Difference between revisions of "NB RBAC"

From SELinux Wiki
= Role-Based Access Control (RBAC) =

To further control access to TE domains SELinux makes use of role-based access control (RBAC). This feature allows SELinux users to be associated to one or more roles, where each role is then associated to one or more domain types as shown in the [http://taiga.selinuxproject.org/~rhaines/diagrams/4-RBAC.png Role Based Access Control] diagram. Note that GNU / Linux users are not a direct part of the RBAC feature; they are associated to SELinux users via SELinux-specific commands<ref name="ftn6"><sup>There are other SELinux utilities that can manage users etc., however this Notebook will only use the core utilities.</sup></ref> such as:

* '''semanage login''' - Manages the association of GNU / Linux users (or groups of users) to SELinux users.
* '''semanage user''' - Manages the association of SELinux users to roles.

The [http://taiga.selinuxproject.org/~rhaines/diagrams/4-RBAC.png Role Based Access Control] diagram shows how the SELinux user and roles are associated within the basic loadable modules that form the simple message filter exercise described in Volume 2.

The SELinux role name is the second component of a 'security context' and by convention SELinux roles end in '<tt>_r</tt>'; however, this is not enforced by any SELinux service (i.e. the suffix is only a naming aid that identifies the role component). CIL with namespaces does make identification of a role easier, for example a role could be declared as <tt>unconfined.role</tt>.

SELinux users can be equated to groups or classes of user; for example in the Reference Policy there is <tt>user_u</tt> for general users, with <tt>staff_u</tt> and <tt>sysadm_u</tt> for more specialised users. There is also a <tt>system_u</tt> defined that must never be associated to a GNU / Linux user as it is a special identity for system processes and objects.

It is possible to add constraints and bounds on roles as discussed in the [[NB_TE | Type Enforcement]] section.
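The following is an added worked example, not part of this Notebook page or the SELinux project's own tooling. It models the RBAC chain described above in Python: a GNU / Linux login is mapped to an SELinux user (the shape of <tt>semanage login -l</tt> output), the SELinux user is mapped to its authorised roles (the shape of <tt>semanage user -l</tt> output), and each role is mapped to the domain types it may enter. The two tables and the <tt>ROLE_TYPES</tt> role-to-type mapping are constructed sample data, not taken from a real system or from the Reference Policy; the function names are this example's own. Given a login name and a security context, <tt>check_context</tt> reports every link in the chain that would not authorise that context, and <tt>logins_mapped_to_system_u</tt> flags the mis-configuration the text warns against (a login associated to <tt>system_u</tt>).

```python
"""Model of the SELinux RBAC chain: login -> SELinux user -> roles -> types.

All tables below are constructed sample data in the shape of
'semanage login -l' / 'semanage user -l' output; they are not real
system output and the role/type mapping is hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample of `semanage login -l`: Login Name, SELinux User, MLS/MCS Range
LOGIN_TABLE = """\
__default__          user_u               s0
root                 sysadm_u             s0-s0:c0.c1023
alice                staff_u              s0-s0:c0.c1023
"""

# Constructed sample of `semanage user -l`:
# SELinux User, Prefix, MLS/MCS Level, MLS/MCS Range, SELinux Roles...
USER_TABLE = """\
staff_u              user       s0         s0-s0:c0.c1023   staff_r sysadm_r
sysadm_u             user       s0         s0-s0:c0.c1023   sysadm_r
system_u             user       s0         s0-s0:c0.c1023   system_r
user_u               user       s0         s0               user_r
"""

# Hypothetical role -> domain type authorisations (policy 'role ... types' statements)
ROLE_TYPES: Dict[str, Set[str]] = {
    "user_r": {"user_t"},
    "staff_r": {"staff_t"},
    "sysadm_r": {"sysadm_t"},
    "system_r": {"init_t", "kernel_t"},
}


@dataclass(frozen=True)
class Context:
    """The components of a security context 'user:role:type[:level]'."""
    user: str
    role: str
    type: str
    level: str = ""


def parse_context(label: str) -> Context:
    """Split a security context; maxsplit keeps an MLS range like s0-s0:c0.c1023 whole."""
    parts = label.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {label!r}")
    level = parts[3] if len(parts) == 4 else ""
    return Context(parts[0], parts[1], parts[2], level)


def parse_login_table(text: str) -> Dict[str, str]:
    """Map each login name (or __default__) to its SELinux user."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            mapping[fields[0]] = fields[1]
    return mapping


def parse_user_table(text: str) -> Dict[str, Set[str]]:
    """Map each SELinux user to the set of roles it is authorised for."""
    roles: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5:          # roles are everything after the four fixed columns
            roles[fields[0]] = set(fields[4:])
    return roles


def selinux_user_for(login: str, logins: Dict[str, str]) -> str:
    """Resolve a login to its SELinux user, falling back to __default__."""
    return logins.get(login, logins.get("__default__", "user_u"))


def check_context(login: str, label: str,
                  logins: Optional[Dict[str, str]] = None,
                  users: Optional[Dict[str, Set[str]]] = None,
                  role_types: Optional[Dict[str, Set[str]]] = None) -> List[str]:
    """Return the list of RBAC links that do not authorise `label` for `login` (empty = allowed)."""
    logins = parse_login_table(LOGIN_TABLE) if logins is None else logins
    users = parse_user_table(USER_TABLE) if users is None else users
    role_types = ROLE_TYPES if role_types is None else role_types
    ctx = parse_context(label)
    problems: List[str] = []
    expected = selinux_user_for(login, logins)
    if ctx.user != expected:
        problems.append(f"login {login} maps to {expected}, not {ctx.user}")
    if not ctx.role.endswith("_r"):   # convention only, never enforced by SELinux itself
        problems.append(f"role {ctx.role} does not follow the _r naming convention")
    if ctx.role not in users.get(ctx.user, set()):
        problems.append(f"role {ctx.role} is not authorised for SELinux user {ctx.user}")
    if ctx.type not in role_types.get(ctx.role, set()):
        problems.append(f"type {ctx.type} is not authorised for role {ctx.role}")
    return problems


def logins_mapped_to_system_u(logins: Dict[str, str]) -> List[str]:
    """Logins associated to system_u: a mis-configuration, as system_u is for system processes only."""
    return sorted(name for name, seuser in logins.items() if seuser == "system_u")


if __name__ == "__main__":
    for login, label in [("alice", "staff_u:staff_r:staff_t:s0"),
                         ("alice", "staff_u:user_r:user_t:s0"),
                         ("bob", "user_u:user_r:user_t:s0")]:
        print(login, label, check_context(login, label) or "allowed")
```

The check is deliberately split into independent links (login to user, user to role, role to type) so that each reported problem names the <tt>semanage</tt> mapping or policy statement that would have to change; the <tt>_r</tt> test is reported separately because, as the text states, it is a naming convention rather than something the kernel enforces.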

Revision as of 13:03, 5 December 2014
