|
The Next Wave (TNW)
About
Subscribe to TNW
Archive
Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
|
SELinux Security Policy AbstractionsThe security architecture of the system is general enough to support many security policy abstractions. The access controls in the implemention currently support a combination of two, type enforcement and role-based access control. This combination was chosen because togther they provide powerful tools to construct useful security policies. The specific policy that is enforced by the kernel is dictated by security policy configuration files which include type enforcement and role-based access control components. The type enforcement component defines an extensible set of domains and types. Each process has an associated domain, and each object has an associated type. The configuration files specify how domains are allowed to access types and to interact with other domains. They specify what types (when applied to programs) can be used to enter each domain and the allowable transitions between domains. They also specify automatic transitions between domains when programs of certain types are executed. Such transitions ensure that system processes and certain programs are placed into their own separate domains automatically when executed. The role-based access control component defines an extensible set of roles. Each process has an associated role. This ensures that system processes and those used for system administration can be separated from those of ordinary users. The configuration files specify the set of domains that may be entered by each role. Each user role has an initial domain that is associated with the user's login shell. As users execute programs, transitions to other domains may, according to the policy configuration, automatically occur to support changes in privilege.
Linux is a registered trademark of Linus Torvalds |
|
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |











