Linux Security Technology

1868 Words8 Pages
|Linux Security Technology | |

1. SELinux SELinux, an implementation of Mandatory Access Control (MAC) in the Linux kernel, adds the ability to administratively define policies on all subjects (processes) and objects (devices, files, and signaled processes). This mechanism is in the Linux kernel, checking for allowed operations after standard Linux Discretionary Access Controls DAC are checked. Security-Enhanced Linux (SELinux) is a Linux feature that provides a mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls, through the use of Linux
…show more content…
More complex mappings are also possible, involving roles and security levels. A typical policy consists of a mapping (labeling) file, a rule file, and an interface file, that define the domain transition. These three files must be compiled together with the SELinux tools to produce a single policy file. The resulting policy file can be loaded into the kernel, making it active. Loading and unloading policies does not require a reboot. The policy files are either hand written or can be generated from the more user friendly SELinux management tool. They are normally tested in permissive mode first, where violations are logged but allowed. The audit2allow tool can be used later to produce additional rules that extend the policy to allow all legitimate activities of the application being confined. The Security-enhanced Linux's new features are designed to enforce the separation of information based on confidentiality and integrity requirements. They are designed for preventing processes from reading data and programs, tampering with data and programs, bypassing application security mechanisms, executing untrustworthy programs, or interfering with other processes in violation of the system security policy. They also help to confine the potential damage that can be caused by malicious or flawed programs. They should also be useful for enabling a single system to be used by users with differing
Get Access