SELinux security domains

3

I am studying SELinux, but I cannot find any clear definition of security domains. What is a security domain, and how does it differ from a security context?

by Gohar 09.04.2014 / 12:59

1 answer

1

domains

From the Gentoo Wiki topic titled: 2. SELinux Concepts.

As expected, the security context of the user (to be more specific, the domain in which it resides) has write access to the domain of the target's directories. The notion of domain is frequently used in SELinux documentation and refers to the type assigned to a process. BTW, as files do not have roles, they are given the default object_r role by SELinux.

The key part of that paragraph is this sentence:

The notion of domain is frequently used in SELinux documentation and refers to the type assigned to a process

types

If you now look at what types are, from this section of the same topic: 2.b. Security Contexts - Users, Roles, Domains, Sensitivities and Categories

type

This is the type assigned to the resource and is the key to SELinux' enforcement rules

Putting it together

Finally, if you look at this section titled: 2.c. Type Enforcements / Domain Types, it connects the dots:

To explain how the permission rules work and how this is enforced through the security contexts, let's start from the last definition in the context (the type) and work our way forward through the roles and users.

  • A SELinux type is a particular label assigned to a resource. The passwd command for instance is labeled with the passwd_exec_t type.
  • A SELinux domain is the security state of a process and identifies the rights and permissions it has. It is most often referred to by its type declaration. For instance, for a running passwd command, its domain is passwd_t.

An example for the *passwd_t* domain would be the permissions granted between the *passwd_t* domain and the *shadow_t* type (used by the /etc/shadow file).

by 13.04.2014 / 08:35
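As an added example, not part of the answer above or of the Gentoo handbook: a short Python script that parses security contexts from constructed `ps -eZ` and `ls -Z` output, reports the domain of each process (the type field of its context) and the type of each file (which carries the object_r role), and then checks a constructed toy allow-rule set in the passwd_t / shadow_t spirit of the quoted text. The sample output lines and the rule set are assumptions for illustration, not real policy.

```python
from collections import namedtuple

# user:role:type[:level]; files get the object_r role, processes live in a domain (their type)
Context = namedtuple("Context", "user role type level")

def parse_context(ctx):
    # The level may itself contain ':' (e.g. "s0-s0:c0.c1023"), so split at most 3 times
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {ctx!r}")
    return Context(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else "")

# Constructed lines in the shape of `ps -eZ` (LABEL PID TTY TIME CMD) and `ls -Z` (LABEL PATH)
PS_OUTPUT = """\
system_u:system_r:sshd_t:s0-s0:c0.c1023 812 ? 00:00:00 sshd
unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 1337 pts/0 00:00:00 passwd
"""
LS_OUTPUT = """\
system_u:object_r:passwd_exec_t:s0 /usr/bin/passwd
system_u:object_r:shadow_t:s0 /etc/shadow
"""

def process_domains(ps_output):
    """Map command name -> domain, i.e. the type field of the process context."""
    out = {}
    for line in ps_output.splitlines():
        fields = line.split()
        out[fields[-1]] = parse_context(fields[0]).type
    return out

def file_types(ls_output):
    """Map path -> type; files carry the object_r role and have no domain."""
    out = {}
    for line in ls_output.splitlines():
        ctx, path = line.split(None, 1)
        c = parse_context(ctx)
        if c.role != "object_r":
            raise ValueError(f"unexpected role on file {path}: {c.role}")
        out[path] = c.type
    return out

# Constructed toy allow rules, not real policy: (domain, target type, class) -> permissions
ALLOW_RULES = {
    ("passwd_t", "shadow_t", "file"): {"read", "write", "create", "rename", "unlink"},
}

def is_allowed(domain, target_type, cls, perm):
    """Type enforcement decides on domain vs. type, never on user or role alone."""
    return perm in ALLOW_RULES.get((domain, target_type, cls), set())
```

On a real system the same split applies to the live output of `ps -eZ` and `ls -Z`; the third colon-separated field is the domain for a process and the type for a file.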