Research and Implementation on Process Access Control Based on SELinux Mandatory Access Control

doi:10.3969/j.issn.1671-1122.2015.12.006

Abstract

Abstract:

In face of the problem that the vulnerabilities of the common service or process in the Linux system are used to cause the system control to be easily lost, the paper proposes a process access control based on SELinux mandatory access control (PBACS), which can do fine-grained access control for files, processes and services, and can effectively mitigate security threats that caused by the vulnerabilities of system services, thus makes the server system more secure. The paper gives functional test and performance test on PBACS. Test result shows that PBACS meets design requirements, and can provide lower access control granularity in system process level. PBACS can be widely applied to reinforce Linux server system.

Key words: process access control, SELinux, mandatory access control, TE model, privilege escalation

CLC Number:

TP309

ZHANG Tao, ZHANG Yong, NING Ge, CHEN Zhong. Research and Implementation on Process Access Control Based on SELinux Mandatory Access Control[J]. Netinfo Security, 2015, 15(12): 34-41.

Figures/Tables 10

References 19

[1]	安天实验室安全研究中心.破壳漏洞(CVE-2014-6271)综合分析[EB/OL]. .
[2]	胡冠宇, 杨明. Linux服务器安全问题的分析与研究[J]. 软件工程师, 2014, 17(8):7-9.
[3]	叶嘉羲,张权,王剑. 基于权限控制和脚本检测的Webview漏洞防护方案研究[J]. 信息网络安全,2015(3):38-43.
[4]	李耀东. Linux操作系统存取访问控制机制的研究[D].北京:北京交通大学, 2008.
[5]	蒋发群, 李艳波. Linux访问控制安全测评[J]. 信息安全与技术, 2010(9):103-106.
[6]	李燕萍, 丁其鹏. SELinux在网络服务安全中的研究与分析[J]. 现代计算机, 2014, 18(10):32-34.
[7]	肖永康, 纪翠玲, 谢宝恂,等. SELinux的安全机制和安全模型[J]. 计算机应用, 2009, 35(29):66-68.
[8]	王静. SELinux的访问控制模型的分析与研究[J]. 计算机安全, 2008(11):39-42.
[9]	Red Hat, Inc. Red Hat Enterprise Linux 6 Security-Enhanced Linux [EB/OL]. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Security-Enhanced_Linux/index.html#mls, 2015-3-5.
[10]	LOSCOCCO P, SMALLEY S. Meeting Critical Security Objectives with Security-Enhanced Linux [EB/OL].https://www.nsa.gov/research/_files/selinux/papers/ottawa01/index.shtml, 2015- 3-5.
[11]	FRANK M, KARL M, DACID C. SELinux by Example Using Security Enhanced Linux[EB/OL]. .
[12]	张涛,牛伟颖,孟正,等. 基于Windows内核模式下进程监控的用户权限控制系统设计与实现[J]. 信息网络安全,2014(4):13-19.
[13]	林尧. 基于LSM的改进型Linux入侵检测系统[D]. 大连:大连理工大学, 2011.
[14]	杨春晖,严承华. 基于进程管理的安全策略分析[J]. 信息网络安全,2014(8):61-66.
[15]	黄涛, 方艳湘. 一种基于进程的访问控制模型的研究[J]. 网络安全技术与应用, 2006(7):78-79.
[16]	刘威鹏, 胡俊, 吕辉军, 等. LSM框架下可执行程序的强制访问控制机制[J]. 计算机工程, 2008, 34(7):160-162.
[17]	倪继利. Linux安全体系分析与编程[M]. 北京:电子工业出版社, 2007.
[18]	刘伟, 孙玉芳, 叶以民. 基于角色的访问控制模型在安全操作系统中的实现[D].北京:中国科学院软件研究所, 2003.
[19]	姜华. SELinux中基于角色的访问控制技术研究[D]. 武汉:华中科技大学, 2009.