Monday, October 29, 2012

SEAndroid study material.

From Tresys.com


Access Control Attributes

- SELinux assigns subjects and objects a security context:

      root:sysadm_r:sysadm_t[:s0:c0.c128]
      user role     type     MLS range (optional)

  - user identifier (root), role identifier (sysadm_r), type identifier (sysadm_t)
  - the bracketed fourth field is the MLS/MCS sensitivity and category range; it is only present on MLS-enabled policies
- The security context is the only access control attribute in SELinux
- Security Identifier (SID): a number that represents a security context active within the kernel

Standard Linux vs SELinux

- Subject (process) access control attributes
  - Linux: real and effective user and group IDs
  - SELinux: security context (user:role:type)
  - Linux UIDs and the SELinux user identity are independent
- Object access control attributes
  - Linux (files): access mode bits (rwx r-x r-x) and owner user and group IDs
  - SELinux: security context (user:role:type)

More on Security Contexts

- Linux and SELinux access controls are orthogonal
  - each mechanism uses its own access control attributes
  - two separate access checks; both must pass
- A process type is also called a "domain"
  - though object and subject contexts have the same form
- Role and user are little used on objects
  - an object's role is usually "object_r"
- Type is by far the most used part of a context in policies
  - hence the emphasis on type enforcement in a policy

What is a Type?

- A type is an unambiguous identifier
  - created by the policy writer
  - applied to all subjects and objects, and used for access decisions
- Types group subjects and objects
  - a type signifies security equivalence: everything with the same type has the same access
  - policies have as few or as many types as needed
- A type's "meaning" is created through use
  - e.g. shadow_t only has meaning because of the policy rules that refer to it
  - similar to a programmer giving meaning to variables

Type Enforcement Access Control

- Access is specified between
  - a subject type (e.g., a process or domain)
  - and an object type (e.g., a file, directory, socket, etc.)
- Four elements define allowed access
  - source type(s), aka domain(s)
  - target type(s): the objects to which access is allowed
  - object class(es): the classes to which the access applies
  - permission(s): the kind of access allowed
- SELinux prevents access unless it is explicitly allowed (default deny)

Object Classes and Permissions

- SELinux defines 41 kernel object classes (the count in the kernel these slides describe; later kernels add more)
  - each with its own fine-grained permissions
  - for example, the file object class has 20 permissions:

      ioctl read write create getattr setattr lock relabelfrom relabelto append
      unlink link rename execute swapon quotaon mounton execute_no_trans
      entrypoint execmod

- Documentation available at www.tresys.com/selinux

The 41 kernel object classes (the slide's table, regrouped by kind):

  files and filesystems: file, dir, lnk_file, chr_file, blk_file, fifo_file, sock_file, fd, filesystem
  processes and system: process, capability, security, system, passwd
  System V IPC: ipc, msg, msgq, sem, shm
  network: node, netif, association, socket, tcp_socket, udp_socket, rawip_socket, packet_socket, key_socket, unix_stream_socket, unix_dgram_socket
  netlink sockets: netlink_socket, netlink_route_socket, netlink_firewall_socket, netlink_tcpdiag_socket, netlink_nflog_socket, netlink_xfrm_socket, netlink_selinux_socket, netlink_audit_socket, netlink_ip6fw_socket, netlink_dnrt_socket, netlink_kobject_uevent_socket

Example allow rule:

    allow passwd_t shadow_t : file
        { create ioctl read getattr lock write setattr append link unlink rename };

- Allows processes in the passwd_t domain read, write and create access (plus the other listed permissions) to files of type shadow_t
- Purpose: the passwd program runs with the passwd_t type, allowing it to change the shadow password file (/etc/shadow)
- Shadow password file attributes (DAC mode bits, owner and group, then the SELinux security context):

    -r-------- root root system_u:object_r:shadow_t /etc/shadow
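The allow rule above, together with the earlier point that the Linux DAC check and the SELinux type-enforcement check are independent and must both pass, as an added Python example (this is illustration code written for these notes, not code from the slides, from Tresys or from SELinux itself). The allow rule and the shadow_t context are the slide's; the rule grammar is a small subset of real policy syntax (one source type, one target type, one class), the DAC model is simplified (uid 0 is assumed to hold CAP_DAC_OVERRIDE), and the contexts root:system_r:passwd_t and user_u:user_r:user_t are chosen for illustration.

```python
"""Toy model of the two orthogonal checks on /etc/shadow: Linux DAC and
SELinux type enforcement (TE). Added illustration, not SELinux or Tresys code."""
import re
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Context:
    """Security context user:role:type[:range]; the MLS range is optional."""
    user: str
    role: str
    type: str
    range: str = ""


def parse_context(text: str) -> Context:
    # Split at most three times: an MLS range such as "s0:c0.c128" contains ':' itself.
    parts = text.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"malformed security context: {text!r}")
    return Context(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else "")


# Subset of the real syntax: one source type, one target type, one class,
# and a single permission or a brace-delimited set. Attributes, class sets,
# neverallow/dontaudit etc. are deliberately out of scope.
ALLOW_RE = re.compile(
    r"^allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*(?:\{\s*([\w\s]+?)\s*\}|(\w+))\s*;$")


class TEPolicy:
    """Default-deny TE policy: a permission exists only if an allow rule grants it."""

    def __init__(self) -> None:
        self.rules: Dict[Tuple[str, str, str], Set[str]] = {}

    def load(self, text: str) -> None:
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            m = ALLOW_RE.match(line)
            if not m:
                raise ValueError(f"unsupported rule: {line!r}")
            src, tgt, cls, braced, single = m.groups()
            perms = set(braced.split()) if braced else {single}
            self.rules.setdefault((src, tgt, cls), set()).update(perms)

    def allowed(self, subject: Context, obj: Context, cls: str, perm: str) -> bool:
        # Only the type field of each context takes part in a TE decision.
        return perm in self.rules.get((subject.type, obj.type, cls), set())


@dataclass(frozen=True)
class FileDAC:
    mode: str        # ls-style mode string, e.g. "-r--------"
    owner_uid: int
    owner_gid: int


# Which DAC mode bit an SELinux file permission needs (constructed mapping;
# permissions not listed, e.g. getattr, need no mode bit here).
DAC_BIT = {"read": "r", "write": "w", "append": "w", "execute": "x"}


def dac_allows(f: FileDAC, uid: int, gid: int, perm: str) -> bool:
    """Simplified Linux DAC check: uid 0 is assumed to hold CAP_DAC_OVERRIDE."""
    if uid == 0:
        return True
    if uid == f.owner_uid:
        bits = f.mode[1:4]
    elif gid == f.owner_gid:
        bits = f.mode[4:7]
    else:
        bits = f.mode[7:10]
    return DAC_BIT.get(perm, "") in bits


def access(policy: TEPolicy, subject: Context, obj: Context, cls: str, perm: str,
           f: FileDAC, uid: int, gid: int) -> Tuple[bool, str]:
    """The two mechanisms are independent and both must pass."""
    dac_ok = dac_allows(f, uid, gid, perm)
    te_ok = policy.allowed(subject, obj, cls, perm)
    if dac_ok and te_ok:
        return True, "allowed: DAC and TE both pass"
    failed = [name for name, ok in (("DAC", dac_ok), ("TE", te_ok)) if not ok]
    return False, "denied by " + " and ".join(failed)


# --- constructed sample data: the slide's rule and shadow_t context, plus hypothetical subjects
POLICY = """
# the rule from the slide
allow passwd_t shadow_t : file { create ioctl read getattr lock write setattr append link unlink rename };
"""
SHADOW_CTX = parse_context("system_u:object_r:shadow_t")   # from the slide
SHADOW_DAC = FileDAC("-r--------", 0, 0)                    # -r-------- root root
PASSWD_CTX = parse_context("root:system_r:passwd_t")       # user/role chosen for illustration
USER_CTX = parse_context("user_u:user_r:user_t")           # hypothetical shell domain with no rule


def demo() -> Dict[str, Tuple[bool, str]]:
    policy = TEPolicy()
    policy.load(POLICY)
    return {
        "passwd_t as root writes shadow": access(policy, PASSWD_CTX, SHADOW_CTX, "file", "write", SHADOW_DAC, 0, 0),
        "user_t as root reads shadow": access(policy, USER_CTX, SHADOW_CTX, "file", "read", SHADOW_DAC, 0, 0),
        "passwd_t as uid 1000 reads shadow": access(policy, PASSWD_CTX, SHADOW_CTX, "file", "read", SHADOW_DAC, 1000, 1000),
        "passwd_t as uid 1000 executes shadow": access(policy, PASSWD_CTX, SHADOW_CTX, "file", "execute", SHADOW_DAC, 1000, 1000),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:40} -> {why}")
```

The second case is the one that matters for SEAndroid-style confinement: a root shell passes the DAC check on /etc/shadow outright, but without an allow rule for its domain the TE check still denies it. The third case shows the reverse, a process in the right domain but without the DAC bits, and the fourth shows that a permission missing from the allow rule (execute) is denied regardless of DAC, because TE is default deny.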
