Access control policies are critical to ensuring the security of operating systems. SELinux enforces strict security policies by precisely controlling the access rights of subjects to objects, thereby effectively preventing unauthorized access and privilege abuse. However, with the continuous evolution of software and system resources, SELinux policies also need to be dynamically updated. On one hand, traditional manual approaches to policy updating and configuration suffer from low efficiency and a high propensity for errors. On the other hand, although existing policy generation methods have simplified policy management to some extent, the large scale and semantic complexity of SELinux policies result in significant limitations in terms of their adaptability. To address these challenges, this paper proposes a knowledge graph-based method for SELinux policy generation. The approach begins by extracting relevant files from the SELinux system and initializing them for processing. It then models policy information in the form of knowledge graph and mines potential new rules from audit logs by five classifiers which combine machine learning and knowledge graph completion techniques. Finally, the new rules are subjected to conflict detection and resolution to produce updated policies. Experimental results demonstrate that the proposed method can effectively learn new rules from audit logs to optimize SELinux policies and enrich the SELinux policy knowledge graph.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Dynamic Generation Method of SELinux Policy Based on Knowledge Graph

  • Jin Li,
  • Yina Hou,
  • Jiaxin He,
  • Hanyv Wang

摘要

Access control policies are critical to ensuring the security of operating systems. SELinux enforces strict security policies by precisely controlling the access rights of subjects to objects, thereby effectively preventing unauthorized access and privilege abuse. However, with the continuous evolution of software and system resources, SELinux policies also need to be dynamically updated. On one hand, traditional manual approaches to policy updating and configuration suffer from low efficiency and a high propensity for errors. On the other hand, although existing policy generation methods have simplified policy management to some extent, the large scale and semantic complexity of SELinux policies result in significant limitations in terms of their adaptability. To address these challenges, this paper proposes a knowledge graph-based method for SELinux policy generation. The approach begins by extracting relevant files from the SELinux system and initializing them for processing. It then models policy information in the form of knowledge graph and mines potential new rules from audit logs by five classifiers which combine machine learning and knowledge graph completion techniques. Finally, the new rules are subjected to conflict detection and resolution to produce updated policies. Experimental results demonstrate that the proposed method can effectively learn new rules from audit logs to optimize SELinux policies and enrich the SELinux policy knowledge graph.