Language Selection

English French German Italian Portuguese Spanish

SELinux: Comprehensive security at the price of usability

Filed under
Linux

Operating system security revolves around controlling access. Linux distributions subscribe to the Discretionary Access Control (DAC) mechanism that lets resource owners decide who gets to access the resource and how. People soon realized that DAC is not an ideal solution, as it gives applications the same privileges of the user running them. One compromised application running as root effectively compromises the full system. This led security experts to develop Mandatory Access Control (MAC), which grants access to resources as defined by a security policy, regardless of the user running the application. The Security Enhanced Linux (SELinux) project is the first mainstream implementation of MAC.

The benefit of SELinux is twofold. First, it replaces the user-based model with a policy-centric model. Every action, like running an application or reading and modifying data, is controlled by a security policy. Actions that violate the policy are denied. Additionally, SELinux compartmentalizes the various applications and processes running on the system. This not only helps in isolating a break-in, but also confines the damage caused by one compromised service.

SELinux plugs into the Linux distribution through the Linux Security Module (LSM) hooks, which are available in the 2.6.x kernel series. LSM was designed to integrate security models to work with the kernel, instead of applying them as a patch.

Full Story.

More in Tux Machines

Ubuntu Touch OTA-4 Update to Let Users Import SIM Contacts

A fresh OTA update is being prepared for Ubuntu Touch, and it should land soon. Developers have released some of the most important improvements that will be implemented in the upcoming release. Read more

Fedora Tools

  • Future Plans For Changing Fedora's Installer
    Over the last couple weeks there has been an "Anaconda Wishlist" thread occurring on Fedora's desktop mailing list. The thread, and the associated Workstation Working Group meeting, are directed at the future of the Fedora Anaconda Installer.
  • Tweak Your Fedora 22 Desktop Using Fedy And PostinstallerF
    None of the Linux distributions comes with all essential applications for daily usage, Agree? You have to install additional Repositories, softwares like Chrome, Flash player, Java or something in order to get a perfect distro for the daily usage. We can do it in two methods. First, you can manually search and install all the required softwares one by one, and the second one is you can use a tool that will help you to find and install all essential applications from one place. Which method would you prefer? I prefer the second method most, not because it is easy, but also it saves some time.
  • 27 ‘DNF’ (Fork of Yum) Commands for RPM Package Management in Linux

Red Hat CEO: Public cloud "obscenely expensive at scale"

Whitehurst believes Amazon Web Services (AWS) makes sense for test and dev, but it can't compete with private cloud at scale. Do you agree? Read more Also:

Intel Gets 'Clear' About Linux and Containers

Imad Sousou, VP in Intel's Software and Services Group and GM of the Intel Open Source Technology Center, discusses the Clear Linux and Clear container efforts. Read more