Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security mechanism implemented in the kernel. SELinux was first introduced in CentOS 4 and significantly enhanced in later CentOS releases. These enhancements mean that content varies as to how to approach SELinux over time to solve problems.

In order to better understand why SELinux is important and what it can do for you, it is easiest to look at some examples. Without SELinux enabled, only traditional discretionary access control (DAC) methods such as file permissions or access control lists (ACLs) are used to control the file access of users. Users and programs alike are allowed to grant insecure file permissions to others or, conversely, to gain access to parts of the system that should not otherwise be necessary for normal operation. For example:

- Administrators have no way to control users: a user could set world-readable permissions on sensitive files such as ssh keys and the directory containing such keys, customarily ~/.ssh/
- Processes can change security properties: a user's mail files should be readable only by that user, but the mail client software has the ability to change them to be world-readable.
- Processes inherit the user's rights: Firefox, if compromised by a trojaned version, could read a user's private ssh keys even though it has no reason to do so.

Essentially, under the traditional DAC model there are two privilege levels, root and user, and no easy way to enforce a model of least privilege. Many processes that are launched by root later drop their rights to run as a restricted user, and some processes may be run in a chroot jail, but all of these security methods are discretionary. SELinux follows the model of least privilege more closely. By default under a strict enforcing setting, everything is denied, and then a series of exception policies are written that give each element of the system (a service, program or user) only the access required to function.
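The DAC weaknesses above cannot be prevented by DAC itself, only detected after the fact. As an added example (not from the original page), this Python audit flags the ~/.ssh permission problems described, directory and files alike, using a constructed sample directory built in a temp folder.

```python
import stat
import tempfile
from pathlib import Path

# Permission bits that grant access to anyone other than the owner.
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
GROUP_OTHER_READ = stat.S_IRGRP | stat.S_IROTH
# Files under ~/.ssh that are meant to be readable by others (public keys).
PUBLIC_SUFFIXES = (".pub",)


def audit_private_dir(path):
    """Return [(name, octal_mode, reason), ...] for DAC settings that expose
    a private directory such as ~/.ssh to other users.  Under pure DAC the
    owner may loosen these bits at will; an audit like this only detects it,
    whereas SELinux policy would deny the access regardless of the bits."""
    root = Path(path)
    findings = []
    dir_mode = stat.S_IMODE(root.stat().st_mode)
    if dir_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append((".", oct(dir_mode), "directory accessible to group/other"))
    for entry in sorted(root.iterdir()):
        mode = stat.S_IMODE(entry.lstat().st_mode)
        if mode & GROUP_OTHER_WRITE:
            findings.append((entry.name, oct(mode), "writable by group/other"))
        elif mode & GROUP_OTHER_READ and not entry.name.endswith(PUBLIC_SUFFIXES):
            findings.append((entry.name, oct(mode), "readable by group/other"))
    return findings


def demo():
    """Build a constructed ~/.ssh lookalike (sample data, not real keys)
    in a temp dir, loosen it the way a careless user could, and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh = Path(tmp, ".ssh")
        ssh.mkdir(mode=0o700)
        for name, mode in [("id_ed25519", 0o644),        # private key readable by all
                           ("id_ed25519.pub", 0o644),    # public key, acceptable
                           ("config", 0o600),            # correct
                           ("authorized_keys", 0o664)]:  # group-writable
            p = ssh / name
            p.write_text("constructed sample\n")
            p.chmod(mode)
        ssh.chmod(0o755)  # the owner loosened the directory itself
        return audit_private_dir(ssh)


if __name__ == "__main__":
    for name, mode, reason in demo():
        print(f"{name}: {mode} {reason}")
```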