SELinux provides Flexible MAC
Flexible MAC integrated into Linux kernel
Application of the Flask security architecture
Integrated into major kernel subsystems
Provides object class and permission abstractions
Labels kernel objects with security contexts
Enforces access decisions on kernel operations
Notes:
Reference implementation of the Flask architecture for flexible MAC in Linux: it cleanly separates policy from enforcement, with well-defined policy interfaces, support for policy changes, fine-grained controls, and caching of access decisions. Together these support policy flexibility.
Integrated into the major subsystems of the Linux kernel, covering process, file, socket/networking, System V IPC, etc.
Introduces abstractions of "object classes" and "permissions" for kernel objects and operations.
Maintains security labels on all processes and objects. These labels, called "security contexts", include all security-relevant attributes. File security contexts are stored as extended attributes associated with the inode on disk.
On an attempted access to a kernel object, the kernel consults a policy engine to determine whether the access is permitted, based on the security contexts of the process and of the object.
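The decision loop described in these notes (security contexts on subject and object, object classes and permissions, a policy engine consulted on a cache miss) as a small runnable model. This is an added illustration, not SELinux code; it assumes the user:role:type[:range] context format and SELinux's `allow src tgt:class { perms };` rule shape, and the policy excerpt and contexts below are constructed for the example.

```python
import re
from collections import namedtuple

# A security context carries the security-relevant attributes of a process or
# object; this toy engine decides on the type field only (type enforcement).
Context = namedtuple("Context", "user role type")

def parse_context(s):
    user, role, type_ = s.split(":")[:3]   # optional MLS range is ignored here
    return Context(user, role, type_)

# allow <source_type> <target_type> : <object_class> { <permissions> } ;
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*\{\s*([\w\s]+)\}\s*;")

def parse_policy(text):
    """Return {(src_type, tgt_type, class): set(perms)} from allow rules."""
    rules = {}
    for src, tgt, cls, perms in RULE_RE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules

class AVC:
    """Access vector cache: memoises policy-engine answers per (src, tgt, class)."""
    def __init__(self, policy):
        self.policy, self.cache, self.lookups = policy, {}, 0

    def allowed(self, scon, tcon, tclass):
        key = (scon.type, tcon.type, tclass)
        if key not in self.cache:          # cache miss: consult the policy engine
            self.lookups += 1
            self.cache[key] = self.policy.get(key, set())   # default deny
        return self.cache[key]

    def check(self, scon, tcon, tclass, perm):
        return perm in self.allowed(scon, tcon, tclass)

# Constructed policy excerpt and labels for a web server and two files.
POLICY = """
allow httpd_t httpd_sys_content_t : file { read getattr open };
allow httpd_t http_port_t : tcp_socket { name_bind };
"""
HTTPD = parse_context("system_u:system_r:httpd_t:s0")
WEBROOT = parse_context("system_u:object_r:httpd_sys_content_t:s0")
SHADOW = parse_context("system_u:object_r:shadow_t:s0")
avc = AVC(parse_policy(POLICY))

if __name__ == "__main__":
    print(avc.check(HTTPD, WEBROOT, "file", "read"))   # True
    print(avc.check(HTTPD, WEBROOT, "file", "write"))  # False: permission not granted
    print(avc.check(HTTPD, SHADOW, "file", "read"))    # False: no rule, default deny
```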