discretionary access control ==========> permissions are set, usually by the resource owner.
mandatory access control ===========> permissions are set by fixed rules based on policies and cannot be overridden by users
if a user such as malik wants to access a root-owned file, discretionary access control is checked first; only if DAC allows the access is SELinux checked
SELinux ===========> is a Linux security module built into the Linux kernel. When a security-relevant access takes place, such as a process attempting to open a file, the operation is intercepted in the kernel by SELinux.
If an SELinux rule allows the operation it continues; otherwise the operation is blocked and the process receives an error.
It adds mandatory access control to the kernel and lets untrustworthy applications be executed safely.
discretionary access control systems control how subjects interact with objects and how subjects interact with each other.
SELinux Context =========> the context contains additional information about a system object: the SELinux user, their role, their type, and the security level.
SELinux uses this context information to control access by processes, Linux users, and files
Benefits .....
all processes and files are labelled with a type. A type defines a domain for processes and a type for files.
processes are separated from each other by running in their own domain. SELinux defines how processes
reduces escalation attacks. If a process is compromised, the attacker only gets access to that process's normal functions and
antivirus software
................
SELinux is designed to enhance existing security solutions, not replace them.
default access is deny. If an SELinux policy rule does not exist to allow access, such as a process
///////////////////////
SELinux decisions, such as allowing or disallowing access, are cached in the Access Vector Cache (AVC).
when cached decisions are used, SELinux policy rules need to be checked less often.
.....................
Enforcing =============> the SELinux policy is enforced; SELinux denies access based on SELinux policy rules
Permissive =============> the SELinux policy is not enforced; SELinux does not deny access, but it logs the denials
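The context fields and the AVC denial records that enforcing and permissive mode produce, as an added example (not part of the original notes): a context splitter and a small summariser for audit.log AVC lines. It assumes the standard audit.log "type=AVC ... permissive=N" record layout; the sample records are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: split an SELinux context into
# its four fields and summarise AVC denial records from audit.log.
# Assumes the standard audit.log "type=AVC ... permissive=N" format; the
# sample records below are constructed for this example.

# ctx_field CONTEXT FIELD -> print the user, role, type or level of CONTEXT.
# The level is "everything after the third colon", because an MLS range such
# as s0-s0:c0.c1023 itself contains a colon.
ctx_field() {
    case "$2" in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# avc_summary: reads audit records on stdin, prints one line per AVC denial:
#   MODE PERMISSIONS SOURCE_TYPE TARGET_TYPE CLASS
# MODE is "blocked" when permissive=0 (the decision was enforced) and
# "logged-only" when permissive=1 (recorded, but the access went ahead).
avc_summary() {
    awk '
    /type=AVC/ && /denied/ {
        mode = "unknown"; perm = ""; st = ""; tt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                     # collect "{ read write }"
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : "+") $j
                i = j
            } else if (index($i, "scontext=") == 1) {
                split(substr($i, 10), a, ":"); st = a[3]   # source type
            } else if (index($i, "tcontext=") == 1) {
                split(substr($i, 10), b, ":"); tt = b[3]   # target type
            } else if (index($i, "tclass=") == 1) {
                cls = substr($i, 8)
            } else if ($i == "permissive=0") { mode = "blocked" }
            else if ($i == "permissive=1") { mode = "logged-only" }
        }
        print mode, perm, st, tt, cls
    }'
}
# Constructed sample: one denial enforced, one recorded in permissive mode.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="sda1" ino=5150 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13
type=AVC msg=audit(1700000000.202:202): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1'

printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

On a real host, feed it `grep AVC /var/log/audit/log` instead of the sample; a "logged-only" line is exactly what permissive mode leaves behind while the access itself proceeds.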
........................
3 SELinux types
====> Confined (means access is limited to its domain) .....> targeted processes are started. This is for services that listen on the network
======> unconfined (means access to all domains) -----> system processes during init, and logged-in users.
====> minimum
=====> mls
semanage boolean -l ======> show all booleans in SELinux. Booleans exist so that if you want one service to have two types of SELinux
semanage login -l =============> show local user mappings to SELinux users
setsebool ===> changes SELinux policy booleans, for example whether confined users may use executable writable memory chunks.