Summary and analysis of SELinux related knowledge

What is Android SELinux?

SELinux is a mandatory access control (MAC) security system built on the domain-type model. It enforces control over which processes may access which system resources and also supports role-based and multi-level security policies. What it controls is not just the user but the individual process: every process runs in a domain, every object carries a type, and the policy decides which domain may do what to which type. SELinux therefore provides much finer-grained access control than traditional UNIX permissions.

Using SELinux, we can specify that only processes meeting certain conditions (running in a given domain) may access a given resource, so that even if a user runs an attack program, or runs as root, it still cannot access files that the SELinux policy does not authorize for that domain.

It works as shown in the figure below (image not available in this copy; the step-by-step flow is described later in this post).


Which build variants have SELinux enabled by default?

On AOSP since Android 5.0, SELinux is in enforcing mode on every build variant. The practical difference between variants is whether it can be switched off for debugging:
user: enforcing, and it cannot be switched to permissive (no root, and the androidboot.selinux= kernel argument is ignored);
userdebug and eng: enforcing by default as well, but root is available, so they can be switched to permissive with setenforce 0 or booted with androidboot.selinux=permissive on the kernel command line.


How to confirm by debugging whether a problem is caused by SELinux?

  1. Switch SELinux to permissive mode, then retest to see whether the problem is tied to an SELinux constraint.
  2. If the problem still reproduces in permissive mode, it is not caused by SELinux. If it reproduces easily in enforcing mode but no longer reproduces in permissive mode, SELinux is the likely cause. Confirm by looking for "avc: denied" lines in dmesg or logcat: each one names the source domain (scontext), the target type (tcontext), the object class (tclass) and the permission that was refused.
  3. Change the SELinux mode over adb (requires root, so a userdebug or eng build; the change does not survive a reboot):
getenforce   // show the current SELinux mode
	Enforcing :  // policy is enforced: denials are blocked and logged
	Permissive : // policy is only checked: denials are logged but not blocked

setenforce 1 // switch to enforcing
setenforce 0 // switch to permissive
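As an added example (not code from the original post), the POSIX shell script below performs the triage described above offline. It takes constructed "avc: denied" log lines of the kind dmesg or logcat print on a device, prints one summary line per denial, counts the denials that were actually enforced (permissive=0), and, going one step beyond the post, rewrites each denial as the SELinux TE allow rule that would silence it. The comm names, the hal_foo_default domain and the log contents are made up for illustration; the device_triage function shows the real adb commands and is not executed by the script.

```shell
#!/bin/sh
# Added example, not code from the original post. Triage of a suspected
# SELinux denial on Android. The log lines below are constructed to look like
# what `adb shell dmesg` / `adb logcat` print; comm names and the domain
# hal_foo_default are made up for illustration.

SAMPLE_LOG='[   12.345678] type=1400 audit(0.0:42): avc: denied { read } for comm="myapp" name="secret.conf" dev="dm-1" ino=1234 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
[   12.350000] type=1400 audit(0.0:43): avc: denied { write } for comm="vendor_daemon" name="mmcblk0" dev="tmpfs" ino=99 scontext=u:r:hal_foo_default:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
[   12.360000] init: starting service foo...'

# One summary line per denial: "scontext -> tcontext (tclass): perms [permissive=N]".
# permissive=0 means the access was really blocked; permissive=1 means it was
# only logged (the device was in permissive mode at the time).
summarize_denials() {
    printf '%s\n' "$1" | grep 'avc: denied' | sed -E \
        's/.*avc: denied \{ ([^}]*) \}.*scontext=([^ ]+) tcontext=([^ ]+) tclass=([^ ]+) permissive=([01]).*/\2 -> \3 (\4): \1 [permissive=\5]/'
}

# Number of denials that were enforced. If this stays 0 while the bug still
# reproduces in enforcing mode, SELinux is not the cause.
count_enforced_denials() {
    printf '%s\n' "$1" | grep -c 'avc: denied.*permissive=0'
}

# Beyond the post: rewrite each denial as the TE allow rule that would permit
# it (the type is the third colon-separated field of a context "u:r:TYPE:s0..."),
# which is the same shape audit2allow produces. Review such rules before use.
denial_to_allow_rule() {
    printf '%s\n' "$1" | grep 'avc: denied' | sed -E \
        's/.*avc: denied \{ ([^}]*) \}.*scontext=[^:]*:[^:]*:([^:]*):[^ ]* tcontext=[^:]*:[^:]*:([^:]*):[^ ]* tclass=([^ ]+).*/allow \2 \3:\4 { \1 };/'
}

# The real device-side procedure (userdebug/eng build with root). Not run here.
device_triage() {
    adb root
    adb shell getenforce                       # Enforcing or Permissive
    adb shell dmesg | grep 'avc: denied'       # denials logged so far
    adb shell setenforce 0                     # permissive: log but do not block
    # ... reproduce the problem here, then collect the new denials ...
    adb shell dmesg | grep 'avc: denied'
    adb shell setenforce 1                     # back to enforcing
}

summarize_denials "$SAMPLE_LOG"
echo "enforced denials: $(count_enforced_denials "$SAMPLE_LOG")"
denial_to_allow_rule "$SAMPLE_LOG"
```

The generated allow rule is a starting point, not a fix: AOSP's neverallow rules reject many widening rules at build time, and for the first sample line the right answer is usually to relabel the file or move the access into a dedicated domain rather than let untrusted_app read system_data_file.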


SELinux consists of five basic components:

  1. selinuxfs, the pseudo-filesystem (mounted at /sys/fs/selinux) through which userspace loads the policy and reads or switches the enforcing mode.
  2. The set of Linux Security Modules (LSM) hooks that SELinux registers with the kernel.
  3. The security policy database, i.e. the loaded binary policy.
  4. The security label (security context) verification module, which decides whether a given source context may perform an operation on a given target context.
  5. The Access Vector Cache (AVC), which caches those decisions so that repeated checks are fast.

The specific process is as follows:

  1. A process accesses a resource through a system call. After entering the kernel, basic parameter checks are done first; on error the call returns immediately.
  2. The Linux kernel performs the discretionary access control (DAC) check, i.e. the classic owner/group/mode permissions; on failure it returns immediately.
  3. The kernel calls the relevant LSM hook, which dispatches to SELinux's hook, and the MAC check is performed (the AVC is consulted first, the policy on a cache miss). If the policy denies the access, the denial is logged and, in enforcing mode, the call returns an error.
  4. The real system resource is accessed.
  5. Control returns to user mode with the result.

Because DAC is checked before MAC, a permission error (EACCES) seen by the process can come from either layer; the "avc: denied" log line is what tells the two apart.

Note: enforcing mode: accesses the policy denies are blocked; permissive mode: the policy is still evaluated and denials are logged, but nothing is blocked.

Origin blog.csdn.net/weixin_45639314/article/details/131308693