Understanding SELinux
Access control models
What is Mandatory Access Control (MAC)
MAC stands for Mandatory Access Control. It is a security model in which permissions on resources are assigned centrally by an administrator (root), not by the owner of the resource. Only the administrator can grant rights to objects and resources, and only the administrator can change an object's security label or a user's security clearance.
What is Discretionary Access Control (DAC)
DAC stands for Discretionary Access Control. It is a security model where access is granted based on the user's identity: a user is given permissions on a resource by being placed on the access control list (ACL) associated with that resource. An entry on a resource's ACL is known as an Access Control Entry (ACE); study this for the exam. In the DAC model the owner of an object holds these permissions and can in turn grant permissions to other users and groups on the same system. Standard Linux file permission bits (owner, group, other) are the everyday example. Note that the DAC model is based on resource ownership; this is important for the exam.
What is Role-based access control ( RBAC )
RBAC stands for Role-Based Access Control. In this security model, access to system resources is based on the role the administrator assigns to a user. A role bundles a predetermined set of system rights and privileges; through membership in that role, a user can access only the resources and perform only the tasks the role allows. Please note, as this is important for the exam, that RBAC is also known as Non-Discretionary Access Control. The roles assigned to users are centrally administered by the system administrator.
What is SELinux
SELinux provides a flexible Mandatory Access Control (MAC) system built into the Linux kernel. Under standard Linux Discretionary Access Control (DAC), an application or process running as a user (UID or SUID) has that user's permissions to objects such as files, sockets, and other processes. Running a MAC kernel protects the system from malicious or flawed applications that could otherwise damage or destroy it. SELinux defines the access and transition rights of every user, application, process, and file on the system. SELinux does not replace DAC: the DAC check runs first, and the SELinux policy is consulted only for accesses that DAC has already allowed, so it can only further restrict what a process may do.
Why we need SELinux
What is SELinux subject
What is SELinux object
The SELinux Decision Making Process
When a subject (for example, an application) attempts to access an object (for example, a file), the policy enforcement server in the kernel first checks the access vector cache (AVC), where recent decisions about subject and object permissions are cached. If no decision can be made from the AVC, the request goes on to the security server, which looks up the security context of the application and of the file in its matrix. Permission is then granted or denied; on denial an avc: denied message is logged, in /var/log/messages on the system described here or, on systems running auditd, in /var/log/audit/audit.log. The security contexts of subjects and objects come from the installed policy, which also provides the information used to populate the security server's matrix.
SELinux Operating Modes
Instead of running in enforcing mode, SELinux can run in permissive mode, where the AVC is still checked and denials are logged, but the policy is not enforced. This is useful for troubleshooting and for developing or fine-tuning SELinux policy. A third state, disabled, loads no policy at all and labels no files; moving into or out of it requires a reboot, and re-enabling SELinux after it was disabled requires a filesystem relabel. The current mode can be read with getenforce and switched between enforcing and permissive at runtime with setenforce 1 / setenforce 0; that switch is not persistent. The mode that applies at boot is set by the SELINUX= line in /etc/selinux/config.
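The following script is added here as an example and is not part of the original notes. It shows the difference between the persisted mode and the live mode: it parses a constructed /etc/selinux/config sample, reads the kernel's live state from /sys/fs/selinux/enforce the way getenforce does, and warns when the two disagree (the situation after someone has run setenforce 0). The sample config text, the function names and the warning strings are the example's own assumptions.

```python
"""Check the SELinux operating mode: boot-time config versus running kernel state."""
import os
import re

# Constructed sample of /etc/selinux/config (not read from a real system).
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
"""


def parse_selinux_config(text):
    """Return the SELINUX= and SELINUXTYPE= settings from config file text.

    Comments and blank lines are ignored; a missing key is reported as None.
    """
    settings = {"SELINUX": None, "SELINUXTYPE": None}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(SELINUX|SELINUXTYPE)\s*=\s*(\S+)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2).lower()
    return settings


def runtime_mode(enforce_value):
    """Map the content of /sys/fs/selinux/enforce to a mode name.

    The kernel exposes '1' for enforcing and '0' for permissive. If the file
    does not exist at all (passed here as None), no policy is loaded: disabled.
    """
    if enforce_value is None:
        return "disabled"
    return "enforcing" if enforce_value.strip() == "1" else "permissive"


def read_runtime_mode(enforce_path="/sys/fs/selinux/enforce"):
    """Equivalent of `getenforce`: read the live kernel state."""
    if not os.path.exists(enforce_path):
        return runtime_mode(None)
    with open(enforce_path) as f:
        return runtime_mode(f.read())


def check_consistency(config_mode, live_mode):
    """Compare the persisted configuration with the live state.

    `setenforce 0` flips the kernel to permissive without touching the config
    file, so a host can be configured enforcing yet run permissive until the
    next reboot. Any change to or from disabled only takes effect at reboot.
    """
    if config_mode == live_mode:
        return "ok"
    if config_mode == "enforcing" and live_mode == "permissive":
        return "warning: configured enforcing but running permissive (setenforce 0?)"
    if config_mode == "disabled" or live_mode == "disabled":
        return "notice: change to/from disabled takes effect only after reboot"
    return "notice: runtime mode differs from config; it will revert on reboot"


if __name__ == "__main__":
    cfg = parse_selinux_config(SAMPLE_CONFIG)
    live = read_runtime_mode()
    print("config:", cfg, "runtime:", live)
    print(check_consistency(cfg["SELINUX"], live))
```

Run against a real host, replace SAMPLE_CONFIG with the contents of /etc/selinux/config; a "warning" result is worth an alert, since a box silently sitting in permissive is one of the most common ways SELinux stops protecting anything.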
What is SELinux context
Every SELinux object has a context made up of three attributes plus one optional attribute, in the following format: user:role:type:level. The context is displayed by the -Z option of commands such as ls, ps and id.
What is SELinux type/domain
The type is an attribute of Type Enforcement. The type defines a domain for processes, and a type for files. SELinux policy rules define how types can access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
An SELinux type is, in effect, a grouping of objects by their similarity from a security point of view; a type is therefore not tied to one particular context or one particular file. For example, users' home directories can hold very different content, but what they have in common is that they belong to a user, so in that case the files carry the type user_home_t.
By convention, "domain" is the word used for the type of a process, and "type" for the type of a file or other object.
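As an added example (not from the original notes), the following Python script works the decision process described above backwards from the log. It parses constructed avc: denied lines of the kind written on a denial, splits each scontext and tcontext into the user:role:type:level fields of the context format, groups the denied permissions by source domain, target type and object class the way audit2allow does, and flags denials that touch a small watch list of target types. The log lines, the watch list and the function names are assumptions made for the example; the policy booleans mentioned in the note after the code are real.

```python
"""Parse SELinux AVC denials and summarise them as audit2allow-style rules."""
import re
from collections import defaultdict

# Constructed sample denials: audit.log style, journal/dmesg style, and one
# from an MLS/MCS-ranged user domain. Not taken from a real system.
SAMPLE_AVC_LINES = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.124:457): avc:  denied  { open } for  pid=1234 comm="httpd" path="/home/alice/public_html/index.html" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
Nov 14 22:13:20 web1 kernel: audit: type=1400 audit(1700000000.200:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.400:459): avc:  denied  { read } for  pid=2201 comm="cat" name="shadow" dev="dm-0" ino=1312 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

# Example watch list of target types whose denials deserve a closer look.
WATCHED_TARGET_TYPES = {"shadow_t"}


def parse_context(ctx):
    """Split user:role:type[:level] into its fields.

    The level is optional, and an MLS/MCS range such as s0-s0:c0.c1023 itself
    contains a colon, so split at most three times and keep the rest as level.
    """
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed context: {ctx!r}")
    user, role, typ = parts[:3]
    level = parts[3] if len(parts) == 4 else None
    return {"user": user, "role": role, "type": typ, "level": level}


def parse_avc_line(line):
    """Return the parsed denial, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": sorted(m.group("perms").split()),
        "source": parse_context(m.group("scontext")),
        "target": parse_context(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1 means the access was logged but actually allowed;
        # if the field is absent, assume the denial was enforced.
        "enforced": m.group("permissive") != "1",
    }


def summarise(lines):
    """Group denied permissions by (source domain, target type, class)."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc_line(line)
        if d is None:
            continue
        key = (d["source"]["type"], d["target"]["type"], d["tclass"])
        rules[key].update(d["perms"])
    return {k: sorted(v) for k, v in rules.items()}


def format_rules(rules):
    """Render the grouped denials as allow rules in policy syntax."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(rules.items())]


def watched_hits(lines, watched=WATCHED_TARGET_TYPES):
    """Return (source domain, target type, perms) for denials on watched types."""
    hits = []
    for line in lines:
        d = parse_avc_line(line)
        if d and d["target"]["type"] in watched:
            hits.append((d["source"]["type"], d["target"]["type"], tuple(d["perms"])))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_AVC_LINES.splitlines()
    for rule in format_rules(summarise(lines)):
        print(rule)
    for hit in watched_hits(lines):
        print("watch:", hit)
```

The generated allow rules are a diagnosis, not a fix: for the sample above the right answers are the booleans httpd_enable_homedirs (for user_home_t) and httpd_can_network_connect_db (for mysqld_port_t), set with setsebool -P, or a relabel with restorecon when the file simply carries the wrong type; and the staff_t read of shadow_t is exactly the kind of denial the policy exists to produce, so it should be investigated rather than allowed. Note also the third line: permissive=1 means that access actually went through, which is why a host left in permissive mode still needs its denials reviewed.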
What is SELinux policy
What is SELinux user
Every Linux user is mapped to an SELinux user by the active policy. Through this mapping, the Linux user inherits the rights and restrictions of the corresponding SELinux user. The list of login-to-SELinux-user mappings can be obtained with the command semanage login -l; the SELinux users themselves, with the roles each may use, are listed by semanage user -l.
What is SELinux role
Roles are the intermediary between SELinux users and domains. Domains can only be entered through defined roles, and roles can only be used by defined users. The effect is that a process's domain decides what it may access, while the role and the user decide which domains a given login can enter at all.
What is SELinux level
What is avc ( access vector cache )
ref :