ROLE BASED ACCESS CONTROL WITH SELINUX

Abstract

In a typical healthcare information system, multiple users access data stored in different files related to patients. Healthcare organizations have to adhere to security regulations while storing sensitive data of patients and also providing access control to various users of the system, like doctor, administrators, nurses, pharmacists, pathologists etc. To provide secure access control, application layer security is already provided in the system to restrict access control for various users to classified information in Hospital Information System (HIS). Discretionary Access Control (DAC) is the most commonly implemented access control model to restrict access to resources at the OS layer. But these measures, application layer security and DAC, becomes insufficient in case of virus/malware attacks. This thesis investigates about providing Hierarchical Role based access control (RBAC) using SELinux to provide security using checks provided by SELinux at OS layer. SELinux provides Mandatory Access Control (MAC) mechanisms at the OS layer which can contain attack from compromised application and restrict access according to security policy implemented. The main contribution of this research is to provide a RBAC using SELinux to a typical Hospital Information System (HIS). The roles and the hierarchy have been defined for users in a typical HIS and security policy has been developed around this hierarchy to provide security to classified information in HIS to different roles. The feasibility of using SELinux profiles in HIS has been demonstrated through the creation of a prototype application, which was submitted to various attack scenarios. The prototype has also been subjected to testing during emergency scenarios, where changes to the security policies had to be made on the spot. Attack scenarios are based on vulnerabilities common at the application layer. SELinux demonstrates that it can effectively contain attacks at the application layer and provide adequate flexibility during emergency situations. Access control is decided on the role played by different users in the organization. It is similar to concept of groups in linux. It categorizes the groups of users and group of permissions as compared to user groups which define user sets.