(翻译)SELinux 概念的直观解释

来自Android官网文章 Android 中的安全增强型 Linux 参考资料推荐

SELinux 直观操作指南

*all cartoons by Máirín Duffy

Image by : Opensource.com

We are celebrating the SELinux 10th year anversary this year. Hard to believe it. SELinux was first introduced in Fedora Core 3 and later in Red Hat Enterprise Linux 4. For those who have never used SELinux, or would like an explanation...

难以置信,到2013年,SELinux已经诞生10年了。起初是Fedora Core 3 引进了SELinux,随后又被Red Hat Enterprise Linux 4引进。值得写篇文章给想要了解SELinux的初学者来庆祝一下...

SELinux is a labeling system. Every process has a label. Every file/directory object in the operating system has a label. Even network ports, devices, and potentially hostnames have labels assigned to them. We write rules to control the access of a process label to an a object label like a file. We call this policy. The kernel enforces the rules. Sometimes this enforcement is called Mandatory Access Control (MAC).


The owner of an object does not have discretion over the security attributes of a object. Standard Linux access control, owner/group + permission flags like rwx, is often called Discretionary Access Control (DAC). SELinux has no concept of UID or ownership of files. Everything is controlled by the labels. Meaning an SELinux system can be setup without an all powerful root process.

在SELinux中,用户甚至不能对其所拥有的对象自由访问。标准的Linux访问控制模型是基于用户/用户组 + 权限标记如rwx,一般被称为DAC,即“自主访问控制”。SELinux并没有标准Linux访问控制中的UID概念,或文件所属的用户/用户组概念,从而也没有了拥有一切权利的root进程的概念,而是所有操作都由标签控制。

Note: SELinux does not let you side step DAC Controls. SELinux is a parallel enforcement model. An application has to be allowed by BOTH SELinux and DAC to do certain activities. This can lead to confusion for administrators because the process gets Permission Denied. Administrators see Permission Denied means something is wrong with DAC, not SELinux labels.

Note: SELinux并不是要摒弃DAC控制模型。它是一种和DAC控制模型并存的强制执行模型。一个应用要进行操作,必须同时在DAC和MAC模型下取得权限。这种情况下进程操作遇到Permission Denied,可能会给管理员带来困惑,不过SELinux标签导致的问题,并不会出现Permission Denied情况,只有DAC模型下会遇到Permission Denied。

Type enforcement

Lets look a little further into the labels. The SELinux primary model or enforcement is called type enforcement. Basically this means we define the label on a process based on its type, and the label on a file system object based on its type.




Imagine a system where we define types on objects like cats and dogs. A cat and dog are process types.



We have a class of objects that they want to interact with which we call food. And I want to add types to the food, cat_food and dog_food.



As a policy writer, I would say that a dog has permission to eat dog_chow food and a cat has permission to eat cat_chow food. In SELinux we would write this rule in policy.

作为策略制定者,我会让一个dog对象(一条狗)有吃种类为“dog_chow” 、类型为“food”的对象(狗粮)的权限,让一个cat对象(一只猫)有吃种类为“cat_chow”、类型为“food”的对象(猫粮)的权限。在SELinux中,这个规则要这样写进“策略”中:

allow cat cat_chow:food eat;
allow dog dog_chow:food eat;

With these rules the kernel would allow the cat process to eat food labeled cat_chow and the dog to eat food labeled dog_chow.



But in an SELinux system everything is denied by default. This means that if the dog process tried to eat the cat_chow, the kernel would prevent it.


Likewise cats would not be allowed to touch dog food.

类似的“cat”类型的进程也不能去对“dog_chow” “food”做“eat”操作。

Real world

We label Apache processes as httpd_t and we label Apache content as httpd_sys_content_t and httpd_sys_content_rw_t. Imagine we have credit card data stored in a mySQL database which is labeled msyqld_data_t. If an Apache process is hacked, the hacker could get control of the httpd_t process and would be allowed to read httpd_sys_content_t files and write to httpd_sys_content_rw_t. But the hacker would not be allowed to read the credit card data (mysqld_data_t) even if the process was running as root. In this case SELinux has mitigated the break in.



MCS enforcement


Above, we typed the dog process and cat process, but what happens if you have multiple dogs processes: Fido and Spot. You want to stop Fido from eating Spot's dog_chow.




One solution would be to create lots of new types, like Fido_dog and Fido_dog_chow. But, this will quickly become unruly because all dogs have pretty much the same permissions.

一种办法是定义更多新的类型,如定义新的进程类型Fido_dog,以及新的food种类 Fido_dog_chow。但是你很快会发现这样的方法可操作性太差,因为所有的dog类型都需要类似的权限。每个新的dog进程类型都定义一个新的food种类与之对应,是多么令人抓狂的事。

To handle this we developed a new form of enforcement, which we call Multi Category Security (MCS). In MCS, we add another section of the label which we can apply to the dog process and to the dog_chow food. Now we label the dog process as dog:random1 (Fido) and dog:random2 (Spot).

为了处理这种情况,SELinux中有一种新的强制控制模型,称为MCS (Multi Category Security)(多类别安全)。在MCS中,标签中增加了另外的字段,该字段可以同时赋予dog进程和dog_chow food对象。对于两个dog进程设置如下标签:dog:random1(Fido进程)和dog:random2(Spot进程)。

We label the dog chow as dog_chow:random1 (Fido) and dog_chow:random2 (Spot).

对于两个food对象设置如下标签:dog_chow:random1Fidofood)和 dog_chow:random2Spotfood

MCS rules say that if the type enforcement rules are OK and the random MCS labels match exactly, then the access is allowed, if not it is denied.


Fido (dog:random1) trying to eat cat_chow:food is denied by type enforcement.
Fido (dog:random1) is allowed to eat dog_chow:random1.
Fido (dog:random1) denied to eat spot's (dog_chow:random2) food.

Real world

In computer systems we often have lots of processes all with the same access, but we want them separated from each other. We sometimes call this a multi-tenant environment. The best example of this is virtual machines. If I have a server running lots of virtual machines, and one of them gets hacked, I want to prevent it from attacking the other virtual machines and virtual machine images. But in a type enforcement system the KVM virtual machine is labeled svirt_t and the image is labeled svirt_image_t. We have rules that say svirt_t can read/write/delete content labeled svirt_image_t. With libvirt we implemented not only type enforcement separation, but also MCS separation. When libvirt is about to launch a virtual machine it picks out a random MCS label like s0:c1,c2, it then assigns the svirt_image_t:s0:c1,c2 label to all of the content that the virtual machine is going to need to manage. Finally, it launches the virtual machine as svirt_t:s0:c1,c2. Then, the SELinux kernel controls that svirt_t:s0:c1,c2 can not write to svirt_image_t:s0:c3,c4, even if the virtual machine is controled by a hacker and takes it over. Even if it is running as root.

在计算机系统中,经常有很多进程拥有相同的访问权限的情况,但是我们又想要让其彼此有互相独立的访问权限。这种情况通常被称为多租户环境。最好的例子就是虚拟机系统。例如一台服务器上运行着很多虚拟机,如果其中一个虚拟机被入侵,我们肯定希望其他的虚拟机及其镜像不受这次入侵的影响。但是在基于类型的强制访问系统中,KVM虚拟机是被赋予svirt_t标签的,其镜像被赋予标签svirt_image_t。对应的规则是svirt_t 可以 read/write/delete 有标签svirt_image_t的内容,这样是无法满足前面描述的安全需求的。不过libvirt不仅实现了基于类型的强制访问模型,还实现了MCS机制。当libvirt启动一个虚拟机进程时,该机制会随机生成一个类似于 s0:c1,c2的MCS标签,然后给这台虚拟机将要管理的内容都赋予标签svirt_t:s0:c1,c2标签。最后,该虚拟机进程被赋予了标签:svirt_t:s0:c1,c2。这样,即使拥有root权限的虚拟机(标签为svirt_t:s0:c1,c2)被黑客控制,SELinux kernel也可以拒绝svirt_t:s0:c1,c2标签的进程访问标签为svirt_image_t:s0:c3,c4的内容。

We use similar separation in OpenShift. Each gear (user/app process)runs with the same SELinux type (openshift_t). Policy defines the rules controlling the access of the gear type and a unique MCS label to make sure one gear can not interact with other gears.

Watch this short video on what would happen if an Openshift gear became root.


这个短视频展示了如果一个Openshift gear变成root权限会发生什么。

MLS enforcement

Another form of SELinux enforcement, used much less frequently, is called Multi Level Security (MLS); it was developed back in the 60s and is used mainly in trusted operating systems like Trusted Solaris.

The main idea is to control processes based on the level of the data they will be using. A *secret *process can not read top secret data.

MLS is very similar to MCS, except it adds a concept of dominance to enforcement. Where MCS labels have to match exactly, one MLS label can dominate another MLS label and get access.

MLS 强制执行模型(多级别安全模型)

另一种SELinux强制执行模型用的比较少,称为MLS(Multi Level Security)强制执行模型;这种模型开发于60年代,主要用于可信操作系统例如Trusted Solaris。

主要思想是基于进程要访问数据的安全级别来进行控制。一个secret级别的进程不能读取top secret级别的数据。



Instead of talking about different dogs, we now look at different breeds. We might have a Greyhound and a Chihuahua.



We might want to allow the Greyhound to eat any dog food, but a Chihuahua could choke if it tried to eat Greyhound dog food.

我们想要让Greyhound可以吃任何dog food,但是一只Chihuahua dog不能去吃Greyhound dog food,因为这样可能会导致Chihuahua窒息而死。

We want to label the Greyhound as dog:Greyhound and his dog food as dog_chow:Greyhound, and label the Chihuahua as dog:Chihuahua and his food as dog_chow:Chihuahua.

我们给Greyhound赋予标签dog:Greyhound,对应的dog food 赋予标签dog_chow:Greyhound,赋予Chihuahua dog:Chihuahua标签,对应的dog food 赋予dog_chow:Chihuahua标签。

With the MLS policy, we would have the MLS Greyhound label dominate the Chihuahua label. This means dog:Greyhound is allowed to eat dog_chow:Greyhound and dog_chow:Chihuahua.

在MLS策略下,我们让MLS Greyhound 标签支配Chihuahua 标签。这意味着dog:Greyhound 允许吃dog_chow:Greyhounddog_chow:Chihuahua。(译注:可以认为Greyhound的级别比Chihuahua的级别高)

But dog:Chihuahua is not allowed to eat dog_chow:Greyhound.

但是 dog:Chihuahua 却不能吃dog_chow:Greyhound

Of course, dog:Greyhound and dog:Chihuahua are still prevented from eating cat_chow:Siamese by type enforcement, even if the MLS type Greyhound dominates Siamese.


Real world

I could have two Apache servers: one running as httpd_t:TopSecret and another running as httpd_t:Secret. If the Apache process httpd_t:Secret were hacked, the hacker could read httpd_sys_content_t:Secret but would be prevented from reading httpd_sys_content_t:TopSecret.



However, if the Apache server running httpd_t:TopSecret was hacked, it could read httpd_sys_content_t:Secret data as well as httpd_sys_content_t:TopSecret.


We use the MLS in military environments where a user might only be allowed to see secret data, but another user on the same system could read top secret data.



SELinux is a powerful labeling system, controlling access granted to individual processes by the kernel. The primary feature of this is type enforcement where rules define the access allowed to a process is allowed based on the labeled type of the process and the labeled type of the object. Two additional controls have been added to separate processes with the same type from each other called MCS, total separtion from each other, and MLS, allowing for process domination.




  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 217,657评论 6 505
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 92,889评论 3 394
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 164,057评论 0 354
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 58,509评论 1 293
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 67,562评论 6 392
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 51,443评论 1 302
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 40,251评论 3 418
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 39,129评论 0 276
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 45,561评论 1 314
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 37,779评论 3 335
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 39,902评论 1 348
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 35,621评论 5 345
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 41,220评论 3 328
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 31,838评论 0 22
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 32,971评论 1 269
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 48,025评论 2 370
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 44,843评论 2 354