Concepts
❖ Basic security models
  ➢ TE
  ➢ RBAC
  ➢ MLS
❖ Basic elements
  ➢ Subjects
    ⚫ processes that are requesting access to an object
  ➢ Objects
    ⚫ items in a system that are acted upon (files, IPC, sockets, etc.)
  ➢ Actions

Embedded System Laboratory, Suzhou Institute for Advanced Study of USTC
How SELinux implements the security models above
❖ All objects and subjects carry a security context
  ➢ A security context is composed of four parts
❖ See the definition of the security context in linux-2.6.26\security\selinux\ss\context.h:

    /*
     * A security context consists of an authenticated user
     * identity, a role, a type and a MLS range.
     */
    struct context {
    	u32 user;
    	u32 role;
    	u32 type;
    	struct mls_range range;
    };
Security context
Three security attributes
❖ User identity: the user id associated with a subject or object
  ➢ For a subject, i.e. a process, it represents the account context the process runs under
  ➢ For an object, it identifies the object's owner
  ➢ Note: this is a separate concept from the UID used by Linux discretionary access control
❖ Role
❖ Type
❖ Role: a set of permissions a user can be granted
  ➢ At any moment a user can be in only one role
  ➢ The newrole command switches a user from one role to another
    ⚫ similar to the su command in Linux
  ➢ 4 standard roles:
    ⚫ staff_r   Used for users permitted to enter the sysadm_r role
    ⚫ sysadm_r  Used for the system administrator
    ⚫ system_r  Used for system processes and objects
    ⚫ user_r    Used for ordinary users
  ➢ Dummy role for objects that have no other need of a role:
    ⚫ object_r
❖ Type: TE assigns a type to every subject and every object in the system; when a type is associated with a process, that type is also called a domain
❖ Types are used to partition subjects and objects into different groups
  ➢ e.g. sysadm_t
❖ Format of a security context: user:role:type
❖ Every file, directory, network port, etc. in the system is assigned a security context; the security policy then gives the rules governing the interactions between security contexts
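The following C program is an added example, not code from the slides or from the kernel. It ties together the two slides on the security context: it parses a context string of the form user:role:type, with the optional fourth MLS-range part that struct context also carries, into a struct mirroring the kernel's four fields, and then makes a TE access decision in which only the subject's domain and the object's type are consulted. Two things go beyond the slides and are assumptions for illustration: the policy fragment (role_types, allow_rules) is constructed, not a real distribution policy, and the role/type validity check with its object_r exemption follows the kernel's own context validation rather than anything stated on the slides.

```c
#include <stdio.h>
#include <string.h>

#define CTX_MAX 64

/* Mirrors the four-part layout of struct context
 * (security/selinux/ss/context.h) but keeps the names as strings;
 * the kernel stores u32 values resolved when the policy is loaded. */
struct sec_context {
    char user[CTX_MAX];
    char role[CTX_MAX];
    char type[CTX_MAX];
    char range[CTX_MAX]; /* MLS range such as "s0-s0:c0.c1023", "" if absent */
};

static int copy_field(const char *start, size_t len, char *dst)
{
    if (len == 0 || len >= CTX_MAX)
        return -1;               /* empty or oversized field: reject */
    memcpy(dst, start, len);
    dst[len] = '\0';
    return 0;
}

/* Parse "user:role:type[:range]". The MLS range itself uses ':' between
 * sensitivity and categories, so everything after the third ':' is the
 * range. Returns 0 on success, -1 on malformed input. */
int parse_context(const char *s, struct sec_context *ctx)
{
    char *fields[3] = { ctx->user, ctx->role, ctx->type };
    const char *p = s;
    int i;

    memset(ctx, 0, sizeof(*ctx));
    for (i = 0; i < 3; i++) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);

        if (copy_field(p, len, fields[i]) < 0)
            return -1;
        if (!colon)
            return i == 2 ? 0 : -1; /* string ended: ok only after the type */
        p = colon + 1;
    }
    return copy_field(p, strlen(p), ctx->range);
}

/* Constructed policy fragment (hypothetical): "role R types T"
 * declarations and TE "allow" rules. */
struct role_type  { const char *role, *type; };
struct allow_rule { const char *domain, *obj_type, *cls, *perm; };

static const struct role_type role_types[] = {
    { "system_r", "httpd_t" },
    { "sysadm_r", "sysadm_t" },
    { "user_r",   "user_t" },
};
static const struct allow_rule allow_rules[] = {
    { "httpd_t",  "httpd_sys_content_t", "file", "read"  },
    { "sysadm_t", "shadow_t",            "file", "read"  },
    { "sysadm_t", "shadow_t",            "file", "write" },
};

/* A context is valid only if its role is authorized for its type.
 * object_r, the dummy role for objects, is exempt from this check. */
int context_is_valid(const struct sec_context *ctx)
{
    size_t i;
    if (strcmp(ctx->role, "object_r") == 0)
        return 1;
    for (i = 0; i < sizeof role_types / sizeof role_types[0]; i++)
        if (strcmp(role_types[i].role, ctx->role) == 0 &&
            strcmp(role_types[i].type, ctx->type) == 0)
            return 1;
    return 0;
}

/* TE decision: only the subject's type (its domain) and the object's type
 * take part in the allow lookup; user and role do not. Default is deny. */
int te_allowed(const struct sec_context *subj, const struct sec_context *obj,
               const char *cls, const char *perm)
{
    size_t i;
    for (i = 0; i < sizeof allow_rules / sizeof allow_rules[0]; i++)
        if (strcmp(allow_rules[i].domain, subj->type) == 0 &&
            strcmp(allow_rules[i].obj_type, obj->type) == 0 &&
            strcmp(allow_rules[i].cls, cls) == 0 &&
            strcmp(allow_rules[i].perm, perm) == 0)
            return 1;
    return 0;
}

/* 1 = allowed, 0 = denied, -1 = a context is malformed or invalid. */
int check_access(const char *subj_str, const char *obj_str,
                 const char *cls, const char *perm)
{
    struct sec_context subj, obj;
    if (parse_context(subj_str, &subj) < 0 || parse_context(obj_str, &obj) < 0)
        return -1;
    if (!context_is_valid(&subj) || !context_is_valid(&obj))
        return -1;
    return te_allowed(&subj, &obj, cls, perm);
}

int main(void)
{
    const char *web    = "system_u:system_r:httpd_t:s0";
    const char *page   = "system_u:object_r:httpd_sys_content_t:s0";
    const char *shadow = "system_u:object_r:shadow_t:s0";
    printf("httpd_t read page:   %d\n", check_access(web, page, "file", "read"));
    printf("httpd_t read shadow: %d\n", check_access(web, shadow, "file", "read"));
    printf("bad role/type pair:  %d\n",
           check_access("staff_u:user_r:sysadm_t:s0", shadow, "file", "read"));
    return 0;
}
```

The point to notice is that the web server's user and role never enter the allow lookup: moving the process to another role changes nothing unless the domain changes, and a context whose role is not authorized for its type is rejected outright, before any rule is consulted.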