摘要
SELinux是美国安全局发布的一个集成在Linux内核中的新型强制访问控制(MAC)机制。为了提供细粒度的访问控制,SELinux采用RBAC模型和TE模型为主体和客体之间的交互设计了大量的安全策略,有效解决了自主访问控制(DAC)的脆弱性和传统MAC的不灵活性等问题。详细研究了SELinux的体系结构、安全模型和安全上下文,并以Apache服务器为例,介绍了如何定制SELinux以实现安全增强。
Security-enhanced Linux (SELinux) is a modern Mandatory Access Control (MAC) mechanism in the Linux kernel, which was spearheaded by the Nation Security Agency (NSA) of America. To support fine-grained access control, SELinux implements a combination of Type Enforcement (TE) and Role-based Access Control (RBAC) to design a lot of security policies for the interactions between subjects and objects. It effectively resolves the weakness of the Discretionary Access Control (DAC) and the inflexibleness of the traditional MAC. The architecture, security models and security context of SELinux was studied in detail, and as an example, how to customize the Apache HTTP SELinux policy to enhance system security was also demonstrated.
出处
《计算机应用》
CSCD
北大核心
2009年第B06期66-68,共3页
journal of Computer Applications
基金
国家自然科学基金资助项目(60603068)
