© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 1
SELinux Policy Concepts and Overview
Security Policy Development Primer for Security Enhanced Linux (Module 3)
Access Control Attributes
- SELinux assigns subjects and objects a security context:
  root:sysadm_r:sysadm_t[:s0:c0.c128]
  (user identifier : role identifier : type identifier [: mls identifier])
- Security context is the only access control attribute in SELinux
- Security Identifier (SID): number representing a security context active within the kernel
Standard Linux vs SELinux
- Subject (Process) Access Control Attributes
  - Linux: real and effective user and group IDs
  - SELinux: security context (user:role:type)
  - Linux UIDs and SELinux user identifiers are independent
- Object Access Control Attributes
  - Linux (files): access modes (rwx r-x r-x) and user and group IDs
  - SELinux: security context (user:role:type)
More on Security Contexts
- Linux and SELinux access controls are orthogonal
  - each mechanism uses its own access control attributes
  - two separate access checks; both must pass
- A process type is also called a "domain"
  - though object and subject contexts have the same form
- Role and user are little used on objects
  - objects' role is usually "object_r"
- Type is by far the most used part of a context in policies
  - emphasis on type enforcement in a policy
What is a Type?
- A type is an unambiguous identifier
  - created by the policy writer
  - applied to all subjects and objects and used for access decisions
- Types group subjects and objects
  - signifies security equivalence
  - everything with the same type has the same access
  - policies have as few or as many types as needed
- Type "meaning" is created through use
  - e.g., shadow_t only has meaning because of policy rules
  - similar to a programmer giving meaning to variables
Type Enforcement Access Control
- Access specified between
  - subject type (e.g., process or domain)
  - and object type (e.g., file, dir, socket, etc.)
- Four elements in defining allowed access
  - source type(s): aka domain(s)
  - target type(s): objects to which access is allowed
  - object class(es): classes to which access applies
  - permission(s): type of access allowed
- SELinux prevents access unless explicitly allowed
Object Classes and Permissions
- SELinux defines 41 kernel object classes
  - Each with its own fine-grained permissions
  - For example, the file object class has 20 permissions:
    ioctl read write create getattr setattr lock relabelfrom relabelto append
    unlink link rename execute swapon quotaon mounton execute_no_trans
    entrypoint execmod
- Documentation available at www.tresys.com/selinux
- The 41 kernel object classes:
  key_socket, unix_stream_socket, unix_dgram_socket, udp_socket, tcp_socket, system, socket, sock_file, shm, sem, security,
  rawip_socket, process, passwd, packet_socket, node, netlink_xfrm_socket, netlink_tcpdiag_socket, netlink_socket, netlink_selinux_socket, netlink_route_socket,
  netlink_nflog_socket, netlink_kobject_uevent_socket, netlink_ip6fw_socket, netlink_firewall_socket, netlink_dnrt_socket, netlink_audit_socket, netif, msgq, msg, lnk_file,
  ipc, filesystem, file, fifo_file, fd, dir, chr_file, capability, blk_file, association
passwd Program Example
allow passwd_t shadow_t : file { create ioctl read getattr lock write setattr append link unlink rename };
- Allows processes with the passwd_t domain type read, write, and create access to files with the shadow_t type
- Purpose: the passwd program runs with the passwd_t type, allowing it to change the shadow password file (/etc/shadow)
- Shadow password file attributes:
  -r-------- root root system_u:object_r:shadow_t /etc/shadow
  - standard Linux (-r-------- root root): only root is allowed to create new copies of the file
  - SELinux (system_u:object_r:shadow_t): only the passwd_t domain (via the above allow rule) is allowed to modify the file
passwd Program Example
[Diagram: the passwd process (euid: root, domain passwd_t) writes and creates, i.e. changes the password in, /etc/shadow (r-------- root root, type shadow_t), as permitted by:]
allow passwd_t shadow_t : file { read getattr write setattr append };
Problem of Domain Transitions
[Diagram: login starts bash running as uid: joe, euid: joe in domain user_t. The passwd process (euid: root, domain passwd_t) may write and create, i.e. change the password in, /etc/shadow (r-------- root root, shadow_t) under the rule below, but bash in user_t has no such rule ("write,… ?"), so how does joe's shell get to change a password?]
allow passwd_t shadow_t : file { read getattr write setattr append };
Standard Linux passwd Security
[Diagram, four animation frames: login starts bash with uid: joe, euid: joe; /etc/shadow is r-------- root root, while /usr/bin/passwd is r-s--x--x root root (set-uid root), so anyone can execute it. bash calls fork(), and the child (uid: joe, euid: joe) calls execve() on /usr/bin/passwd; the set-uid bit changes the effective uid, so passwd runs with uid: joe, euid: root and can write and create, i.e. change the password in, /etc/shadow.]
SELinux Domain Transitions
[Diagram, three animation frames: login starts bash as uid: joe, euid: joe in domain user_t; /usr/bin/passwd (r-s--x--x root root) is labelled passwd_exec_t and /etc/shadow (r-------- root root) is labelled shadow_t. bash calls fork(); the child is still user_t and calls execve() on /usr/bin/passwd, which requires:]
allow user_t passwd_exec_t : file { getattr execute };
[The new passwd process runs with uid: joe, euid: root in domain passwd_t and can write and create, i.e. change the password in, /etc/shadow. The change of domain is governed by:]
type_transition user_t passwd_exec_t : process passwd_t;
allow user_t passwd_exec_t : file { getattr execute };
allow user_t passwd_t : process transition;
allow passwd_t passwd_exec_t : file entrypoint;
Type Transition Statement
- First form: default domain transition
  - Causes a domain type transition to be attempted on execve()
type_transition user_t passwd_exec_t : process passwd_t;
  - user_t: source domain
  - passwd_exec_t: file type of executable
  - process: object class (process for domain transition)
  - passwd_t: new type for process
[Diagram: (1) a user_t process calls execve() on a passwd_exec_t file; (2) the resulting process runs as passwd_t.]
Type Transition Statement
- type_transition specifies the default transition
  - Does NOT allow it!
- A successful domain transition requires that access is allowed:
  - original domain execute access to the executable file
  - original domain permission to transition to the new domain
  - new domain permission to be entered via the program
  - others...
- Second form: default object types on creation
  - to be discussed in later modules
The Role of Roles
- Roles associate domains with users
  - further constrain process type transitions
  - process type allowed only if allowed by the role definition
  - even if type enforcement allows it
- Role declaration statement:
role user_r types passwd_t;
  - user_r: role for which the type is allowed
  - passwd_t: allowed type
Roles in Domain Transitions
[Diagram: login starts bash in user_r:user_t; fork() followed by execve() of /usr/bin/passwd (r-s--x--x root root, passwd_exec_t) yields passwd in user_r:passwd_t, which may write and setattr, i.e. change the password in, /etc/shadow (r-------- root root, shadow_t). The role user_r is allowed to hold the passwd_t type because of:]
role user_r types passwd_t;
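The decision walked through on the domain-transition and role slides, as an added example (not Tresys code, nor the kernel's security server): a small Python model that parses the slides' own allow, type_transition and role statements and applies deny-by-default type enforcement plus the conditions for a successful transition. The user name joe, the user:role:type context strings and the simplified statement grammar are assumptions for the illustration.

```python
# Toy model of the TE decisions the slides describe (added illustration, not
# Tresys code or the kernel security server). Contexts are user:role:type.
import re

class Policy:
    def __init__(self, text):
        self.allow, self.trans, self.roles = set(), {}, {}
        for stmt in re.findall(r"\w[^;]*", text.replace("\n", " ")):
            w = re.sub(r"[:{}]", " ", stmt).split()
            if w[0] == "allow":                    # allow src tgt : cls { perms };
                self.allow.update((w[1], w[2], w[3], p) for p in w[4:])
            elif w[0] == "type_transition":        # type_transition src tgt : cls new;
                self.trans[(w[1], w[2])] = w[4]
            elif w[0] == "role":                   # role r types t ...;
                self.roles.setdefault(w[1], set()).update(w[3:])

    def allowed(self, ctx, tgt, cls, perm):
        """Type enforcement check: denied unless an allow rule grants it."""
        return (ctx.split(":")[2], tgt, cls, perm) in self.allow

    def execve(self, ctx, exec_type):
        """Context after execve(), or None when SELinux denies the exec.
        type_transition only picks the default new domain; the exec still
        needs execute, transition, entrypoint and a role permitting the type."""
        user, role, src = ctx.split(":")
        if not self.allowed(ctx, exec_type, "file", "execute"):
            return None
        new = self.trans.get((src, exec_type), src)
        if new == src:
            return ctx  # no domain change (real SELinux also checks execute_no_trans)
        ok = ((src, new, "process", "transition") in self.allow
              and (new, exec_type, "file", "entrypoint") in self.allow
              and new in self.roles.get(role, set()))
        return f"{user}:{role}:{new}" if ok else None

# Statements copied from the slides' passwd example.
PASSWD_POLICY = """
allow passwd_t shadow_t : file { read getattr write setattr append };
allow user_t passwd_exec_t : file { getattr execute };
type_transition user_t passwd_exec_t : process passwd_t;
allow user_t passwd_t : process transition;
allow passwd_t passwd_exec_t : file entrypoint;
role user_r types passwd_t;
"""

def demo(policy_text=PASSWD_POLICY):
    p, shell = Policy(policy_text), "joe:user_r:user_t"   # joe's bash in user_t
    pw = p.execve(shell, "passwd_exec_t")                  # run /usr/bin/passwd
    return {"shell_writes_shadow": p.allowed(shell, "shadow_t", "file", "write"),
            "passwd_ctx": pw,
            "passwd_writes_shadow": bool(pw) and p.allowed(pw, "shadow_t", "file", "write")}
```

Deleting any one of the transition, entrypoint or role statements from PASSWD_POLICY makes execve() return None, which is the point of the "Does NOT allow it!" slide.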
Why Type Enforcement
- Extremely configurable mandatory access control
  - flexible (not tied to a single security objective)
  - dynamic (loadable/conditional policy)
  - possible to be pragmatic within a policy
    - even necessary due to Linux legacy!
  - fine-grained access control
    - object classes and permissions, unlimited types and rules
- Useful for a large number of security goals and objectives
Security Goals TE can Implement
- System integrity, RVM/kernel self-protection
  - raw devices and resources
  - kernel configuration and binary files (e.g., modules)
  - daemon/service configuration and binary files
  - protection of the SELinux policy itself
- Application integrity
  - configuration and binary files
  - inter-process communication
- Least privilege
  - preventive security engineering design
  - protection of privileged user environments
Security Goals TE can Implement
- Controlled execution domains
  - isolation of untrusted code (e.g., sandboxes)
  - prevention of malicious code in trusted domains
- System hardening
  - confinement of error propagation (exploitations)
  - fine-grained access control
- Domain isolation
  - trusted from untrusted
  - application from application
- Information flow policies
  - Multilevel security and multiple security levels
  - Guards and other cross-domain solutions
  - Perimeter defense
Challenges with SELinux TE
- Policies are usually complex
  - due to the complexity of the Linux kernel
  - legacy issues with Linux/Unix
  - need for pragmatism
- Flexibility comes with a price!
  - 41 kernel object classes, hundreds of permissions
  - thousands of object instances
  - unlimited domain and object types
- Assurance of the mechanism is evolving
  - open source model helps
  - certainly no worse than Linux (or other mainstream OSs)
  - in fact much better with a good TE policy
Policy Concept Overview Summary
- Standard Linux and SELinux access control mechanisms are orthogonal
- SELinux security context: user:role:type
  - applied to both objects and subjects
  - type is the primary means of controlling access
- Fine-grained access control
  - 41 kernel object classes, hundreds of permissions
- Access must be explicitly allowed in TE policy
  - all access denied by default
Policy Concept Overview Summary
- TE allow statement:
  allow domain_type object_type : classes permissions;
  - specifies allowed access based on types
- TE domain transition:
  - changing of process type (domain) on execve()
  - type_transition specifies the default transition
- Type enforcement is flexible
  - can implement many security properties
- Roles further constrain domain transitions
QUESTIONS?