Explore how SELinux works

In today’s Internet era, network security issues have become increasingly prominent. In order to protect the system from malicious attacks and unauthorized access, the operating system has higher requirements for security mechanisms. SELinux (Security-Enhanced Linux), as a security module of the Linux kernel, provides powerful security policies and access control mechanisms, providing additional security for the system.

1. Working mode of SELinux

SELinux adopts mandatory access control (MAC) mechanism, which is different from traditional discretionary access control (DAC). In DAC mode, access control depends on the owner of the resource, that is, the access permission of the resource is determined by the owner of the resource. In the MAC mode of SELinux, all resource access is subject to strict mandatory policy control, including processes, files, sockets, etc. This means that even if a user obtains root privileges, they cannot bypass the SELinux protection mechanism.

In SELinux, each process and object has a corresponding security context. The security context consists of a subject label and an object label. The subject label represents the permissions of the process, and the object label represents the permissions of the object. When a request is initiated, SELinux will determine whether to allow the request based on the access control matrix of the subject label and object label.

2. Specific code examples

Next, we will demonstrate the working mode of SELinux through a simple code example. In this example, we will create a simple C program that attempts to open a file and write its contents. We will use SELinux's security rules to limit the permissions of this program.

First, we need to ensure that SELinux is installed in the system and SELinux is enabled. Then, we create a file named "selinux_example.c" and write the following code:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>

int main() {
    char *file_path = "/tmp/example.txt";
    char *content = "Hello, SELinux!";

    int fd = open(file_path, O_RDWR|O_CREAT, S_IRUSR|S_IWUSR);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    if (write(fd, content, sizeof(content)) < 0) {
        perror("write");
        close(fd);
        return 1;
    }

    close(fd);

    return 0;
}

In this program, we try to open a file named "example.txt" and write the content "Hello , SELinux!". Next, we need to create a SELinux security policy for this program. We can use the "audit2allow" tool to generate a temporary SELinux policy and then load this policy. Execute the following command:

audit2allow -a -M my_selinux_example
semodule -i my_selinux_example.pp

After generating the policy, we can run the compiled program and it should be able to successfully write to the file. Then, we can view the tracking and recording of access permissions through the SELinux audit log. Execute the following command:

grep 'avc: ' /var/log/audit/audit.log | audit2why

Through the above sample code and steps, we can have a deeper understanding of the working mode of SELinux and how to protect the system through security policies. SELinux provides a powerful security mechanism to ensure that the system is protected from malicious attacks and abuse. If you want to learn more about SELinux, it is recommended to consult more relevant information and documents to learn more about how to write and manage security policies.

The above is the detailed content of Explore how SELinux works. For more information, please follow other related articles on the PHP Chinese website!