333.2 - Mandatory Access Control
Key Knowledge Areas:
- Understand the concepts of type enforcement, role based access control, mandatory access control and discretionary access control
- Configure, manage and use SELinux
- Awareness of AppArmor and Smack
Partial list of the used files, terms and utilities:
- getenforce
- setenforce
- selinuxenabled
- getsebool
- setsebool
- togglesebool
- fixfiles
- restorecon
- setfiles
- newrole
- setcon
- runcon
- chcon
- semanage
- sestatus
- seinfo
- apol
- seaudit
- audit2why
- audit2allow
- /etc/selinux/*
Files
/etc/selinux/*
- config: configures the SELinux state (disabled; enforcing; permissive), and type (minimum; mls; targeted)
(Fedora: selinux-policy.noarch) - semanage.conf: configures how libsemanage communicates with an SELinux policy manager (/foo/bar; direct; foo.com:4242; source), and how it operates
(Fedora: libsemanage.x86_64) - targeted/*: policy files
(Fedora: selinux-policy-targeted.noarch)
Utilities
selinuxenabled
Command that returns exit status 0 if SELinux is enabled, or else 1.
sestatus
Show an overview of the SELinux status (i.e. state, paths, policies, etc.)
seinfo, apol
Get information on SELinux policy or analyze SELinux policy graphically (similar output)
seaudit
Analyze audit logs graphically
audit2allow, audit2why
Generate audit rules from logs or describe why access was denied (alias for audit2allow -w)
semanage
Manage SELinux policies
getenforce, setenforce
Get or set the SELinux state
getsebool, setsebool, togglesebool
Get, set, or toggle SELinux booleans
fixfiles, setfiles
Correct or set SELinux context of files
chcon, restorecon
Change SELinux context or restore default SELinux context of files
newrole
Switch SELinux role for a shell
setcon
Set SELinux context of a process
runcon
Switch SELinux context for a command
Notes
Type enforcement
- “Implementing TE gives priority to mandatory access control (MAC) over discretionary access control (DAC).”
- “Type enforcement implementation is a prerequisite for MAC, and a first step before multilevel security (MLS) or its replacement multi categories security (MCS). It is a complement of role-based access control (RBAC).”
Role based access control (RBAC)
- “Role-based access control (RBAC) is a policy-neutral access-control mechanism defined around roles and privileges.”
- “Although RBAC is different from MAC and DAC access control frameworks, it can enforce these policies without any complication.”
Mandatory access control (MAC)
- “With mandatory access control, this security policy is centrally controlled by a security policy administrator; users do not have the ability to override the policy and, for example, grant access to files that would otherwise be restricted.”
- “The more recent MAC implementations, such as SELinux and AppArmor for Linux and Mandatory Integrity Control for Windows, allow administrators to focus on issues such as network attacks and malware without the rigor or constraints of MLS.”
Discretionary access control
- “a means of restricting access to objects based on the identity of subjects and/or groups to which they belong”
- “The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control).”
- “There are at least two implementations: with owner (as a widespread example) and with capabilities.”
AppArmor
- “a Linux kernel security module that allows the system administrator to restrict programs’ capabilities with per-program profiles”
- “its development has been supported by Canonical since 2009”
- “AppArmor is offered in part as an alternative to SELinux, which critics consider difficult”
- “Unlike SELinux, which is based on applying labels to files, AppArmor works with file paths.”
- “AppArmor is filesystem-agnostic.”
Smack
- “a Linux kernel security module that protects data and process interaction from malicious manipulation using a set of custom mandatory access control (MAC) rules, with simplicity as its main design goal”
- “Smack has been criticized for being written as a new LSM module instead of an SELinux security policy”