A self-study-based configuration method of Linux security policy

A security policy configuration method, applied in program control devices, digital transmission systems, electrical components, etc. It addresses problems such as the complexity of the SELinux configuration process, the difficulty administrators face in configuring security correctly, and subjects failing to work normally. It simplifies configuration, reduces human error, and improves security.

Active Publication Date: 2016-08-10
CHINA ELECTRIC POWER RES INST +2

AI Technical Summary

Problems solved by technology

[0006] Due to the complexity of the Linux operating system itself and the diversity of upper-layer applications, the configuration process of SELinux is extremely complicated.
Moreover, SELinux touches every part of the lower layers of the operating system, which makes it harder for the configuration administrator to configure security correctly. At the same time, how to assign reasonable permissions to each subject in the operating system is the first problem the configuration administrator must consider. This process follows the principle of minimum authority (least privilege): the authority assigned to a subject must just meet the subject's legitimate access requirements. Granting more than this creates potential security risks, and granting less causes the subject to fail to work normally.
[0007] To sum up, building a stable and secure SELinux policy for a brand new business system is a challenge for every configuration administrator.

Examples


Embodiment Construction

[0040] The specific implementation manners of the present invention will be further described in detail below in conjunction with the accompanying drawings.

[0041] SELinux access control rules are stored in security policy files. Policy files exist in binary and source form. The source is written in the policy configuration language and is created and maintained by the configuration administrator. The policy configuration tool compiles the source into a binary file. The binary policy is loaded into kernel space during system startup, forms a policy library and cache in memory, and is managed by the SELinux security server.

[0042] For a secure operating system that uses SELinux, after booting, any access request made by the subject to the object will be intercepted by the Hook function of the LSM (Linux Security Module), and at the same time, the corresponding access policy will be obtained through the security server, and decisi...


Abstract

The invention provides a self-learning-based Linux security policy configuration method that addresses the difficulty of configuring Linux security policy and simplifies the system configuration process. In this method, a policy study module is embedded in the security server area of Security-Enhanced Linux (SELinux). The module provides the configuration administrator with an automatic learning switch, and the security server decides whether to generate access control policy automatically according to the state of that switch. When the switch is on, all access requests between subjects and objects intercepted by the LSM are recorded, the corresponding access control policies are generated automatically, and the requests are allowed through. When the switch is off, the policy study module no longer takes effect, and the security server returns the existing access control policies. The policies generated in self-learning mode all meet the minimum-privilege requirements of the subjects, so security or stability risks caused by errors in manual configuration can be avoided to the greatest extent, and system security can be further improved.
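The switch behaviour described in the abstract can be modelled in user space. The following is an added example, not code from the patent or from SELinux: the `SecurityServer` class, its method names and the sample requests are constructed for illustration, and the output uses the standard `allow` rule syntax of the SELinux policy language.

```python
from collections import defaultdict

# Constructed sample: requests a subject makes while the learning switch is on,
# as (source type, target type, object class, permission).
OBSERVED = [
    ("httpd_t", "httpd_config_t", "file", "open"),
    ("httpd_t", "httpd_config_t", "file", "read"),
    ("httpd_t", "http_port_t", "tcp_socket", "name_bind"),
]

class SecurityServer:
    """Toy model of the security server with the learning switch (not kernel code)."""

    def __init__(self):
        self.learning = False
        # (source type, target type, object class) -> set of allowed permissions
        self.policy = defaultdict(set)

    def access(self, stype, ttype, tclass, perm):
        """Decide one request intercepted by an LSM hook; True means allowed."""
        key = (stype, ttype, tclass)
        if self.learning:
            # Switch on: record the request as a rule and let it through.
            self.policy[key].add(perm)
            return True
        # Switch off: answer only from the existing policy (default deny).
        return perm in self.policy.get(key, ())

    def render(self):
        """Emit the learned rules as policy-language 'allow' statements."""
        return [
            f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
            for (s, t, c), perms in sorted(self.policy.items())
        ]

def learn(requests):
    """Run one learning session over the requests, then switch learning off."""
    server = SecurityServer()
    server.learning = True
    for request in requests:
        server.access(*request)
    server.learning = False
    return server

if __name__ == "__main__":
    print("\n".join(learn(OBSERVED).render()))
```

Because every request is allowed and recorded while the switch is on, the resulting policy is only as tight as the workload exercised during learning, so the learning session should run on a known-clean system performing only its intended functions.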

Description

Technical field

[0001] The invention belongs to the technical field of computer and network security, and in particular relates to a self-study-based Linux security policy configuration method.

Background

[0002] With the increasing popularity of the Linux operating system, its security issues have attracted more and more attention. SELinux is the Mandatory Access Control (MAC) system provided in version 2.6 of the Linux kernel.

[0003] In access control, security policies are usually pre-configured by users, or the system itself provides a security policy based on a certain model; a reference monitor then arbitrates requests to access system resources. The purpose of access control is to maintain the confidentiality, integrity and availability of the system.

[0004] SELinux is the most comprehensive and well-tested of the Linux security modules currently available, and it builds on 20 years of MAC research. SELinux incorporates ...


Application Information

Patent Type & Authority: Patents (China)
IPC: IPC(8): G06F9/445, H04L12/24, H04L29/06
Inventor: 时坚邓松张涛林为民李伟伟汪晨周诚管小娟朱其军蒋静
Owner: CHINA ELECTRIC POWER RES INST