From Fedora Project Wiki
Line 39: Line 39:
* Type Enforcement (TE): fine-grained access control. MAC allow/disallow actions are checked after DAC permissions. All Files are labeled with a type. Access is only granted if it is specifically defined - the default action is to deny access. This prevents subjects (processes), such as Samba and FTP, from accessing files they should not have access to, for example, files in user home directories.
* Type Enforcement (TE): fine-grained access control. MAC allow/disallow actions are checked after DAC permissions. All Files are labeled with a type. Access is only granted if it is specifically defined - the default action is to deny access. This prevents subjects (processes), such as Samba and FTP, from accessing files they should not have access to, for example, files in user home directories.


* Fine-grained access control: Type Enforcement allows for fine-grained access control. For example, the Apache HTTP server can only access files that are labeled with the <code>httpd_sys_content_t</code> type, and not files that are labeled with the <code>user_home_t</code>, which is the type used for files in user home directories.
* Fine-grained access control: Type Enforcement allows for fine-grained access control. For example, the Apache HTTP server can only access files that are labeled with the <code>httpd_sys_content_t</code> type, and not files that are labeled with the <code>user_home_t</code> type, which is the type used for files in user home directories.


* Preventation against privilege escalation: subjects run in restricted domains. For a process, the type attribute defines which domain the process runs in. By default, a subject running in one domain can not access another domain. If a Web server is running in a protected domain, and that Web server is compromised, an attacker can only access files that the Web server has access to. SELinux also provides confined user types. Depending on the type selected, this can prevent: the use of X windows, executing files in home directories, network access, executing binaries that have the set user ID bit set, and so on.
* Preventation against privilege escalation: subjects run in restricted domains. For a process, the type attribute defines which domain the process runs in. By default, a subject running in one domain can not access another domain. If a Web server is running in a protected domain, and that Web server is compromised, an attacker can only access files that the Web server has access to. SELinux also provides confined user types. Depending on the type selected, this can prevent: the use of X windows, executing files in home directories, network access, executing binaries that have the set user ID bit set, and so on.

Revision as of 08:06, 28 July 2008

Content Specification

Security-Enhanced Linux Preface

On Linux operating systems, everything is represented as a file. For example, a hard disk can be represented as the /dev/hda file, and processes, such as Mozilla Firefox, are represented as files in the proc file system (/proc). These files are called objects. Linux operating systems use a Discretionary Access Control (DAC) system, that defines access to these objects. Users have access to change permissions for files and directories that they own. They could, for example, make their home directory world-readable, potentially allowing access to privileged information from other users, or giving processes, such as a Web server, access to serve these files.

Security-Enhanced Linux (SELinux) provides a Mandatory Access Control (MAC) system for Linux operating systems. MAC restricts the control users have over the files and directories that they create. SELinux allows files, and therefore everything on a Linux system, to be labeled. [talk about classes and permissions]

SELinux Terminology

The order of the items in this section was taken from <http://gentoo-wiki.com/HOWTO_Understand_SELinux>.

The following terms are used throughout this guide:

  • Object:
  • Subject:
  • Label or security context:
  • SELinux user identity:
  • Role:
  • Type:
  • Domain:
  • Access Vector Cache (AVC):
  • Targeted Policy

What SELinux Can Do

With SELinux, processes (subjects), such as the Apache HTTP server, run in a restricted domain. Files (objects) are labeled with a type. This type is used by Type Enforcement, which is used by MAC. SELinux policy defines the interaction subjects have with objects. This means that if the Apache HTTP server is compromised, the attacker only has access to files labeled with the correct type. Each file is labeled with an SELinux user identify, a role, and a type: selinux-user-identity:role:type.

SELinux offers:

  • Type Enforcement (TE): fine-grained access control. MAC allow/disallow actions are checked after DAC permissions. All Files are labeled with a type. Access is only granted if it is specifically defined - the default action is to deny access. This prevents subjects (processes), such as Samba and FTP, from accessing files they should not have access to, for example, files in user home directories.
  • Fine-grained access control: Type Enforcement allows for fine-grained access control. For example, the Apache HTTP server can only access files that are labeled with the httpd_sys_content_t type, and not files that are labeled with the user_home_t type, which is the type used for files in user home directories.
  • Preventation against privilege escalation: subjects run in restricted domains. For a process, the type attribute defines which domain the process runs in. By default, a subject running in one domain can not access another domain. If a Web server is running in a protected domain, and that Web server is compromised, an attacker can only access files that the Web server has access to. SELinux also provides confined user types. Depending on the type selected, this can prevent: the use of X windows, executing files in home directories, network access, executing binaries that have the set user ID bit set, and so on.
  • Role Based Access Control (RBAC): every object (files, sockets, and so on) and subject (processes) is labeled with an SELinux user identity, a role, and a type. For a subject, the type defines the restricted domain the process runs in. The role attribute defines which SELinux user identities can access which domains.
  • Logging: