Language Selection

English French German Italian Portuguese Spanish

SELinux: Comprehensive security at the price of usability

Filed under
Linux

Operating system security revolves around controlling access. Linux distributions subscribe to the Discretionary Access Control (DAC) mechanism that lets resource owners decide who gets to access the resource and how. People soon realized that DAC is not an ideal solution, as it gives applications the same privileges of the user running them. One compromised application running as root effectively compromises the full system. This led security experts to develop Mandatory Access Control (MAC), which grants access to resources as defined by a security policy, regardless of the user running the application. The Security Enhanced Linux (SELinux) project is the first mainstream implementation of MAC.

The benefit of SELinux is twofold. First, it replaces the user-based model with a policy-centric model. Every action, like running an application or reading and modifying data, is controlled by a security policy. Actions that violate the policy are denied. Additionally, SELinux compartmentalizes the various applications and processes running on the system. This not only helps in isolating a break-in, but also confines the damage caused by one compromised service.

SELinux plugs into the Linux distribution through the Linux Security Module (LSM) hooks, which are available in the 2.6.x kernel series. LSM was designed to integrate security models to work with the kernel, instead of applying them as a patch.

Full Story.

More in Tux Machines

Leftovers: Gaming

10 Great Plasma Widgets for KDE with Screenshots

Since the introduction of Plasma widgets in KDE4, the whole desktop took a new direction, starting to become a more interactive way to communicate with the user, to say nothing about the fact that a desktop with widgets will look more beautiful than a plain, icon-only desktop. Read more

OPNFV Adds Chinese Telecom to Open Source NFV/SDN Partnership

The Linux Foundation's OPNFV project won a significant endorsement this week from China-based ZTE Corporation, which stands to increase the global reach of the open source network functions virtualization (NFV) and software-defined networking (SDN) initiative. Based in Shenzen, China, ZTE is a major manufacturer of telecom... Read more

Elive 2.4.5 beta released

The Elive Team is proud to announce the release of the beta version 2.4.5 Read more