Language Selection

English French German Italian Portuguese Spanish

SELinux: Comprehensive security at the price of usability

Filed under
Linux

Operating system security revolves around controlling access. Linux distributions subscribe to the Discretionary Access Control (DAC) mechanism that lets resource owners decide who gets to access the resource and how. People soon realized that DAC is not an ideal solution, as it gives applications the same privileges of the user running them. One compromised application running as root effectively compromises the full system. This led security experts to develop Mandatory Access Control (MAC), which grants access to resources as defined by a security policy, regardless of the user running the application. The Security Enhanced Linux (SELinux) project is the first mainstream implementation of MAC.

The benefit of SELinux is twofold. First, it replaces the user-based model with a policy-centric model. Every action, like running an application or reading and modifying data, is controlled by a security policy. Actions that violate the policy are denied. Additionally, SELinux compartmentalizes the various applications and processes running on the system. This not only helps in isolating a break-in, but also confines the damage caused by one compromised service.

SELinux plugs into the Linux distribution through the Linux Security Module (LSM) hooks, which are available in the 2.6.x kernel series. LSM was designed to integrate security models to work with the kernel, instead of applying them as a patch.

Full Story.

More in Tux Machines

Android Leftovers

Leftovers: Software

today's howtos

Running The AMD Radeon R9 Fury With AMD's New Open-Source Linux Driver

Now that Linux 4.2 is set to be released today, out on the horizon we have to look forward to Linux 4.3 kernel. Set to be merged into Linux 4.3 will be in the initial open-source AMD driver code for supporting the Radeon R9 Fury graphics cards. This open-source Fury support is the focus of our testing today with it being the first time powering up this Fiji GPU outside of Catalyst. Read more