
SELINUX

Discretionary access control ==========> permissions are usually set by the resource owner.

Its decisions are based on user identity, ownership and group ID.

Mandatory access control ===========> permissions are set by fixed rules based on policies and cannot be overridden by users.

It is used when running Linux in enforcing mode.

If malik wants to access a root file, discretionary access control is checked first; if it allows the access, then SELinux is checked.

SELinux ===========> is a Linux security module built into the Linux kernel. When a security-relevant access takes place, such as a process attempting to open a file, the operation is intercepted in the kernel by SELinux.

If an SELinux rule allows the operation, it continues; otherwise the operation is blocked and the process receives an error.

It adds mandatory access control to the kernel and lets untrustworthy applications be executed safely.

In SELinux, files, directories and devices are called objects.

Processes, such as a user running a command or an application, are called subjects.

The discretionary access control system controls how subjects interact with objects and how subjects interact with each other.

In it, the user controls the permissions of objects.

Selinux Context =========>The context contains additional information about a system object: the SELinux user, their
role, their type, and the security level.

SELinux uses this context information to control access by processes, Linux users, and files

Benefits .....

All processes and files are labelled with a type. A type defines a domain for processes and a type for files.

Processes are separated from each other by running in their own domains. SELinux defines how processes interact with each other as well as with files.

SELinux policy is defined by the administrator and enforced system-wide.

Reduces escalation attacks. If a process is compromised, the attacker only has access to the normal functions of that process and to the files the process has been configured to have access to.


................

However, SELinux is not .............>>

antivirus software

a replacement for passwords, firewalls, and other security systems

an all-in-one security solution

................

SELinux is designed to enhance existing security solutions, not replace them.

Default access is deny. If no SELinux policy rule exists to allow an access, such as a process opening a file, access is denied.

Some confined and unconfined users exist in SELinux policy.

SELinux limits the damage if you make a mistake in system configuration.

///////////////////////

Access vector cache

SELinux decisions, such as allowing or disallowing access, are cached; this cache is called the access vector cache.

When cached decisions are used, SELinux policy rules need to be checked less often.

.....................

SELinux three modes

Enforcing =============> SELinux policy is enforced; SELinux denies access based on SELinux policy rules.

/var/log/audit/audit.log =====> stores the log of whether accesses were allowed or denied.

Permissive =============> SELinux policy is not enforced. SELinux does not deny access, but it logs the accesses that would have been denied if enforcing mode were on.

Disabled ==========> SELinux is disabled; only the DAC rules are applied.
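
To see the difference between enforcing and permissive entries in the audit log, here is an added example (not part of the original notes): it reads AVC records and reports whether each denial was actually blocked or only logged, along with the subject and object types taken from the SELinux contexts. The sample records are constructed, and the function names `sample_avc` and `summarize_avc` are hypothetical.

```shell
#!/bin/sh
# Added example: classify SELinux AVC denials as blocked (enforcing) or
# logged-only (permissive). Sample records are constructed, not real logs.

sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=5001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000050.202:202): avc:  denied  { name_bind } for  pid=1302 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
EOF
}

# Reads audit records on stdin and prints, per AVC denial:
#   <blocked|logged-only> <subject type> <object type> <class> <permissions>
summarize_avc() {
  awk '
    /^type=AVC / && / denied / {
      perm = ""; src = ""; tgt = ""; cls = ""; mode = "blocked"
      for (i = 1; i <= NF; i++) {
        if ($i == "{") {
          # Permissions are the words between the braces.
          for (j = i + 1; j <= NF && $j != "}"; j++)
            perm = (perm == "" ? "" : perm ",") $j
        } else if ($i ~ /^scontext=/) {
          # Context is user:role:type:level; the type is field 3.
          split(substr($i, 10), c, ":"); src = c[3]
        } else if ($i ~ /^tcontext=/) {
          split(substr($i, 10), c, ":"); tgt = c[3]
        } else if ($i ~ /^tclass=/) {
          cls = substr($i, 8)
        } else if ($i == "permissive=1") {
          # In permissive mode the access went ahead and was only logged.
          mode = "logged-only"
        }
      }
      print mode, src, tgt, cls, perm
    }'
}

sample_avc | summarize_avc
```

On a real host, feed it the audit log instead of the sample, for example `summarize_avc < /var/log/audit/audit.log` as root.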

........................

Configuration file is ===========> /etc/selinux/config

setenforce 0 ============> set SELinux to permissive mode temporarily

setenforce 1 ==========> set SELinux to enforcing mode temporarily

getenforce ==============> show the current SELinux mode

.autorelabel ==================> resets the existing defined SELinux contexts; the default SELinux contexts are applied when the system reboots.

3 SELinux types

===> Targeted ......> it is the default policy in SELinux

Two modes in the targeted policy:

====> Confined (means access within a domain) .....> targeted processes that are started. This is for services that listen on the network and processes that run as root, such as the passwd utility.

======> Unconfined (means access to all domains) -----> system processes during init, and logged-in users.

====> minimum

=====> mls

sestatus =====> show SELinux info

chcon -t type_name dir/file_location ======> change the SELinux context temporarily

restorecon service_name/file_name/dir_name ===========> restore the SELinux context of whatever name is given

semanage boolean -l ======> show all booleans in SELinux. Booleans are for when you want to allow a service two types of SELinux context.

semanage fcontext -a -t type_name file/dir/service_name

semanage login -l =============> show local user mappings to SELinux users

seinfo -u ===========> show SELinux users

seinfo -r ============> show roles for users

setsebool ===> used to change booleans (such as executable writable memory chunks) in the SELinux policy for confined users

semanage boolean -l ========> show all booleans

To give a confined user access to a service, turn that service's boolean value on.

setsebool -P boolean_name on ========> change the boolean value permanently
