上下文linux格式化命令

安全操作系统中国科学技术大学计算机系陈香兰(0512-87161312)xlanchen@ustc.
edu.
cn助教:裴建国Autumn2008第八章国外知名安全操作系统介绍SE-Linux介绍EROS介绍IntroductiontoSE-LinuxReferenceBookSELinuxNSA'sOpenSourceSecurityEnhancedLinuxByBillMcCartyOctober2004Pages:254声明本部分内容参考了网上搜索到的多个pptDavidQuigley关于SELinux的ppt《SecurityEnhancedLinux》KenduestLee(小州)的《SELinux入门初探》主要内容DefinitionHistoryConceptsArchitectureSELinuxPolicyLanguageUserspace实现使用主要内容DefinitionHistoryConceptsArchitectureSELinuxPolicyLanguageUserspace实现使用Wikipediasays:Security-EnhancedLinux(SELinux)isaLinuxfeaturethatprovidesavarietyofsecuritypolicies,includingU.
S.
DepartmentofDefensestylemandatoryaccesscontrols,throughtheuseofLinuxSecurityModules(LSM)intheLinuxkernel.
ItisnotaLinuxdistribution,butratherasetofmodificationsthatcanbeappliedtoUnix-likeoperatingsystems,suchasLinuxandBSD.
…PrimarilydevelopedbytheUSNationalSecurityAgency…运行示意图主要内容DefinitionHistoryConceptsArchitectureSELinuxPolicyLanguageUserspace实现使用SELinuxTimeline1985:LOCK(earlyTypeEnforcement)1990:DTMach/DTOS1995:UtahFluke/Flask1999:2.
2LinuxKernel(patch)2000:2001:2.
4LinuxKernel(patch)2002:LSM2003:2.
6LinuxKernel(mainline)2006:FullnetworklabelingPresent主要内容DefinitionHistoryConceptsArchitectureSELinuxPolicyLanguageUserspace实现使用ConceptsBasicsecuritymodelsTERBACMLSBasicelementsSubjectsprocessthatarerequestingaccesstoanobjectObjectsitemsinasystemthatareactedupon(files,IPC,sockets,etc….
)ActionsSELinux中对上述几种安全模型的实现AllObjectsandSubjectscontainasecuritycontextSecurityContext(s)arecomposedoffourparts观察linux-2.
6.
26\security\selinux\ss\context.
h中关于安全上下文的定义Securitycontext,安全上下文ThreesecurityattributeUseridentity:与主体或客体相关联的用户id对一个主体,即进程而言,代表了该进程运行所处的账户上下文对一个客体,表明该客体的拥有者注意:与Linux自主访问控制中的UID,是不同的两套概念RoleTypeRole:asetofpermissionausercanbegranted在任意时刻,用户只能处于一个角色newrole命令:使用户从一个角色切换到另一个角色类似linux中的su命令4种标准角色:staff_rUsedforuserspermittedtoenterthesysadm_rrolesysadm_rUsedforthesystemadministratorsystem_rUsedforsystemprocessesandobjectsuser_rUsedforordinaryusersdummyroleforobjectthathavenootherneedofaroleobject_rTypeTE给每个主体和系统中的客体定义了一个类型当一个类型与进程关联时,其type也称为domainType用来将主体和客体划分为不同的组例如sysadm_t安全上下文的格式user:role:type系统中每个文件/目录/网络端口等都被指定一个安全上下文,安全策略则给出各安全上下文之间的作用规则在selinux中查看用户的安全上下文在selinux中查看进程的安全上下文在selinux中查看文件的安全上下文AllSecurityContextcomponentsarecheckedagainstthepolicytoseeifaccessisallowed.
TypeisthebasecomponentwhileroleanduserareusedtofurtherrestricttypeenforcementuserroleDomaintypeobjecttype用户、角色、域类型与客体类型的关系图安全标识符SID与安全上文对应系统启动时,这个数据结构将被装载initialSIDs理解:安全上下文,被保存在某种数据结构中,例如表格,使用SID可以在这个数据结构中找到对应的安全上下文对象的生命期根据生命期的不同,linux中的对象分成2种transientobjectsandpersistentobjectstransientobjects通常是一些内核数据结构,例如:进程SELinux使用memory-residenttable进行SID和安全上下文的映射关系persistentobjects例如文件、目录SELinux利用文件系统来存放永久安全描述符PSID例如,利用ext2/ext3的扩展属性在最初安装SELinux时,要为文件创建PSIDlabeling进程利用setfile进行Setfile根据一个称为filecontext的数据库进行Filecontext为一些特殊文件定义了初始安全上下文;为其他文件定义了缺省的安全上下文AccessDecisionsTheSELinuxsecurityservermakestwobasickindsofdecisions:AccessdecisionsTransitiondecisions,alsocalledlabelingdecisionsAccessdecisionsAccessvectorAbitmapassociatedwitheachobjectclassAsimplifiedaccessvectorforthefileclassMaketheaccessdecisionbyconsidering主体的安全上下文客体的安全上下文客体的安全类型Action返回:访问向量3个向量中,允许主体Append/create客体AsimplifiedaccessvectorresultingfromanaccessdecisionTransitiondecisionsFornewlycreatedobjectsProcess(subject)creationFile(object)creation主要内容DefinitionHistoryConceptsArchitectureSELinuxPolicyLanguageUserspace实现使用SELinuxArchitectureSELinuxconsistsofthefollowingmajorcomponents:Kernel-levelcodeTheSELinuxsharedlibrarylibselinux1.
soAsecuritypolicyFromabinarypolicyfile:/etc/security/selinuxToolsLabeledSELinuxfilesystems(optional)关于内核部分,采用了LSMKernelframeworkforsecuritymodulesProvidesasetofhookstoimplementfurthersecuritychecksUsuallyplacedafterexistingDACchecksandbeforeresourceaccessImplicationsSELinuxcheckisnotcallediftheDACfailsMakesauditingdifficultattimes.
SELinuxLSMModuleUserSpaceKernelSpaceSelinuxFilesystemAccessVectorCacheSecurityServer(PolicyRulesandAccessDecisionLogic)LSMHooksVariousKernelObjectManagersCacheMissYesorNoSELinuxLSMModulePolicyManagementInterfaceFiguretakenfromSELinuxbyExample关于用户态库:UserspaceObjectManagersAccessVectorCachelibselinuxUser-SpaceObjectManagerFiguretakenfromSELinuxbyExampleUserSpaceKernelSpaceSelinuxFilesystemPolicyManagementInterfaceAllowaccessYesorNoAccessVectorCacheSecurityServer(PolicyRulesandAccessDecisionLogic)CacheMissYesorNoPolicyServerAccessVectorCachelibselinuxUser-SpaceObjectManagerFiguretakenfromSELinuxbyExampleUserSpaceKernelSpaceSelinuxFilesystemPolicyManagementInterfaceCacheMissYesorNoUser-SpaceSecurityServerPolicyManagementServerLoadUserPolicyPolicyServerAccessVectorCacheSecurityServer(PolicyRulesandAccessDecisionLogic)CacheMissYesorNo关于策略和策略文件PolicyLanguageMake,Scripts,M4,andsoonTypeEnforcementStatements(Types,TERules,Roles,Users)ConstraintsResourcelabelingSpecificationsClassesandPermissionsCheckpolicyBinaryPolicyFileKernelSpaceSelinuxFilesystemAccessVectorCacheSecurityServer(PolicyRulesandAccessDecisionLogic)CacheMissYesorNoSELinuxLSMModuleload_policyPolicySourceModulespolicy.
confFiguretakenfromSELinuxbyExample关于SELinux的一些源文件theSELinuxsourcefilesareoffourmajortypesStandardsourcefilesthatareseldommodifiedbytheSELinuxadministratorSourcefilesthataretypicallymodifiedbytheSELinuxadministratorduringinitialconfigurationofSELinuxType-Enforcement(TE)sourcefilesFileContext(FC)sourcefilesSELinuxToolsSELinuxincludesthreemaincategoriesoftools:SpecialcommandsusedtoadministeranduseSELinuxModifiedversionsofstandardLinuxcommandsandprogramsSupplementarySELinuxtools,usedforpurposessuchaspolicyanalysisanddevelopmentSELinuxcommands例如chconcheckpolicygetenforce/setenforcenewrolerun_initsetfilesavc_enforcingavc_toggleModifiedLinuxcommandsandprograms例如cp,mv,install,andotherbasiccommandsidlspscronloginlogrotatepamsshvariousprogramsthatmodify/etc/passwdor/etc/shadowSupplementarySELinuxtools例如ApolSeAuditSeCmdsSePCuTSeUser主要内容DefinitionHistoryConceptsArchitectureSELinuxPolicyLanguageUserspace实现使用ObjectClassesRepresentsresourcesofacertainkindPolicymustincludedeclarationsforallobjectclassesClassesFilerelated(blk_file,chr_file,dir,fd…)Networkrelated(socket,packet_socket,rawip_socket,…)IPCrelated(ipc,msg,msgq,sem,shm)MiscClasses(capability,process,security,system)PermissionsSpecifictoaparticularObjectClassIncludestraditionalLinuxpermissionsExtendsexistingpermissionstobefinergrainedIncludesSELinuxspecificpermissionsforlabelingTypeEnforcementSeveralmajorkeywordstypeattributetypeattributetypealiasallowdontauditauditallowNeverallow类型的定义type[aliases][attributes];例#httpd_config_t是一个系统管理文件的类型typehttpd_config_t,file_type,sysadmfile;#httpd_port_t是保留的端口,端口号小于1024typehttp_port_t,port_type,reserved_port_type;TE访问向量规则(TEAccessVectorRules):av_kindallow表示允许主体对客体执行允许的操作.
neverallow表示不允许主体对客体执行指定的操作.
auditallow表示允许操作并记录访问决策信息.
dontaudit表示不记录违反规则的决策信息,且违反规则不影响运行.
例#允许域user_t对bin_t类型客体进行类别为file的read等操作allowuser_tbin_t:file{readgetattrlockexecuteioctlexecute_no_trans};#允许域user_t对它自己类型的客体进行process类别的所有操作allowuser_tself:process*;#允许域userdomain对shell_exec_t类型客体进行file类别的read等操作allowuserdomainshell_exec_t:file{readgetattrlockexecuteioctl};#不允许域passwd_t对非bin_t等类型的客体进行file类别的execute_no_trans操作neverallowpasswd_t~{bin_tsbin_tld_so_t}:fileexecute_no_trans;#不允许域domain对非domain类型的客体进行process类别的类型转移操作neverallowdomain~domain:processtransition;TE转移规则类型转移的语法如下:type_transition域转移语法如下:type_transition:\process创建一个新客体时创建一个新进程时例:域转移type_transitionhttpd_thttpd_sys_script_exec_t:process\httpd_sys_script_t;type_transitioninitrc_tsquid_exec_t:processsquid_t;当后台进程httpd以域httpd_t运行类型为httpd_sys_script_exec_t的文件,如:CGI脚本文件,新的进程(如:CGI脚本进程)将赋为httpd_sys_script_t域.