Selinux Type Enforcement Model Computer Science Essay


Labeling decisions assign default security attributes to new subjects and new objects. SIDs for transient objects (e.g. sockets) are associated with their respective kernel objects. A persistent label mapping determines the security context of every file and directory; it is kept in two files, one mapping inodes to integer persistent security identifiers (PSIDs) and the other mapping PSIDs to security contexts.

File context configuration is logically separate from policy configuration. The file context configuration is applied by the setfiles utility, which assigns security contexts to files based on their pathnames, whereas the policy configuration determines security decisions based on the security attributes.

2. Access Decisions:

An access decision determines whether a permission has been granted for a pair of SIDs and an object class. The operations on an object are controlled by a set of permissions represented as a bitmap known as an access vector. The security server checks the object class against the permissions defined in the policy and returns access vector decisions.

The security server adopts security models in order to control processes and objects in the system. They are:

1.SELinux Type Enforcement Model:

In this model each process and object has a single type attribute in its security context. A single access matrix determines how processes and objects interact with each other, in terms of the permissions specified by the Flask architecture. Users are not associated directly with domains; the RBAC model is used between users and domains.

Configuration of Type Enforcement Model:

The TE configuration uses m4 macros, which are present in the macros directory. Type attributes are declared in attrib.te. General types, and the rules that relate these types, are present in the types directory. The rules and declarations for each domain are present in the domains directory; a domain definition file contains the types associated with that particular domain. Assertions are specified in the assert.te file. System logs, system configuration information, system software and integrity protection of the kernel are all defined by types in the TE configuration.

2.Role-Based Access Control:

The security context of each process contains a role attribute maintained by the RBAC model. RBAC controls the set of roles each user may enter, and each role controls the set of TE domains it may enter.

SELinux maintains a separate user identity attribute, so a Linux user ID and an SELinux user ID can be maintained with a mapping between them.

Configuration of Role-Based Access Control:

The rbac file contains the RBAC configuration, divided into individual roles: system_r is the role in which the entire set of system processes executes. Roles such as user_r, sysadm_r and staff_r are each controlled by the domains defined for them; user_t, sysadm_t and staff_t are the domains which authorize the respective roles.
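The decisions described in the Access Decisions, Type Enforcement and RBAC sections above fit together in a small model. The following is an added example, not code from the essay or from SELinux itself: a toy security server that parses constructed `user`, `role` and `allow` declarations, validates a `user:role:type` context against the RBAC rules, and answers access queries by comparing the requested permissions with the access vector bitmap built from the TE rules. The policy text, object classes, permission lists and contexts are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Added example (not from the essay or from SELinux): a toy model of the
# Type Enforcement and RBAC decisions. Policy, classes and contexts are
# constructed for illustration only.


# Security context as SELinux prints it: user:role:type
@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str


# Per object class, the permissions whose bits make up an access vector.
# Bit i of the vector for a class is permission i in this list.
CLASS_PERMS = {
    "file": ["read", "write", "execute", "getattr"],
    "dir": ["search", "add_name", "remove_name"],
}

# Constructed policy in the shape of TE/RBAC declarations (not a real policy).
POLICY = """
user alice roles { user_r staff_r };
user bob roles { user_r };
role user_r types { user_t };
role staff_r types { user_t staff_t };
allow user_t user_home_t:file { read write getattr };
allow user_t user_home_t:dir { search add_name };
allow staff_t etc_t:file { read getattr };
"""


def perm_bit(cls, perm):
    """Bit position of one permission inside the access vector of a class."""
    return 1 << CLASS_PERMS[cls].index(perm)


def parse_policy(text):
    """Return (user->roles, role->types, (src,tgt,class)->allowed bitmap)."""
    users, roles, av = {}, {}, {}
    for line in text.strip().splitlines():
        line = line.strip().rstrip(";")
        if m := re.fullmatch(r"user (\w+) roles \{ ([\w ]+) \}", line):
            users[m[1]] = set(m[2].split())
        elif m := re.fullmatch(r"role (\w+) types \{ ([\w ]+) \}", line):
            roles[m[1]] = set(m[2].split())
        elif m := re.fullmatch(r"allow (\w+) (\w+):(\w+) \{ ([\w ]+) \}", line):
            key = (m[1], m[2], m[3])
            bits = 0
            for perm in m[4].split():
                bits |= perm_bit(m[3], perm)
            av[key] = av.get(key, 0) | bits  # several rules for one key accumulate
        else:
            raise ValueError("unrecognised policy line: " + line)
    return users, roles, av


def context_is_valid(users, roles, ctx):
    """RBAC check: the user may take the role and the role may enter the type."""
    return ctx.role in users.get(ctx.user, set()) and ctx.type in roles.get(ctx.role, set())


def allowed_vector(av, src_type, tgt_type, cls):
    """TE lookup: the access vector granted by the allow rules (0 if none)."""
    return av.get((src_type, tgt_type, cls), 0)


def vector_to_perms(cls, bits):
    """Decode a bitmap back into permission names, for readable output."""
    return [p for p in CLASS_PERMS[cls] if bits & perm_bit(cls, p)]


def check(users, roles, av, subject, tgt_type, cls, requested):
    """Access decision: (granted, missing permissions). A subject context the
    RBAC rules do not allow is refused outright, as the server would refuse
    to create it."""
    if not context_is_valid(users, roles, subject):
        return False, list(requested)
    granted = allowed_vector(av, subject.type, tgt_type, cls)
    missing = [p for p in requested if not granted & perm_bit(cls, p)]
    return not missing, missing


if __name__ == "__main__":
    users, roles, av = parse_policy(POLICY)
    alice = Context("alice", "user_r", "user_t")
    print(check(users, roles, av, alice, "user_home_t", "file", ["read", "write"]))
    print(check(users, roles, av, alice, "user_home_t", "file", ["execute"]))
    print(vector_to_perms("file", allowed_vector(av, "user_t", "user_home_t", "file")))
```

Note the order of the two checks in `check`: the RBAC validation of the context comes first, so a user who is not authorised for a role never reaches the TE lookup, even if the domain itself would have been allowed the access.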

Configuring File Contexts

The policy/file_contexts subdirectory contains the file contexts configuration; each program domain has a specific configuration file (program/*.fc). Extended attributes can be updated at any time by running fixfiles relabel. To restore the labels of a list of files, the restorecon utility must be executed.
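To make the pathname-based labeling concrete, here is an added example (not code from the essay, nor from setfiles or restorecon) that resolves a path against file_contexts-style entries and plans a relabel the way a dry run of restorecon would. The entries, paths and labels are constructed; the matching rules it implements are the two from file_contexts(5): the regular expression must match the whole path, and when several entries match, the last one in the file wins.

```python
import re

# Added example (not from the essay or from SELinux's setfiles/restorecon):
# a resolver for file_contexts-style entries plus a dry-run relabel planner.
# All entries, paths and labels are constructed.

# Each entry: regex, optional file-type flag (-- regular file, -d directory),
# and the security context to assign. <<none>> means "leave unlabeled".
FILE_CONTEXTS = """
/.*                    system_u:object_r:default_t
/etc(/.*)?             system_u:object_r:etc_t
/etc/shadow        --  system_u:object_r:shadow_t
/home/[^/]+(/.*)?      system_u:object_r:user_home_t
/usr/bin(/.*)?         system_u:object_r:bin_t
/tmp/.*                <<none>>
"""


def parse_file_contexts(text):
    specs = []
    for line in text.strip().splitlines():
        parts = line.split()
        regex = parts[0]
        ftype = parts[1] if len(parts) == 3 else None
        context = parts[-1]
        specs.append((re.compile(regex), ftype, context))
    return specs


def expected_context(specs, path, ftype):
    """Resolve the label for a path. The regex must match the whole path
    (setfiles anchors it at both ends) and, when several entries match,
    the last one in the file wins, as file_contexts(5) specifies."""
    winner = None
    for regex, want_type, context in specs:
        if want_type is not None and want_type != ftype:
            continue
        if regex.fullmatch(path):
            winner = context
    return winner


def plan_relabel(specs, current_labels):
    """Dry-run restorecon: map path -> (current, expected) for every file
    whose on-disk label differs from what file_contexts says it should be."""
    changes = {}
    for (path, ftype), label in current_labels.items():
        want = expected_context(specs, path, ftype)
        if want is None or want == "<<none>>" or want == label:
            continue
        changes[path] = (label, want)
    return changes


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    # Constructed snapshot of current labels, as if read from the xattrs.
    on_disk = {
        ("/etc/passwd", "--"): "system_u:object_r:default_t",
        ("/etc/shadow", "--"): "system_u:object_r:shadow_t",
        ("/home/alice/notes.txt", "--"): "system_u:object_r:default_t",
    }
    for path, (old, new) in plan_relabel(specs, on_disk).items():
        print(f"{path}: {old} -> {new}")
```

The file-type flag matters: a directory named `/etc/shadow` would not pick up the `shadow_t` entry, because that entry is restricted to regular files, and would fall back to the general `/etc(/.*)?` entry instead.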


SELinux is not suggested for production deployment; it is used for developing and testing. It is helpful in preventing unauthorized process behaviour such as changing data or reading another process's data. We can now prevent system damage from flawed programs by examining the role, the user, the domain, and how the domain is further divided into types. The system can be configured by separating object control and the security server in order to support different patterns of domains and types.


In the Linux 2.4 and 2.6 series of kernels a framework for packet manipulation, known as Netfilter, is built in. IPTables and the packet selection system enable the Linux kernel to implement firewalling, Port Address Translation, Network Address Translation and other useful network data manipulations. Netfilter is implemented in the Linux kernel by accepting callback functions, so IPTables inherits the flexibility of the kernel module system. When a packet enters a module, Netfilter allows further manipulations such as dropping the packet, stopping further processing, or repeating the callback function; these manipulations are directed by user-space programs. Netfilter hooks are present throughout the Linux networking code: when a packet arrives at the system, before routing decisions are made, the NF_IP_PRE_ROUTING hook is called. In Netfilter, IPTables are organised as a set of layers. It has two layers:

Table layer:

Here the configuration data is processed or manipulated by IPTables, which contains chains of rules; the manipulation is done according to the numeric order of the rules within each chain. The filter table contains three chains:

a.Input Chain:

This chain is applied to packets sent to the kernel of the machine on which Linux is running.

b.Forward Chain:

When a packet enters the Linux machine but the machine is neither its source nor its destination, this chain is applied to the packet.

c.Output Chain:

This chain is applied to a packet when it is destined for another location.

Chains follow a first-match rule: if a rule matches the packet, all the actions of that rule are applied and further processing of the chain stops.

The filter table performs the actions of the chains in order to filter the data, using the ACCEPT, DROP, REJECT and LOG actions. In the ACCEPT action the packet is accepted and given permission. In the DROP action the packet is dropped and further processing stops. The REJECT action is similar to DROP, but an error message is also sent to the host. Finally, the LOG action collects log data for the permitted packets.
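The chain selection, first-match traversal and the four filter actions above can be exercised in a small simulator. The following is an added example, not code from the essay or from iptables: a constructed host address set, a constructed rule set, and a `filter_packet` function that picks the chain the way the routing decision would (to us: INPUT, from us: OUTPUT, otherwise FORWARD), walks the chain in order, stops at the first terminating match, treats LOG as non-terminating (it records the packet and continues down the chain, as the real LOG target does), and falls back to the chain's default policy when nothing matches.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not from the essay or from iptables): a simulator of the
# filter table's INPUT/FORWARD/OUTPUT chains with first-match semantics.
# Addresses, rules and packets are constructed for illustration.

LOCAL_ADDRS = {"192.0.2.10"}          # constructed: addresses of this host


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int = 0


@dataclass
class Rule:
    target: str                        # ACCEPT, DROP, REJECT or LOG
    proto: Optional[str] = None        # None means "any"
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt):
        checks = ((self.proto, pkt.proto), (self.src, pkt.src),
                  (self.dst, pkt.dst), (self.dport, pkt.dport))
        return all(want is None or want == have for want, have in checks)


def select_chain(pkt):
    """Routing decides the chain: to us -> INPUT, from us -> OUTPUT, else FORWARD."""
    if pkt.dst in LOCAL_ADDRS:
        return "INPUT"
    if pkt.src in LOCAL_ADDRS:
        return "OUTPUT"
    return "FORWARD"


def traverse(rules, pkt, policy, log):
    """Walk a chain in order. The first matching terminating rule decides
    (ACCEPT/DROP/REJECT); LOG records the packet and lets it continue.
    If nothing matches, the chain's default policy applies."""
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            log.append(f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
            continue
        return rule.target
    return policy


def filter_packet(table, policies, pkt):
    """Return (chain, verdict, log lines) for one packet through the filter table."""
    chain = select_chain(pkt)
    log = []
    verdict = traverse(table[chain], pkt, policies[chain], log)
    return chain, verdict, log


# Constructed rule set: accept SSH in, log then reject telnet, drop the rest
# inbound by policy; forward nothing; allow all outbound.
TABLE = {
    "INPUT": [
        Rule("ACCEPT", proto="tcp", dport=22),
        Rule("LOG", proto="tcp", dport=23),
        Rule("REJECT", proto="tcp", dport=23),
    ],
    "FORWARD": [],
    "OUTPUT": [Rule("ACCEPT")],
}
POLICIES = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "DROP"}


if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "192.0.2.10", "tcp", 22),
                Packet("198.51.100.7", "192.0.2.10", "tcp", 23),
                Packet("198.51.100.7", "198.51.100.9", "tcp", 80),
                Packet("192.0.2.10", "198.51.100.9", "tcp", 443)):
        print(filter_packet(TABLE, POLICIES, pkt))
```

The telnet case shows why rule order matters under first match: the LOG rule has to sit before the REJECT rule, because once REJECT matches the chain stops and a LOG placed after it would never run.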

The NAT table:

It is the second table in the IPTables system; like the filter table, it has three chains in its configuration:

a.PREROUTING Chain:

This chain is applied to the packet before the kernel makes its routing decision for the packet.

b.POSTROUTING Chain:

This chain is applied to the packet after the kernel has made its routing decision for the packet.

c.OUTPUT Chain:

This chain is applied when a packet leaves the IPTables system.

The NAT table performs the same actions as the filter table and some further ones: SNAT, DNAT and MASQUERADE. In the SNAT action the packet's source address is changed according to the rule's specification; it is applied in the POSTROUTING chain only. In DNAT the packet's destination address is changed according to the specification; it is applied in the PREROUTING and OUTPUT chains. In MASQUERADE the packet's source address is changed to the IP address of the outgoing interface, since it is designed for NATing connections with dynamically assigned addresses.

The Mangle Table:

It is the final table in IPTables and it is configured with chains just like the previous tables.

a.PREROUTING Chain:

In this chain the packet is manipulated before routing decisions are made.

The mangle table has three actions: MARK, TOS and TTL. In the MARK action the packet is flagged so that it can be matched by other chains. The TOS action manipulates the Type of Service field of the packet header. The TTL action manipulates the Time To Live field of the packet header.

IPTables also provides tracking of entire data streams rather than filtering individual packets, known as connection tracking, which is useful in firewalling the system.
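The NAT table section and the connection-tracking paragraph above describe two halves of one mechanism: a rule rewrites the first packet of a connection, and the tracking table is what lets the replies be mapped back without any rule matching them. The following is an added example, not code from the essay or from Netfilter: a toy NAT table with DNAT in PREROUTING, SNAT or MASQUERADE in POSTROUTING, and a connection-tracking dictionary keyed by the reply tuple. The gateway layout (a LAN behind one public address, with port 80 forwarded to an internal server) and all addresses are constructed.

```python
from dataclasses import dataclass, replace

# Added example (not from the essay or from iptables/Netfilter): a toy NAT
# table with DNAT in PREROUTING, SNAT/MASQUERADE in POSTROUTING, and a
# connection-tracking table that reverses the translation for replies.
# All addresses and rules are constructed.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def flow_key(p):
    return (p.src, p.sport, p.dst, p.dport)


def reverse(p):
    """The tuple a reply to p carries: endpoints swapped."""
    return Packet(p.dst, p.dport, p.src, p.sport)


class NatTable:
    def __init__(self, prerouting, postrouting, iface_addr):
        # prerouting: list of (match_fn, (new_dst, new_dport)) DNAT rules
        # postrouting: list of (match_fn, "SNAT", addr) or (match_fn, "MASQUERADE", None)
        self.prerouting = prerouting
        self.postrouting = postrouting
        self.iface_addr = iface_addr   # current address of the outgoing interface
        self.conntrack = {}            # key of the expected reply -> original packet

    def _new_connection(self, pkt):
        out = pkt
        # PREROUTING: DNAT rewrites the destination before routing.
        for match, (new_dst, new_dport) in self.prerouting:
            if match(out):
                out = replace(out, dst=new_dst, dport=new_dport)
                break
        # (the routing decision happens here)
        # POSTROUTING: SNAT uses a fixed address; MASQUERADE uses whatever
        # address the outgoing interface has at this moment.
        for match, action, addr in self.postrouting:
            if match(out):
                new_src = addr if action == "SNAT" else self.iface_addr
                out = replace(out, src=new_src)
                break
        # Remember how a reply to the translated packet must be mapped back.
        self.conntrack[flow_key(reverse(out))] = pkt
        return out

    def handle(self, pkt):
        """Translate one packet. Replies to tracked connections are mapped
        back to the original endpoints without consulting the rules."""
        original = self.conntrack.get(flow_key(pkt))
        if original is not None:
            return reverse(original)
        return self._new_connection(pkt)


def build_gateway():
    """Constructed gateway: LAN 10.0.0.0/24 masqueraded behind 203.0.113.5,
    with port 80 on the public address forwarded to an internal web server."""
    dnat = [(lambda p: p.dst == "203.0.113.5" and p.dport == 80, ("10.0.0.80", 8080))]
    post = [(lambda p: p.src.startswith("10.0.0."), "MASQUERADE", None)]
    return NatTable(dnat, post, iface_addr="203.0.113.5")


if __name__ == "__main__":
    gw = build_gateway()
    print(gw.handle(Packet("10.0.0.7", 40000, "198.51.100.9", 80)))   # outbound, masqueraded
    print(gw.handle(Packet("198.51.100.9", 80, "203.0.113.5", 40000)))  # reply, mapped back
    print(gw.handle(Packet("198.51.100.20", 5555, "203.0.113.5", 80)))  # inbound, DNATed
    print(gw.handle(Packet("10.0.0.80", 8080, "198.51.100.20", 5555)))  # server reply
```

Changing `iface_addr` between connections shows the difference the text draws between SNAT and MASQUERADE: an existing masqueraded connection keeps the address recorded in the tracking table, while a new one picks up the interface's current address.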


The IPTables/Netfilter framework provides a strong toolkit for the development of network security systems. Network administrators use IPTables to develop comprehensive firewalls with minimum effort.


Network Intrusion Detection Systems (NIDSs) play a vital role in security policies. There are two approaches to detecting malicious activity: anomaly detection and misuse detection. Bro originated as a research system which supports both approaches; its integrated signature matcher supports Snort's capabilities. Bro follows the communication between two endpoints and reconstructs the semantics of the connection, which provides absolute information. The main aim of Bro is to separate mechanism and policy in order to deter attacks. Bro consists of three parts: packet capture, a policy-neutral event engine, and the policy layer. Linux supports Bro, and it has been tested with Ubuntu, Debian, Red Hat and SUSE.

Working of Bro:

Bro receives a copy of all network traffic; the lowest layer passes the actual network packets to the event engine using the libpcap library, which serves as the interface to the various link technologies. The event engine has several analyzers, such as signature matching, anomaly detection and application-layer decoding; it analyzes each packet in terms of its connection and decodes the application-layer protocol. Since the event engine itself is policy-neutral, the policy script processes the events, incorporates context from past events, and executes a program as a form of response.
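The three-part pipeline just described can be shown end to end in miniature. The following is an added example, not code from the essay or from Bro: a constructed list of packet records stands in for what the libpcap layer would deliver; an `EventEngine` class plays the policy-neutral role (it tracks TCP connection state, reassembles the request stream on port 80 and emits `connection_established`, `http_request` and `connection_finished` events, deciding nothing about what is suspicious); and `run_policy` plays the policy-script role, keeping context from past events (a per-connection request counter) and producing notices. The event names, the site rules and all addresses are constructed for illustration.

```python
from collections import defaultdict

# Added example (not from the essay or from Bro): a toy version of the
# capture -> policy-neutral event engine -> policy script pipeline.
# Packet records, event names and site policy are constructed.

# Constructed capture: one TCP connection from 10.0.0.5 to a web server.
CAPTURE = [
    {"src": "10.0.0.5", "sport": 51000, "dst": "192.0.2.80", "dport": 80, "flags": "S", "data": b""},
    {"src": "192.0.2.80", "sport": 80, "dst": "10.0.0.5", "dport": 51000, "flags": "SA", "data": b""},
    {"src": "10.0.0.5", "sport": 51000, "dst": "192.0.2.80", "dport": 80, "flags": "A", "data": b""},
    {"src": "10.0.0.5", "sport": 51000, "dst": "192.0.2.80", "dport": 80, "flags": "PA",
     "data": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
             b"GET /about HTTP/1.1\r\nHost: www.example.test\r\n\r\n"},
    {"src": "10.0.0.5", "sport": 51000, "dst": "192.0.2.80", "dport": 80, "flags": "PA",
     "data": b"GET /admin/config HTTP/1.1\r\nHost: www.example.test\r\n\r\n"},
    {"src": "10.0.0.5", "sport": 51000, "dst": "192.0.2.80", "dport": 80, "flags": "FA", "data": b""},
]


class EventEngine:
    """Mechanism only: tracks connection state, reassembles the request
    stream and emits events. It decides nothing about what is bad."""

    def __init__(self):
        self.handlers = defaultdict(list)
        self.conns = {}

    def on(self, event, handler):
        self.handlers[event].append(handler)

    def emit(self, event, *args):
        for handler in self.handlers[event]:
            handler(*args)

    @staticmethod
    def conn_id(p):
        ends = [(p["src"], p["sport"]), (p["dst"], p["dport"])]
        return tuple(sorted(ends))          # same id for both directions

    def feed(self, p):
        cid = self.conn_id(p)
        st = self.conns.setdefault(cid, {"state": "NEW", "orig": None, "buf": b""})
        flags = p["flags"]
        if "S" in flags and "A" not in flags:
            st["state"], st["orig"] = "SYN_SENT", p["src"]
        elif "S" in flags and "A" in flags and st["state"] == "SYN_SENT":
            st["state"] = "ESTABLISHED"
            self.emit("connection_established", cid, st["orig"])
        # Application-layer decoding of the client-to-server stream on port 80.
        if p["data"] and p["dport"] == 80:
            st["buf"] += p["data"]
            while b"\r\n\r\n" in st["buf"]:
                request, st["buf"] = st["buf"].split(b"\r\n\r\n", 1)
                method, uri, _version = request.split(b"\r\n", 1)[0].decode().split(" ", 2)
                self.emit("http_request", cid, st["orig"], method, uri)
        if "F" in flags and st["state"] != "CLOSED":
            st["state"] = "CLOSED"
            self.emit("connection_finished", cid, st["orig"])


def run_policy(capture):
    """Policy layer: handlers that keep context from past events and decide
    what deserves a notice. Returns a summary for inspection."""
    engine = EventEngine()
    summary = {"established": 0, "requests": 0, "notices": []}
    per_conn = defaultdict(int)

    # Constructed site policy: notice requests under /admin and chatty clients.
    def on_established(cid, orig):
        summary["established"] += 1

    def on_request(cid, orig, method, uri):
        summary["requests"] += 1
        per_conn[cid] += 1
        if uri.startswith("/admin"):
            summary["notices"].append(f"{orig} requested {method} {uri}")

    def on_finished(cid, orig):
        if per_conn[cid] >= 3:
            summary["notices"].append(f"{orig} made {per_conn[cid]} requests in one connection")

    engine.on("connection_established", on_established)
    engine.on("http_request", on_request)
    engine.on("connection_finished", on_finished)
    for p in capture:
        engine.feed(p)
    return summary


if __name__ == "__main__":
    print(run_policy(CAPTURE))
```

The separation is what makes the policy cheap to change: swapping the handlers in `run_policy` for different ones needs no change to `EventEngine`, which is the property the text attributes to Bro's design.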


While being configured, Bro creates different directories: bin is created to hold programs and binaries. A script directory is created for additional support scripts. The policy directory holds the files that ship with Bro; the files in the policy directory are not meant to be edited. It contains the default signature files in policy/sigs. The site directory is the default location for site customization. The var directory is the location where the PID file is written. The reports archive directory is created for email reports and for storage of older log files. etc is the location where bro.cfg and the bro.rc start script are located.


Bro is a powerful network intrusion detection system with robustness, efficiency, and separation of policy and mechanism. Bro compresses high-volume traffic streams into low-volume streams of events for CPU processing.