Language Selection

English French German Italian Portuguese Spanish

SELinux: Comprehensive security at the price of usability

Filed under
Linux

Operating system security revolves around controlling access. Linux distributions subscribe to the Discretionary Access Control (DAC) mechanism that lets resource owners decide who gets to access the resource and how. People soon realized that DAC is not an ideal solution, as it gives applications the same privileges of the user running them. One compromised application running as root effectively compromises the full system. This led security experts to develop Mandatory Access Control (MAC), which grants access to resources as defined by a security policy, regardless of the user running the application. The Security Enhanced Linux (SELinux) project is the first mainstream implementation of MAC.

The benefit of SELinux is twofold. First, it replaces the user-based model with a policy-centric model. Every action, like running an application or reading and modifying data, is controlled by a security policy. Actions that violate the policy are denied. Additionally, SELinux compartmentalizes the various applications and processes running on the system. This not only helps in isolating a break-in, but also confines the damage caused by one compromised service.

SELinux plugs into the Linux distribution through the Linux Security Module (LSM) hooks, which are available in the 2.6.x kernel series. LSM was designed to integrate security models to work with the kernel, instead of applying them as a patch.

Full Story.

More in Tux Machines

Intel Skylake Audio Support For Linux 3.19

Intel's next-generation Skylake processors are starting to take shape with the Linux 3.19 kernel. Linux 3.19 lands initial Skylake graphics support within the Intel DRM drivers (there's already initial support on the user-space side too within Mesa) and there's Skylake MPX support among other Skylake related work that's been merged for 3.19. Read more

MIPS R6 Architecture Now Supported By GCC

The latest feature that's landed for the GCC 5 compiler due out next year is MIPS R6 support for both 32-bit and 64-bit. As of yesterday, there's MIPS32R6 and MIPS64R6 support in GCC. The new MIPS R6 CPU architecture support was contributed by Imagination Technologies themselves. MIPS Release 6 features new instructions aimed for enhancing performance for JIT, JavaScript, browsers, PIC for Android, and large workload applications. The MIPS R6 architecture was announced a few months ago and the first products based on the updated MIPS ISA are their new Warrior processors. Read more

Ubuntu Touch to Land with Bq Aquaris e4.5 Phones in February

The first two companies that have been confirmed to release phones with Ubuntu Touch are Meizu and Bq. Until now, only Meizu showed any kind of involvement with Ubuntu Touch and they were the first to announce a launch window. On the other hand, Bq has been silent, but it seems to have been very busy and to be the first one out the door. Read more

Linux 3.19 Merge Window Closes Ahead Of Schedule

Linus announced on Friday night that he's closing the merge window early for 3.19. Torvalds said that he's pulling the last of the pull requests on Saturday -- related to KBuild and the READ_ONCE split-up -- but is planning to then close the merge window. Read more