SELinux [Electronic resources] - text version

Bill McCarty

1.2 SELinux Features


SELinux is a software product that
includes several mechanisms that protect against attacks exploiting
software vulnerabilities, including attacks on 0-day vulnerabilities.
In particular, SELinux implements role-based access control and
sandboxing.

SELinux also provides a logging and audit facility that records
attempts to exceed specified permissions. By monitoring the system
log, the administrator of an SELinux system can often discover
attempts to escalate privileges and take action to prevent an
intruder or insider from interfering with operation of the system.
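The log monitoring described above is where an administrator actually sees SELinux at work: every refused access produces an AVC ("access vector cache") message in the system or audit log. The following Python script is an added example, not code from the book; the field names it parses (scontext, tcontext, tclass, the `{ perm }` list) are the real kernel AVC message format, while the sample log lines themselves are constructed and the file names and PIDs in them are invented. It extracts each denial, splits the security contexts into user, role and type, and counts denials per source domain, target type, class and permission, which is the view an administrator needs to tell a misconfigured label from an attempt to exceed a domain's permissions.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample audit-log lines in the kernel's AVC message format.
# The first three use the newer form with an MLS level (":s0"); the fourth is
# the older form without one; the last is an unrelated audit record.
SAMPLE_LOG = """\
type=AVC msg=audit(1172000000.101:55): avc:  denied  { read } for  pid=2710 comm="httpd" name="notes.txt" dev=sda1 ino=1235 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1172000000.102:56): avc:  denied  { write } for  pid=2710 comm="httpd" name="index.html" dev=sda1 ino=9942 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1172000000.103:57): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
avc:  denied  { execute } for  pid=2711 comm="httpd" path=/tmp/upload dev=sda1 ino=77 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=file
type=SYSCALL msg=audit(1172000000.101:55): arch=c000003e syscall=2 success=no exit=-13
"""

# "avc:  denied  { read write } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# user:role:type with an optional trailing MLS level or range
CONTEXT_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^:]+)(?::(?P<level>.+))?$"
)


def parse_context(ctx: str) -> Dict[str, Optional[str]]:
    """Split a security context string into its user, role, type and level."""
    m = CONTEXT_RE.match(ctx)
    if m is None:
        raise ValueError(f"not a security context: {ctx!r}")
    return m.groupdict()


def parse_avc(line: str) -> Optional[dict]:
    """Parse one AVC line; return None for lines that are not AVC messages."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None  # malformed: every AVC record carries both contexts
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),
        "tclass": fields.get("tclass"),
        "source": parse_context(fields["scontext"]),
        "target": parse_context(fields["tcontext"]),
        # older kernels log name=, newer ones may log path=
        "object": fields.get("name") or fields.get("path"),
    }


def summarize_denials(log_text: str) -> Counter:
    """Count denials per (source type, target type, class, permission)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (rec["source"]["type"], rec["target"]["type"], rec["tclass"], perm)
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for (src, tgt, cls, perm), n in summarize_denials(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {src} -> {tgt} ({cls}: {perm})")
```

On a real system the same functions can be fed the output of `ausearch -m avc` or the relevant lines of /var/log/messages; a sudden new (source type, target type, permission) combination that never appeared during normal operation is the signal worth investigating.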

SELinux is designed to protect against misuse and unauthorized use
such as:

Unauthorized reading of data and programs

Unauthorized modification of data and programs

Bypassing application security mechanisms

Interfering with other processes

Privilege escalation

Information security breaches



1.2.1 How SELinux Works


Figure 1-1 depicts the operation of SELinux in a
highly simplified fashion. SELinux works by associating each program
or process with a sandbox known as a domain. Each domain is assigned
a set of permissions sufficient to enable it to function properly but
do nothing else. For instance, a domain is limited in the files it
can access and the types of operations it can perform on those files.
To enable specification of such permissions, each file is labeled
with information called a security context.
The definition of a domain spells out what operations it can perform
on files having specific security contexts. A domain cannot access
files having security contexts other than those for which it is
explicitly granted access.


Figure 1-1. The operation of SELinux

Under specified conditions, a process that executes a program leaves
its current domain and transitions to a new
domain. Typically,
transitions occur upon executing a program
designated as an entry point to the new domain. The new domain may
have more or fewer privileges than the original domain. Thus,
programs can initiate other programs having more or fewer privileges
than themselves.

An SELinux facility known as type enforcement (TE) ensures that the
rules governing domains are always observed. SELinux also has a
secondary facility known as role-based access control (RBAC). RBAC
limits user access to domains. For instance, some domains are defined
to be accessible only to the system administrator, whereas other
domains are defined to be publicly available to any user.

An exciting aspect of SELinux is that the definitions of domains,
security contexts, and transitions appear in files called policy
files that can be modified by the SELinux
system administrator. Thus, SELinux security policies are extremely
flexible and can support a wide range of security needs. For
instance, suppose that you want to install a program that neither you
nor anyone you know has previously run under SELinux. Therefore, no
policy specifying the operations that the program should and should
not be allowed to perform exists. Nevertheless, you can create such a
policy and enjoy the benefits of running the program in a manner
consistent with the principle of least privilege.
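The three mechanisms described in this section (type enforcement deciding each access from the domain and the file's security context, a domain transition on execution of an entry-point program, and RBAC limiting which domains a role may enter) can be seen together in a small model. The Python below is an added example written for this page; it is not SELinux code and the toy policy it builds is constructed. In a real policy the same information is written as `allow` rules, `type_transition` rules and `role ... types` declarations, and the kernel makes the equivalent checks on every access and every exec.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Context:
    """A security context: user, role and type (the type of a process is its domain)."""
    user: str
    role: str
    type: str

    def with_type(self, new_type: str) -> "Context":
        return Context(self.user, self.role, new_type)

    def __str__(self) -> str:
        return f"{self.user}:{self.role}:{self.type}"


@dataclass
class Policy:
    # allow rules: (source type, target type, object class) -> permissions
    allow: Dict[Tuple[str, str, str], Set[str]] = field(default_factory=dict)
    # type_transition rules: (current domain, entry-point file type) -> new domain
    transitions: Dict[Tuple[str, str], str] = field(default_factory=dict)
    # RBAC: role -> set of domains a process in that role may run in
    role_types: Dict[str, Set[str]] = field(default_factory=dict)

    def allow_rule(self, src: str, tgt: str, cls: str, *perms: str) -> None:
        self.allow.setdefault((src, tgt, cls), set()).update(perms)

    def check(self, subject: Context, obj: Context, cls: str, perm: str) -> bool:
        """Type enforcement decision: denied unless an allow rule grants perm."""
        return perm in self.allow.get((subject.type, obj.type, cls), set())

    def execute(self, proc: Context, exe: Context) -> Context:
        """Model exec(): return the context the process runs in afterwards."""
        if not self.check(proc, exe, "file", "execute"):
            raise PermissionError(f"{proc.type} may not execute {exe.type}")
        new_type = self.transitions.get((proc.type, exe.type))
        if new_type is None:
            return proc  # no transition rule: the process stays in its domain
        target = proc.with_type(new_type)
        # a transition needs process:transition into the new domain, and the
        # new domain needs file:entrypoint on the program being executed
        if not self.check(proc, target, "process", "transition"):
            raise PermissionError(f"{proc.type} may not transition to {new_type}")
        if not self.check(target, exe, "file", "entrypoint"):
            raise PermissionError(f"{exe.type} is not an entry point for {new_type}")
        # RBAC: the process's role must be permitted to run in the new domain
        if new_type not in self.role_types.get(proc.role, set()):
            raise PermissionError(f"role {proc.role} may not enter {new_type}")
        return target


def sample_policy() -> Policy:
    """Constructed toy policy: a web server domain started by init."""
    p = Policy()
    p.role_types["system_r"] = {"init_t", "httpd_t"}
    p.role_types["user_r"] = {"user_t"}
    # init may run the httpd binary and lands in httpd_t when it does
    p.allow_rule("init_t", "httpd_exec_t", "file", "execute")
    p.allow_rule("init_t", "httpd_t", "process", "transition")
    p.allow_rule("httpd_t", "httpd_exec_t", "file", "entrypoint")
    p.transitions[("init_t", "httpd_exec_t")] = "httpd_t"
    # httpd may only read its own content; nothing grants write, and nothing
    # mentions user_home_t, so both are denied by default
    p.allow_rule("httpd_t", "httpd_sys_content_t", "file", "read", "getattr", "open")
    # an ordinary user may execute the same binary and a transition rule
    # exists, but user_r is not authorized for httpd_t, so the exec is refused
    p.allow_rule("user_t", "httpd_exec_t", "file", "execute")
    p.allow_rule("user_t", "httpd_t", "process", "transition")
    p.transitions[("user_t", "httpd_exec_t")] = "httpd_t"
    return p


def demo() -> dict:
    p = sample_policy()
    init = Context("system_u", "system_r", "init_t")
    httpd_bin = Context("system_u", "object_r", "httpd_exec_t")
    httpd = p.execute(init, httpd_bin)           # domain transition on exec
    content = Context("system_u", "object_r", "httpd_sys_content_t")
    home = Context("user_u", "object_r", "user_home_t")
    results = {
        "httpd_domain": str(httpd),
        "read_content": p.check(httpd, content, "file", "read"),
        "write_content": p.check(httpd, content, "file", "write"),
        "read_home": p.check(httpd, home, "file", "read"),
    }
    try:
        p.execute(Context("user_u", "user_r", "user_t"), httpd_bin)
        results["user_exec"] = "allowed"
    except PermissionError as err:
        results["user_exec"] = str(err)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points the model makes visible: access is denied whenever no rule grants it, so a domain's permissions are exactly the rules written for it and nothing more; and a transition into a more privileged domain succeeds only when the executed file is a declared entry point and the caller's role is authorized for the new domain.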


1.2.2 SELinux Components and Linux Security Modules (LSM)


SELinux was originally implemented as a set of Linux
kernel modules that worked with the
Linux 2.2 kernel. SELinux has since been updated to work with Linux
2.4. SELinux can also work with the
Linux Security Modules (LSM) feature of
the Linux 2.6 kernel.

LSM consists of a set of hooks inserted into the Linux kernel. These
hooks provide the means to notify a software unit, such as SELinux,
whenever a process attempts to perform an operation on an object,
such as opening a file for read access or deleting a file. LSM also
provides a means whereby the software unit can prohibit the attempted
access, making it straightforward for software developers to
implement a security engine that oversees access to files and other
objects, such as that used in SELinux.

In addition to kernel modules, SELinux includes a set of system
administration programs that have been modified to be aware of the
SELinux environment, and a set of programs used to administer SELinux
itself. SELinux also includes a policy, implemented as a set of
files, that defines users and roles and their permissions.


SELinux and User-Mode Linux (UML)



User-Mode Linux is an open source product
that enables a single host to run multiple, sandboxed instances of
the Linux kernel, referred to as virtual
machines. UML's function is roughly
comparable to that of commercial virtualization products, such as
VMware and Microsoft's Virtual PC. However, UML
supports only Linux, whereas VMware and Virtual PC support a variety
of operating systems. Each virtual machine running under UML can run
programs and applications, maintain a distinct filesystem separate
from that of other virtual machines, and access the network. So if a
program or an entire instance of a running kernel is compromised, the
other programs and kernel instances may not be affected.

SELinux includes a set of policies that are intended to strengthen
the UML sandbox and thereby improve system security and integrity.
Using SELinux, you can make it less likely that a wayward application
or a successful attack compromising one virtual machine will lead to
the subversion or failure of other virtual machines. You can learn
more about User-Mode Linux at http://user-mode-linux.sourceforge.net.


Alternatives to SELinux


An alternative product providing functions generally similar to
those of SELinux is GRSecurity, described at http://grsecurity.org.
Like SELinux, GRSecurity is supported only for Linux 2.x.

Developers of open source operating systems other than Linux are
implementing products similar to SELinux. For example, the BSD
community is creating
TrustedBSD. To
learn more about TrustedBSD, see its web site, http://www.trustedbsd.org.

