Section 4.1. Purpose of Object Classes in SELinux

Previous page
Table of content
Next page

4.1. Purpose of Object Classes in SELinux

Object classes and their associated permissions are the basis for access control in SELinux. Object classes represent categories of resources such as files and sockets, and permissions represent accesses to those resources such as reading or sending. Understanding object classes and permissions is a difficult aspect of SELinux because it requires both SELinux and Linux knowledge.

An object class represents all resources of a certain kind (for example, files or sockets). An instance of an object class (for example, a specific file or socket) is simply called an object. Often the terms object class and object are used interchangeably, but it is important to understand the difference. Object class refers to the entire category of resources (files); object refers to a specific instance of the object class (/etc/passwd).

As discussed in Chapter 2, "Concepts," access to objects is expressed in the policy through permissions to object classes that have a specified type(s). To illustrate, let's consider an allow rule from Chapter 2:

allow user_t bin_t : file {read execute getattr};


In this rule, processes with the type user_t (that is, the source or subject) are allowed to read, execute, and get attributes for all objects of class file that have the target type (bin_t) in their security context. The object class file specifies the category of resource, and bin_t specifies which instances of that category of resources to which this rule applies (that is, those file objects that have the type bin_t). It does not apply to objects that have bin_t type that are not of file class nor to file objects that do not have bin_t as their type.

The permissions in this ruleread, execute, and getattrdefine the access allowed to those objects by subjects (implicitly process objects) that have the type user_t. Each of these permissions, which must be valid for the file object class, represent some form of access to the objects. (For example, the read permission is required to use the open(2) system call to open a file for reading, use the read(2) system call on an opened file, and so on.) The set of permissions defined for an object class (also called an access vector) represents all the possible access that can be allowed to the resources represented by that object class.

The set of object classes available depends on the version of SELinux and its Linux kernel. Over time, new and different object classes have evolved to address new and changed features of the kernel. For example, newer versions of the Linux kernel have introduced a new Netlink-specific socket for controlling the audit framework. [1]. For those kernels that support the Netlink socket, there is an SELinux object class with appropriate permissions defined.

[1] Information about and source code for the Linux audit framework and tools is available at http://people.redhat.com/sgrubb/audit/



Previous page
Table of content
Next page
SELinux by Example(c) Using Security Enhanced Linux
SELinux by Example: Using Security Enhanced Linux
ISBN: 0131963694
EAN: 2147483647
Year: 2007
Pages: 154
Authors: Frank Mayer, Karl MacMillan, David Caplan
BUY ON AMAZON
The CISSP and CAP Prep Guide: Platinum Edition
Microsoft Windows Server 2003(c) TCP/IP Protocols and Services (c) Technical Reference
Java How to Program (6th Edition) (How to Program (Deitel))
Ruby Cookbook (Cookbooks (OReilly))
Professional Struts Applications: Building Web Sites with Struts ObjectRelational Bridge, Lucene, and Velocity (Experts Voice)
File System Forensic Analysis
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy