
CN-121984762-A - Access control method, device, equipment and storage medium

CN121984762A

Abstract

The application discloses an access control method, an access control device, access control equipment and a storage medium, and belongs to the technical field of network management and control. The method comprises the steps of responding to the received access control requirement, configuring an XML file based on the access control requirement, and analyzing the XML file by adopting an automatic generation engine to generate a SELinux configuration. The application reduces the error risk caused by manual intervention while maintaining the MAC precision, and the labor cost, can assist operation and maintenance personnel to efficiently and accurately complete the deployment of the SELinux strategy, improves the system safety, and solves the technical problems of high control configuration complexity and easy error operation after the network management system starts the SELinux in the prior art.

Inventors

  • LI ZHUO

Assignees

  • 烽火通信科技股份有限公司

Dates

Publication Date
20260505
Application Date
20260206

Claims (10)

  1. An access control method, comprising: in response to receiving an access control requirement, configuring an XML file based on the access control requirement; and parsing the XML file with an automatic generation engine to generate a SELinux configuration.
  2. The method of claim 1, wherein configuring the XML file based on the access control requirement comprises: acquiring corresponding predefined labels based on the access control requirement; and defining type metadata in an XML tree structure based on the predefined labels, and declaring a host-client policy to obtain the XML file.
  3. The access control method according to claim 2, wherein parsing the XML file with an automatic generation engine to generate a SELinux configuration comprises: parsing the XML file and compiling it to generate a SELinux kernel file; and modifying the security contexts of the host and the guest in the SELinux kernel file based on the parsing result of the XML file, and creating a SELinux user configuration file.
  4. The access control method according to claim 3, wherein parsing and compiling the XML file to generate a SELinux kernel file comprises: mapping XML nodes of the XML file into SELinux syntax elements, and generating a type inheritance relation graph to obtain the SELinux kernel file.
  5. The access control method according to claim 3, wherein parsing and compiling the XML file to generate a SELinux kernel file further comprises: eliminating redundant information in the type metadata and the host-client policy.
  6. The access control method according to claim 4 or 5, wherein parsing and compiling the XML file to generate a SELinux kernel file further comprises: identifying and processing conflicting authority configurations in the configuration of the XML file.
  7. The access control method according to claim 3, wherein creating the SELinux user configuration file comprises: acquiring the correspondence between an operating system user and a role configured in the SELinux kernel file based on a predefined user mapping configuration; and generating and configuring the SELinux user configuration file according to that correspondence.
  8. An access control apparatus, comprising: an XML configuration unit for responding to a received access control requirement and configuring an XML file based on the access control requirement; and an XML parsing unit for parsing the XML file with an automatic generation engine to generate a SELinux configuration.
  9. An electronic device comprising a memory and a processor, the processor being configured to read and execute a computer program stored in the memory to implement the steps of the access control method of any one of claims 1-7.
  10. A computer readable storage medium having stored therein computer executable instructions which, when executed, implement the steps of the access control method of any one of claims 1-7.

Description

Access control method, device, equipment and storage medium

Technical Field

The present application belongs to the field of network management and control technologies, and in particular to an access control method, apparatus, device, and storage medium.

Background

Network security is a key component of a network management and control system (hereinafter referred to as a network management system). Current network management systems only support discretionary access control (DAC) and lack mandatory access control (MAC) capabilities. Because SELinux policy configuration syntax is obscure and its logic is complex, in a network management environment with a huge system scale and numerous resources, configuration omissions or errors are very likely to occur when custom rules are written directly, causing abnormal access to system resources, affecting overall functional operation, and even causing network management service failure. Therefore, a large-system solution is needed that can flexibly configure access control and assist operation and maintenance personnel in efficiently and accurately completing SELinux policy deployment.

Disclosure of Invention

The application provides an access control method, an access control device and a storage medium, which can solve the technical problems of high control configuration complexity and easy operation error after a network management system in the prior art enables SELinux. In order to achieve the above purpose, the present application provides the following technical solutions:

An access control method, comprising: in response to receiving an access control requirement, configuring an XML file based on the access control requirement; and parsing the XML file with an automatic generation engine to generate a SELinux configuration.
Optionally, in an embodiment, configuring the XML file based on the access control requirement includes: acquiring corresponding predefined labels based on the access control requirement; and defining type metadata in an XML tree structure based on the predefined labels, and declaring a host-client policy to obtain the XML file.

Optionally, in an embodiment, parsing the XML file with an automatic generation engine to generate a SELinux configuration includes: parsing the XML file and compiling it to generate a SELinux kernel file; and modifying the security contexts of the host and the guest in the SELinux kernel file based on the parsing result of the XML file, and creating a SELinux user configuration file.

Optionally, in an embodiment, parsing and compiling the XML file to generate a SELinux kernel file includes: mapping XML nodes of the XML file into SELinux syntax elements, and generating a type inheritance relation graph to obtain the SELinux kernel file.

Optionally, in an embodiment, parsing and compiling the XML file to generate a SELinux kernel file further includes: eliminating redundant information in the type metadata and the host-client policy.

Optionally, in an embodiment, parsing and compiling the XML file to generate a SELinux kernel file further includes: identifying and processing conflicting authority configurations in the configuration of the XML file.

Optionally, in an embodiment, creating the SELinux user configuration file includes: acquiring the correspondence between an operating system user and a role configured in the SELinux kernel file based on a predefined user mapping configuration; and generating and configuring the SELinux user configuration file according to that correspondence.
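As an added example (not code from the patent or its assignee), the following Python sketch implements the generation pipeline the embodiments describe: XML nodes are mapped to SELinux type-enforcement statements, duplicate allow rules are merged to remove redundancy, permissions that are both allowed and never-allowed are reported as conflicts and dropped so the emitted module would not be rejected at compile time, and an operating-system-user mapping is emitted in seusers format. The XML element vocabulary and all type, user and permission names are constructed assumptions, not the patent's schema.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample input. The element vocabulary (<type>, <allow>,
# <neverallow>, <usermap>) is an assumption, not the patent's schema.
SAMPLE_XML = """
<policy>
  <type name="nms_daemon_t" attributes="domain"/>
  <type name="nms_conf_t" attributes="file_type"/>
  <allow subject="nms_daemon_t" object="nms_conf_t" class="file" perms="read open"/>
  <allow subject="nms_daemon_t" object="nms_conf_t" class="file" perms="read"/>
  <allow subject="nms_daemon_t" object="nms_conf_t" class="file" perms="write"/>
  <neverallow subject="nms_daemon_t" object="nms_conf_t" class="file" perms="write"/>
  <usermap os="nmsadmin" seuser="nms_u" range="s0"/>
</policy>
"""

def _key(node):
    return (node.get("subject"), node.get("object"), node.get("class"))

def generate_te(xml_text):
    """Map XML nodes to .te statements. Returns (lines, conflicts); a
    conflict is a permission that is both allowed and never-allowed."""
    root = ET.fromstring(xml_text)
    lines = []
    for t in root.iter("type"):
        attrs = t.get("attributes", "").split()
        lines.append("type %s%s;" % (t.get("name"), "".join(", " + a for a in attrs)))
    allow, never = defaultdict(set), defaultdict(set)
    for node in root.iter("allow"):  # merging duplicates removes redundancy
        allow[_key(node)] |= set(node.get("perms").split())
    for node in root.iter("neverallow"):
        never[_key(node)] |= set(node.get("perms").split())
    conflicts = []
    for key, perms in sorted(allow.items()):
        clash = perms & never.get(key, set())
        conflicts += [key + (p,) for p in sorted(clash)]
        perms -= clash  # a clashing allow would make the policy compiler reject the module
        if perms:
            lines.append("allow %s %s:%s { %s };" % (key + (" ".join(sorted(perms)),)))
    for key, perms in sorted(never.items()):
        lines.append("neverallow %s %s:%s { %s };" % (key + (" ".join(sorted(perms)),)))
    return lines, conflicts

def generate_seusers(xml_text):
    """OS login -> SELinux user mapping in seusers format: login:seuser:range."""
    root = ET.fromstring(xml_text)
    return ["%s:%s:%s" % (u.get("os"), u.get("seuser"), u.get("range", "s0"))
            for u in root.iter("usermap")]
```

The conflict list is what an operator would review before loading the module; the emitted lines are plain type-enforcement syntax that checkpolicy or a module build would consume.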
Based on the same inventive concept, an embodiment of the present application further provides an access control apparatus, including: an XML configuration unit for responding to a received access control requirement and configuring an XML file based on the access control requirement; and an XML parsing unit for parsing the XML file with an automatic generation engine to generate a SELinux configuration.

Based on the same inventive concept, an embodiment of the application also provides an electronic device comprising a memory and a processor, wherein the processor is used for reading and executing the computer program stored in the memory so as to realize the steps of the access control method.

Based on the same inventive concept, embodiments of the present application further provide a computer storage medium in which computer executable instructions are stored, which when executed implement the steps of the aforementioned access control method.

Compared with the prior art, the application has the following advantages: according to the access control method, device, equipment and storage medium, when an access control requirement is received, the XML file is configured based on that requirement, the minimum access control rule is defined through the structured XML, the cognitive