What is SELinux


SELinux stands for "Security-Enhanced Linux". It is a mandatory access control (MAC) security module for Linux, originally developed by the US National Security Agency (NSA) together with Secure Computing Corporation (SCC).


Development reasons

Servers running a company's business platforms hold many trade secrets and a great deal of personal information, so their security is directly tied to personal privacy. Government websites, which serve as platforms for public information disclosure, are even more security-critical. These servers are connected to the Internet and inevitably face threats from all over the world. In the worst cases a server is compromised, its home page defaced and confidential documents stolen. Besides external threats, attacks by insiders, or by criminals who gain access to internal staff accounts, cannot be ignored. There are of course many countermeasures against such attacks: firewalls, intrusion detection systems, patching and so on. But Linux, like the commercial UNIX systems, has had all kinds of security vulnerabilities discovered in it.

Shortcomings of traditional Linux OS

Although Linux is considerably better than Windows in reliability and stability, it shares the following deficiencies with other UNIX systems.

1) The existence of the privileged user root
Anyone who obtains root privileges can do whatever they want to the entire system. This is no different from Windows.
2) File access permissions are not fine-grained enough
In a Linux system, file permissions distinguish only three categories of user: "owner", "group" and "other". There is no way to subdivide the users in the "other" category any further.
3) Privilege escalation through SUID programs
If a program with the SUID bit set has a vulnerability, an attacker can easily exploit it to run code with the program owner's privileges (typically root).
4) The DAC (Discretionary Access Control) problem
The owner of a file or directory can perform any operation on it, including handing out access to others, which makes centralized management of the whole system difficult. Firewalls and intrusion detection systems are powerless against these deficiencies, because they do not sit at the point where the access decision is made.

DAC (Discretionary Access Control):

Under DAC, the owner of an object (such as a program, file or process) can grant or modify the permissions on that object at will. Traditional Linux and Windows work this way.

MAC (Mandatory Access Control):

Under MAC, the system does not let the owner of an object (such as a program, file or directory) change or grant the permissions on it. Instead, permissions for every object are assigned in a mandatory, centrally defined way by a system-wide policy. SELinux is an example.

Advantages of SELinux

Compared with a conventional Linux system, SELinux is considerably more secure. It achieves this by minimizing the privileges of users and processes, so that even if a process or user account is compromised, the damage to the system as a whole is limited.

In standard Linux, the access control attributes of a subject (a process) are its real and effective user and group IDs, held in the kernel's process structures and managed by a number of trusted tools, including the login process and setuid programs. For objects such as files, the inode carries the access mode bits and the file's user and group ID. Access control is based on the read/write/execute bits, set separately for the file owner, the owning group and everyone else.

In SELinux, the access control attribute is always a security context, a triple of user, role and type (for example system_u:object_r:shadow_t; on MLS-enabled systems a sensitivity level is appended as a fourth field). Every process and every object has an associated security context. An access request is first checked against the standard Linux attributes (process user/group ID, file mode bits, file user/group ID); if that check fails, the access is denied. If it passes, the request is then checked against the security contexts of the process and the object. Because SELinux's primary access control mechanism is type enforcement, it is the type field of the security context that decides whether the access is granted. To access a file, a process therefore needs both the ordinary Linux permission and SELinux's permission. Even a process running as the superuser root can be denied access to a file or resource by the SELinux policy, based on the security context of the process and of the resource.

An example:
In Linux, the passwd program is trusted to modify the shadow password file (/etc/shadow), which stores the hashed passwords. passwd enforces its own internal security policy: an ordinary user may change only their own password, while root may change anyone's. To do this trusted job, passwd needs to be able to move and recreate the shadow file. In standard Linux it has that privilege because the passwd executable has the setuid bit set and therefore runs as root, which may access any file. The problem is that many programs can run as root (in fact, any program may be run as root), so any program that happens to run as root can modify the shadow file. With type enforcement we can ensure that only the passwd program (or a similarly trusted program) can access the shadow file, regardless of which user runs it.
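To make the DAC/MAC distinction and the passwd/shadow example concrete, here is an added Python model of the two-stage access decision described above. It is not code from the original post or from the SELinux project: it parses a constructed policy fragment written in SELinux `allow` rule syntax, applies the classic mode-bit DAC check (with the root override), then applies type enforcement, and shows a root process in a web server domain being denied access to a shadow_t file while passwd_t is allowed. The type names, rules, file modes and contexts are illustrative assumptions, not any distribution's actual policy.

```python
"""Toy model of SELinux type enforcement layered on top of DAC.

The policy fragment below uses real SELinux 'allow' rule syntax, but the
rules themselves are constructed for this example (hypothetical policy).
"""
import re
from dataclasses import dataclass

# Constructed policy fragment: which source types may do what to which target types.
POLICY = """
allow passwd_t shadow_t : file { read write create unlink rename setattr };
allow httpd_t httpd_content_t : file { read getattr open };
allow unconfined_t shadow_t : file { read write };
"""

# allow <src_type> <tgt_type> : <class> { perms... } ;   or a single perm
RULE_RE = re.compile(
    r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*(?:\{([^}]*)\}|(\w+))\s*;"
)


def parse_policy(text):
    """Return {(src_type, tgt_type, cls): set(perms)} from 'allow' rules."""
    rules = {}
    for m in RULE_RE.finditer(text):
        src, tgt, cls, many, single = m.groups()
        perms = set(many.split()) if many is not None else {single}
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules


@dataclass(frozen=True)
class Process:
    uid: int        # effective UID, the DAC attribute of the subject
    gid: int
    context: str    # SELinux label, e.g. system_u:system_r:passwd_t:s0


@dataclass(frozen=True)
class File:
    uid: int
    gid: int
    mode: int       # permission bits, e.g. 0o640
    context: str


def type_of(context):
    """The type is the third field of user:role:type[:level]."""
    return context.split(":")[2]


PERM_BITS = {"read": 4, "write": 2, "execute": 1}


def dac_allows(proc, f, perm):
    """Classic owner/group/other mode-bit check; root bypasses it entirely."""
    if proc.uid == 0:
        return True
    bit = PERM_BITS[perm]
    if proc.uid == f.uid:
        shift = 6
    elif proc.gid == f.gid:
        shift = 3
    else:
        shift = 0
    return bool((f.mode >> shift) & bit)


def te_allows(rules, proc, f, perm, cls="file"):
    """Type enforcement: deny unless some allow rule grants the permission."""
    key = (type_of(proc.context), type_of(f.context), cls)
    return perm in rules.get(key, set())


def access(rules, proc, f, perm):
    """Both DAC and type enforcement must permit the access."""
    if not dac_allows(proc, f, perm):
        return False, "denied by DAC"
    if not te_allows(rules, proc, f, perm):
        return False, "denied by SELinux type enforcement"
    return True, "allowed"


RULES = parse_policy(POLICY)

# Constructed objects and subjects (hypothetical labels and modes).
SHADOW = File(uid=0, gid=0, mode=0o640, context="system_u:object_r:shadow_t:s0")
# passwd is setuid root, so its EUID is 0; the policy transitions it into passwd_t.
PASSWD = Process(uid=0, gid=0, context="unconfined_u:unconfined_r:passwd_t:s0")
# A compromised web server running as root, but confined to httpd_t.
ROOT_HTTPD = Process(uid=0, gid=0, context="system_u:system_r:httpd_t:s0")
# An unprivileged user somehow in passwd_t without setuid: DAC still blocks it.
USER_PASSWD = Process(uid=1000, gid=1000, context="user_u:user_r:passwd_t:s0")

if __name__ == "__main__":
    for name, p in [("passwd (root)", PASSWD),
                    ("httpd (root)", ROOT_HTTPD),
                    ("passwd (uid 1000)", USER_PASSWD)]:
        print(f"{name:20s} write /etc/shadow -> {access(RULES, p, SHADOW, 'write')}")
```

The point the model makes is the one in the paragraph above: UID 0 satisfies the DAC check for every process, but only a subject whose type has an `allow` rule against `shadow_t` gets past type enforcement, so "running as root" no longer implies "can touch the shadow file". On a real system the equivalent rules are queried with `sesearch -A -s passwd_t -t shadow_t -c file` from the setools package, and labels are inspected with `ls -Z` and `ps -Z`.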

Original article: R0uter's Blog » What is SELinux

If you reproduce this article, please keep the source attribution and link.
