# OpenHarmony SELinux Overview

## Introduction

OpenHarmony Security-Enhanced Linux (SELinux) provides mandatory access control (MAC) capabilities for system resources, such as files, parameters, system abilities (SAs), and Hardware Driver Foundation (HDF) services, based on the system architecture characteristics and SELinux. This topic describes how to develop the OpenHarmony SELinux features based on the SELinux access control model.

OpenHarmony SELinux provides the following functionalities:

- Access control for parameters, SAs, and HDF services.
- Setting of application labels.
- Security policy compiling and loading.
- Security context compiling and loading.
- Policy validity check during compilation.

## Basic Concepts

- Security context

  Security contexts are also referred to as SELinux labels. An OpenHarmony SELinux context is in the **user:role:type:sensitivity[:category,...]-sensitivity[:category,...]** format, where:
  - **user**: user type. For example, **user u roles { r }** indicates the user **u** who is authorized for role **r**.
  - **role**: role identifier, which defines the types that can be accessed by a process. It is **object_r** for the user type of resources such as files, parameters, SA services, and HDF services, and **r** for the user type of processes.
  - **type**: SELinux type. In SELinux rule statements, **type** specifies the rule.
  - **sensitivity**: multi-level security (MLS) level. Different security levels are isolated. Currently, OpenHarmony SELinux supports only the security level **s0**.
  - **category**: category of a specific sensitivity. Currently, OpenHarmony SELinux has defined categories **c0** to **c1023**, which are not distinguished for SELinux policies.

- Subject

  A subject is an active entity that makes a request to access a resource (object). It can be a user, a process, a service, or an SELinux type. In OpenHarmony SELinux, process subjects are classified into native process, application process, SA process, and HDF process.

- Object

  An object is the resource to access. It can be a file, directory, parameter, SA, or HDF service.

- SID

  Security ID (SID or sid) is a unique identifier of a process, a file, or an SELinux object.

- AVC

  Access Vector Cache (AVC) is used to trace and cache information about access control decisions to improve system performance and security.

- TE

  An SELinux policy consists of multiple type enforcement (TE) rules.

- Running mode

  OpenHarmony SELinux can run in either of the following modes:
  + Enforcing mode: Permission denials are both enforced and logged with an AVC alarm.
  + Permissive mode: Permission denials are logged with an AVC alarm but not enforced.

## Working Principles

OpenHarmony SELinux uses the security contexts of the subject and object to determine whether the subject can access the object and intercepts unauthorized behavior in kernel mode.

**Figure 1** OpenHarmony SELinux architecture
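The security context format described under Basic Concepts can be checked mechanically before a label reaches a policy or context file. The parser below is an added example, not OpenHarmony code: it enforces the limits this page states (sensitivity **s0** only, categories **c0** to **c1023**, roles **r** and **object_r**), and it assumes that the level after the hyphen is optional and that the standard SELinux `cN.cM` category-range shorthand applies. The sample labels are constructed.

```python
import re
from collections import namedtuple

# Limits stated on this page: sensitivity s0 only, categories c0..c1023.
SENSITIVITIES = {"s0"}
MAX_CATEGORY = 1023
ROLE_KIND = {"r": "process", "object_r": "resource"}  # role -> what it labels
NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
CATEGORY = re.compile(r"c([0-9]+)(?:\.c([0-9]+))?")  # cN, or cN.cM (assumed range form)
Context = namedtuple("Context", "user role type low high kind")

def parse_level(text):
    """Return (sensitivity, frozenset of category numbers) for one MLS level."""
    sens, sep, cats = text.partition(":")
    if sens not in SENSITIVITIES:
        raise ValueError(f"unsupported sensitivity {sens!r}")
    numbers = set()
    for item in (cats.split(",") if sep else []):
        m = CATEGORY.fullmatch(item)
        if not m:
            raise ValueError(f"bad category {item!r}")
        first, last = int(m[1]), int(m[2] or m[1])
        if first > last or last > MAX_CATEGORY:
            raise ValueError(f"category out of range: {item!r}")
        numbers.update(range(first, last + 1))
    return sens, frozenset(numbers)

def parse_context(label):
    """Parse user:role:type:level[-level]; the high level is assumed optional."""
    parts = label.strip().split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"expected user:role:type:level, got {label!r}")
    user, role, setype, level = parts
    if not all(NAME.fullmatch(p) for p in (user, role, setype)):
        raise ValueError(f"bad identifier in {label!r}")
    if role not in ROLE_KIND:
        raise ValueError(f"unknown role {role!r}")
    low_text, dash, high_text = level.partition("-")
    low = parse_level(low_text)
    high = parse_level(high_text) if dash else low
    return Context(user, role, setype, low, high, ROLE_KIND[role])

if __name__ == "__main__":
    # Constructed sample labels, not taken from an OpenHarmony policy file.
    for label in ("u:r:init:s0", "u:object_r:system_file:s0:c0.c3", "u:r:init:s1"):
        try:
            print(label, "->", parse_context(label))
        except ValueError as err:
            print(label, "-> rejected:", err)
```

A label whose role is **r** is reported as a process context and one whose role is **object_r** as a resource context, so the same function can flag a process label that was mistakenly written into a file or parameter context list.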