Realistic SELinux
Source: OreillyNet - Posted by Benjamin D. Thomas

The original SELinux approach was that anything not expressly permitted was forbidden. Technically, this meant that every program anybody would ever run had to be configured with a policy that indicated what files it could touch, who could run it, and every other aspect of the program that might present a risk. Practically, this meant that you'd start your system and find that some obscure daemon wasn't running--and the only diagnostic aid you had was a few lines listing process IDs and inodes. It didn't help that all the resources (files and so forth) had to be tagged accurately, along with programs and users.

Read this full article at OreillyNet