linux selinux is the implementation of mandatory access control by the US National Security Agency and is the most outstanding new security subsystem in the history of Linux; SELinux is the mandatory access control system provided in version 2.6 of the Linux kernel; most used SELinux people use SELinux-ready distributions, such as Fedora, Red Hat Enterprise Linux, Debian or Centos.
#The operating environment of this tutorial: selinux2.6 system, Dell G3 computer.
linux What is selinux?
SELinux (Security-Enhanced Linux) is the implementation of mandatory access control by the US National Security Agency (NSA) and is the most powerful in the history of Linux. Outstanding new security subsystem. NSA developed an access control system with the help of the Linux community. Under the restrictions of this access control system, a process can only access those files required for its task. SELinux is installed by default on Fedora and Red Hat Enterprise Linux, and is also available as an easy-to-install package on other distributions.
SELinux is the Mandatory Access Control (MAC) system provided in version 2.6 of the Linux kernel. SELinux is the most comprehensive and well-tested of the Linux security modules available, and is built on 20 years of MAC research. SELinux incorporates multi-level security or an optional multi-class policy in a type-enforced server and adopts the concept of role-based access control.
Most people who use SELinux are using a SELinux-ready distribution, such as Fedora, Red Hat Enterprise Linux (RHEL), Debian, or Centos. They all enable SELinux in the kernel and provide a customizable security policy. They also provide many user-level libraries and tools that can use SELinux functions.
SELinux is a mandatory access control (MAC) security system based on the domain-type model. It is written by the NSA and designed as a kernel module included in the kernel. It has certain security-related The application has also been patched with SELinux, and finally there is a corresponding security policy. Any program has complete control over its resources. Suppose a program intends to throw files containing potentially important information into the /tmp directory, then no one can stop it in the case of DAC. SELinux provides better access control than traditional UNIX permissions.
How SELinux works
SELinux defines everyone’s access control to applications, processes and files on the system. Use security policies (a set of rules that tell SELinux what can and cannot be accessed) to enforce the access allowed by the policy.
When an application or process (called a principal) makes a request to access an object (such as a file), SELinux checks the access vector cache (AVC), which caches the access permissions of the principal and object.
If SELinux cannot make an access decision for permissions based on cache, it sends the request to a secure server. The security server then checks the security context of the application or process and file to see if it matches the security context of the SELinux policy database. Permissions are then granted or denied based on the checks.
If rejected, the message "avc: denied" will be displayed in /var/log.messages.
Related recommendations: "Linux Video Tutorial"
The above is the detailed content of linux selinux what is. For more information, please follow other related articles on the PHP Chinese website!