| The introduction of mandatory access control mechanism into operating systerm makes the operating system's security largely improved. Development of SELinux led by U.S. National Security Agency (NSA), supports Role-Based Access Control model, Type-Enhanced security model and an optional Multi-Level security model. However, SELinux security policy configuration is complex, which has caused great difficulties to implementation and maintenance of security for Linux users.This paper aims to explore possible methods and techniques used to reduce the Linux user security policy configuration management workload and complexity. Two aspects need to be considered, first is how to facilitate and simplify the user security policy configuration building operation; second is how to ensure the correctness of the security policy configuration and reliability. SELinux related research paper by tracking the results, includes the SELinux security architecture and security model supported, especially in the example provided by the NSA policy analysis; security policy configuration is given the basic process of building, forming the basic security policy configuration structure. In addition, the editing process provides a scalable security policy configuration tree structure display type mechanism, security policy can be clearly demonstrated and even the security policy configuration source files intrinsic link between configuration items. To ensure the correctness of the security policy configuration and reliability, the paper also discussed the access control space, consistency of inspection methods, consider the security policy configuration in the process of completion or even the introduction of the so-called static or dynamic checking mechanism.The paper introduces the basic design of SELinux security policy configuration tool, the key modules of the prototype and implementation process of SELinux security policy configuration.Finally, the paper summarizes the relevant research work, makes some recommendations to follow-up, and directions of future research are suggested. |
PDF Full Text Request