|
Source: www.ibm.com - Posted by Paul VonBurg
|
SELinux is a mandatory access control (MAC) system available in Linux kernels as of version 2.6. Of the Linux Security Modules available, it is the most comprehensive and well tested, and is founded on 20 years of MAC research. SELinux combines a type-enforcement server with either multi-level security or an optional multi-category policy, and a notion of role-based access control. See the Resources section later in this article for links to more information about these topics.
Most people who have used SELinux have done so by using an SELinux-ready distribution such as Fedora, Red Hat Enterprise Linux (RHEL), Debian, or hardened Gentoo. These enable SELinux in the kernel, offer a customizable security policy, and patch a great number of user-land libraries and utilities to make them SELinux aware.
(Editorial comment: EnGarde Secure Linux is an SELinux-ready distibution)
If you're like many users who simply want the system to work as before, but a bit more securely, you can query and manipulate SELinux by using familiar applications and by writing security policies using a higher level language. However, these methods can be insufficient when something breaks -- such as when kernel and user-space get out of sync. Also, these methods might even hinder the UNIX® engineer from understanding how SELinux is actually working. Finally, the engineer and the security community should understand that there are appropriate ways to use SELinux outside of the conventions in use by current distributions.
In this article, learn how to convert a system that is initially completely unaware of SELinux into one that enforces SELinux. You also learn how to enforce a few simple access policies.
Read this full article at www.ibm.com
Powered by AkoComment! |
