Monday, August 25, 2025

Basic concepts and fundamentals of SELinux: Managing SELinux contexts for files, SELinux commands

Security Enhanced Linux (SELinux) is a security feature developed by the U.S. National Security Agency (NSA) with help from other organizations and the Linux community to provide advanced security controls for Linux systems.

DAC vs. MAC

SELinux uses Mandatory Access Control (MAC). MAC differs from the standard Linux Discretionary Access Control (DAC). DAC includes standard file and directory permissions, access control lists (ACLs), and other user privileges. MAC adds a further layer of protection by controlling what users and processes can access and what they can do with the resources they reach, which limits the damage a security breach can cause. With MAC, the security controls are precise. For example, if an attacker compromises the HTTP service, they can reach only the files the HTTP process is allowed to reach, not other processes or files on the system. To enforce this control, MAC uses a set of rules, called a policy, that checks the security attributes of users and resources whenever access is requested. SELinux stores these attributes as labels.

Terminology

SELinux uses complex terminology. The following table outlines the essential terms necessary to understand SELinux concepts and functions.

Term        Definition
Subject     A subject is a user or process that accesses an object.
Object      An object is a resource that the subject accesses.
Access      An access is an action the subject performs on an object.
Policy      A policy defines the actions the subject can perform on the object.
Context     A context stores security attributes for subjects and objects.
Labeling    Labeling is the process of mapping subjects and objects to their contexts.

Role

A role is an attribute. It defines who (subject) can access what (domains or types). SELinux authorizes users for roles, and roles authorize domains and types. Each subject has an associated role to ensure that system processes and user processes are kept separate. A subject can transition into a new role to gain access to other domains and types.

Type

A type is a group of objects based on uniformity in their security needs. SELinux groups files and directories with similar security requirements in the same type.

Domain

A domain specifies the type of access that a process has. SELinux groups processes with similar security requirements within a specific domain type and runs them in a confined manner within that domain.

Access Vector Cache (AVC)

SELinux uses an Access Vector Cache (AVC) to improve performance. When a subject makes an access request for an object, SELinux checks its policy and, based on it, allows or denies the request. SELinux saves this access decision in AVC. If the same subject makes the same access request, SELinux uses AVC to make its decision. It checks SELinux policy only when the action is not available in AVC.

SELinux Users

SELinux users are predefined user accounts in the SELinux database. SELinux authorizes each SELinux user account for specific tasks. A SELinux user account can perform only the delegated tasks, nothing extra. SELinux users are different from standard Linux users. If implemented, Linux maps standard users to SELinux users. After that, standard users can perform only the actions authorized for the SELinux users they are mapped to. For example, the default file permissions allow a user to create new files in their home directory and in the root partition. If we map that user to a SELinux user account that is authorized to create files only in its home directory, the user cannot create files in the root partition, even though the standard permissions allow it.

Standard Linux users
  • Each user has a unique identity.
  • We can track and monitor each user account separately.
  • These user accounts have login capability. We use them to access the local system.
  • We create, delete, and manage these accounts as per our requirements.
SELinux users
  • SELinux users are role-based.
  • They are pre-created. We cannot create or delete them.
  • We cannot use these accounts directly. These accounts do not have login capability.
  • Unless we map a SELinux user to a standard Linux user, it cannot perform any actions.
  • After mapping, it allows the linked user to perform only the authorized actions.
  • We can map a SELinux user with multiple standard Linux users.

Viewing SELinux users

The seinfo command with the -u option lists all SELinux users.

#seinfo -u

the seinfo command

To view the mapping between Linux and SELinux users, use the following command.

#semanage login -l

the semanage command

The seinfo and semanage commands are part of the setools-console package. You must install this package to use these commands.

The setools-console package

SELinux management is complex. The setools-console package simplifies it. It provides commands for all essential SELinux management tasks. However, it is not part of the default SELinux installation. We must install it before we use it. The following command installs it.

#dnf install setools-console

Viewing SELinux contexts

Each SELinux context consists of a subject, an object, a type or domain, and a security level. The -Z option shows SELinux contexts. Use it with the id command to view SELinux contexts for user accounts. For example, the following command shows SELinux contexts for the current user account.

#id -Z

the id command

Use the -Z option with the ls command to view the SELinux contexts of the files and directories.

#ls -Z

the ls command

To view the SELinux contexts of running processes, use the -Z option with the ps command.

#ps -eZ

the ps command

Managing SELinux contexts for files

If implemented, SELinux labels every file, process, and user with a context. When a user or process accesses a file, SELinux looks up the file's type among the file types that the user's or process's context is allowed to access. If the user or process is authorized for that file type, SELinux allows the access; if not, it denies the request. Because this check applies on top of the standard file permissions, a denied user or process cannot access the file no matter what file permissions it holds. SELinux assigns a new file the context of its parent directory.

  • If we copy the file to a new directory, the copied file receives its context from the destination directory.
  • If the destination directory already has a file with the same name and we overwrite it, the new file gets the contexts of the existing file.
  • If we move the file to a new directory, the moved file retains its context.
  • If we archive the file with the tar utility, its context is removed.
  • If we extract an archive, the extracted files get their context from the directory in which they are extracted.
  • The --preserve=context option preserves the context. If we use it with a copy operation, the copied file retains its original context. If we use it with the tar command, it keeps the existing context.
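As an added example (not code from the original post) that serves both the context-viewing commands above and the copy/move rules in this list: a POSIX shell script that splits a context string into its seuser, role, type and level fields, reads a file's type from the first column of ls -Z, and, where SELinux is enabled, walks a constructed temporary file through cp, cp --preserve=context, mv and restorecon. The helper names ctx_field, file_type and demo_file_contexts are mine; it assumes GNU coreutils, restorecon, and a GNU tar built with SELinux support (whose option for storing contexts is --selinux).

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes GNU coreutils (cp, mv, ls -Z,
# mktemp), GNU tar built with SELinux support (its --selinux option), and restorecon.
# The live part is skipped when SELinux is not enabled on the host.

# A context string has four colon-separated fields: seuser:role:type:level. The level
# (an MLS/MCS range such as s0-s0:c0.c1023) can itself contain colons, so splitting with
# "cut -d: -f4" would truncate it; strip fields from the left instead.
ctx_field() {   # usage: ctx_field <context> user|role|type|level
    case $2 in
        user)  printf '%s\n' "${1%%:*}" ;;
        role)  rest=${1#*:};    printf '%s\n' "${rest%%:*}" ;;
        type)  rest=${1#*:*:};  printf '%s\n' "${rest%%:*}" ;;
        level) printf '%s\n' "${1#*:*:*:}" ;;
        *)     return 1 ;;
    esac
}

# Type field of an existing file, taken from the first column of "ls -Z".
file_type() { ctx_field "$(ls -Zd "$1" | awk '{print $1}')" type; }

# Shows how a file's context follows (or does not follow) copy, move, archive and relabel.
demo_file_contexts() {
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled || {
        echo "SELinux is not enabled here; skipping the live demo" >&2; return 0; }
    src=$(mktemp -p "$HOME" ctxdemo.XXXXXX)   # new file: labelled from its parent, $HOME
    dst=$(mktemp -d)                          # new dir under /tmp: a different default label
    echo "source file   : $(file_type "$src")"
    cp "$src" "$dst/copied"                   # copy: takes the destination directory's type
    echo "cp            : $(file_type "$dst/copied")"
    cp --preserve=context "$src" "$dst/kept"  # copy keeping the source's context
    echo "cp --preserve : $(file_type "$dst/kept")"
    mv "$src" "$dst/moved"                    # move: the file keeps its original context
    echo "mv            : $(file_type "$dst/moved")"
    restorecon "$dst/moved"                   # relabel from the policy's file-context rules
    echo "restorecon    : $(file_type "$dst/moved")"
    # Plain tar does not store contexts; GNU tar's --selinux records them in the archive
    # so that extraction can restore them instead of labelling from the target directory.
    tar --selinux -cf "$dst/kept.tar" -C "$dst" kept
    rm -rf "$dst"
}
```

Run demo_file_contexts on an enforcing or permissive host to see the copied file take the destination's type while the moved and --preserve=context copies keep the source's type until restorecon relabels them.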
