• Home

  • Documents

  • Security-Enhanced Linux & Linux Security Module The George Washington University CS297...
10
Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU

Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU

Embed Size (px)

Citation preview

Page 1: Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU

Security-Enhanced Linux

&Linux Security Module

The George Washington UniversityCS297 Programming Language & SecurityYU-HAO HU

Page 2: Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU

Introduction: Why SELinux ?

Discretionary Access Control (DAC) has not enough choices for controlling object.

Mandatory Access Control (MAC) allows you to define permissions for how all processes (called subjects) interact with other parts of the system such as files, devices, sockets, ports, and other processes (called objects in SELinux).

Page 3: Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU

Linux Security Module: Overview SELinux motivated the creation of LSM. Separate kernel from security features in

order to minimize the impact to kernel. LSM doesn’t provide any security rather it

add security fields to kernel and provide interface to manage these fields for maintaining security attributes..

Page 4: Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU

Linux Security Module: Hooks Hooks are a set of functions to control operati

ons on kernel objects and security fields in kernel data structures.

Management Hooks:used to manage security fields.Ex. file_alloc_security

Control Hooks:used to perform access controlsEx. selinux_inode_permission

Page 5: Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU

LSM Hook Architecture

Page 6: Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU

SELinux Overview

Implement Flask architecture. SELinux is implemented in the Linux kernel

using the LSM (Linux Security Modules) framework.

To support fine-grained access control, SELinux implements two technologies: Type Enforcement (TE) and Role-based Access Control (RBAC).

Page 7: Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU

Flask Architecture: WHO is doing WHAT

Page 8: Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU

Type Enforcement & Domain Transition Domain

Domain defines what process can do. Type

A type is assigned to an object and determines who gets to access that object.

Domain Transitionwhen a process invoke another process

Type Enforcementwhen a object is accessed

Page 9: Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU

Role-Based Access Control

Associate the role with domains that a user role can access.

If a role is not authorized to enter a domain, then it will be denied.

Page 10: Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU

References

Linux Security Module Framework. 2002 Ottawa Linux Symposium, Ottawa, Canada, June 2002.

Linux Security Modules: General Security Support for the Linux Kernel.

11th USENIX Security Symposium, San Francisco, CA, August 2002.

Red Hat SELinux Guide Configuring the SELinux PolicyStephen Smalley (NAI Labs)

Implementing SELinux as a Linux Security ModuleStephen Smalley, Chris Vance, and Wayne Salamon (NAI Labs)

Getting Started with SE Linux HOWTO: the new SE Linux Faye Coker

Writing SE Linux Policy HOWTO Faye Coker


HackNotes : Linux and Unix Security Portable Reference - Linux and Unix...Linux and Unix Security Portable Reference ... HackNotes Linux and Unix Security Portable Reference is

HackNotes : Linux and Unix Security Portable Reference - Linux and Unix...Linux and Unix Security Portable Reference ... HackNotes Linux and Unix Security Portable Reference is

Documents
Linux Security Primer - SISSA People Personal Home Pagescalucci/linux_security/linux... · 2007-12-19 · Linux Security Primer Piero Calucci Security what? Password Selection Storage

Linux Security Primer - SISSA People Personal Home Pagescalucci/linux_security/linux... · 2007-12-19 · Linux Security Primer Piero Calucci Security what? Password Selection Storage

Documents
LINUX SECURITY FUNDAMENTALS

LINUX SECURITY FUNDAMENTALS

Documents
Security & Cryptography In Linux

Security & Cryptography In Linux

Technology
UniS CS297 Graphics with Java and OpenGL Blending

UniS CS297 Graphics with Java and OpenGL Blending

Documents
Linux: Networking & Security

Linux: Networking & Security

Documents
Linux Security - St.Louis Linux User's Group

Linux Security - St.Louis Linux User's Group

Documents
Linux’ Security Haifa Linux Club 21.10.99 Orr Dunkelman

Linux’ Security Haifa Linux Club 21.10.99 Orr Dunkelman

Documents
Linux Security Myth

Linux Security Myth

Technology
Linux Windows Security

Linux Windows Security

Documents
linux security: interact with linux

linux security: interact with linux

Technology
Linux Security Zuo

Linux Security Zuo

Documents
F-Secure Linux Security

F-Secure Linux Security

Documents
Linux Kernel Security Overview - Linux Kernel Developernamei.org/presentations/linux-kernel-security-kca09.pdf · Linux Kernel Security Overview Kernel Conference Australia ... Labeled

Linux Kernel Security Overview - Linux Kernel Developernamei.org/presentations/linux-kernel-security-kca09.pdf · Linux Kernel Security Overview Kernel Conference Australia ... Labeled

Documents
Security and Linux Security

Security and Linux Security

Technology
FOSS Security through SELinux (Security Enhanced Linux)

FOSS Security through SELinux (Security Enhanced Linux)

Documents
Security Strategies in Linux Platforms and Applications Lesson 1 Security Threats to Linux

Security Strategies in Linux Platforms and Applications Lesson 1 Security Threats to Linux

Documents
CS297 Report Online Video Chatting Tool

CS297 Report Online Video Chatting Tool

Documents
CS297 Graphics with Java and OpenGL

CS297 Graphics with Java and OpenGL

Documents
Security-Enhanced Linux Red Hat Enterprise Linux 6

Security-Enhanced Linux Red Hat Enterprise Linux 6

Documents
Linux Security Primer - people.sissa.itpeople.sissa.it/~calucci/linux_security/linux_security-printable.pdf · Linux Security Primer Piero Calucci Security what? Password Selection

Linux Security Primer - people.sissa.itpeople.sissa.it/~calucci/linux_security/linux_security-printable.pdf · Linux Security Primer Piero Calucci Security what? Password Selection

Documents
CS297 Report Enhancing open source localization...CS297 Report Enhancing open source localization Farzana Forhad farzanaforhad2003@yahoo.com Advisor: Dr. Chris Pollett Department of

CS297 Report Enhancing open source localization...CS297 Report Enhancing open source localization Farzana Forhad [email protected] Advisor: Dr. Chris Pollett Department of

Documents
Server Security for Linux and Containers...Purpose-Built, Multi-Distribution Security for Linux Server and Container Workloads Bitdefender Server Security for Linux and Containers

Server Security for Linux and Containers...Purpose-Built, Multi-Distribution Security for Linux Server and Container Workloads Bitdefender Server Security for Linux and Containers

Documents
CS297 Report Media Applets and Tunneling Applets€¦ · CS297 Report Media Applets and Tunneling Applets Xunyan Yang (xunyanyang@hotmail.com) Advisor: Dr. Chris Pollett 1. ... RTSP

CS297 Report Media Applets and Tunneling Applets€¦ · CS297 Report Media Applets and Tunneling Applets Xunyan Yang ([email protected]) Advisor: Dr. Chris Pollett 1. ... RTSP

Documents
linux security services

linux security services

Documents
UniS CS297 Graphics with Java and OpenGL Introduction

UniS CS297 Graphics with Java and OpenGL Introduction

Documents
Security Enhanced Linux

Security Enhanced Linux

Documents
Red Hat Linux 9 Red Hat Linux Security Guidedownloads.tuxpuc.pucp.edu.pe/manuales/rh90/rhl-sg-en.pdf · Red Hat Linux 9 Red Hat Linux Security Guide. Red Hat Linux 9: Red Hat Linux

Red Hat Linux 9 Red Hat Linux Security Guidedownloads.tuxpuc.pucp.edu.pe/manuales/rh90/rhl-sg-en.pdf · Red Hat Linux 9 Red Hat Linux Security Guide. Red Hat Linux 9: Red Hat Linux

Documents
Security Namespace: Making Linux Security Frameworks

Security Namespace: Making Linux Security Frameworks

Documents
Fundamentals of Linux Platform Securitycja/LPS12b/lectures/lps-10.pdfFundamentals of Linux Platform Security Module 10 Platform Security . Roadmap • Real-World Linux Security •

Fundamentals of Linux Platform Securitycja/LPS12b/lectures/lps-10.pdfFundamentals of Linux Platform Security Module 10 Platform Security . Roadmap • Real-World Linux Security •

Documents