[Novalug] Controlling unauthorized application usage in Linux

David A. Cafaro dac@cafaro.net
Fri Mar 28 13:04:54 EDT 2008


Actually SELinux is deny by default.  If you aren't on the list, you  
don't get access to stuff.

That's actually one of the hard parts about SELinux, to make it work  
on a system you have to write rules to allow everything to do what  
you want it to do or it won't work.  There are some ways to get  
around this in your rules (by labeling everything the same and  
granting permission to that same label), but at the heart of it  
SELinux is a deny by default system, hence a MAC system (as in  
Mandatory Access Control).

As for the security of it, you'll have to do the reading on that.   
But it's very very well locked down, labeling is very strictly  
controlled and follow the file/directory no matter where it goes on  
the system.

-David

On Mar 28, 2008, at 12:57 PM, Ben Creitz wrote:
>
> I will have to look into this area of SELinux and related technology
> (AppArmor).  My limited understanding was that these are useful for
> controlling what a known process or set of processes actually does re:
> launching other processes, accessing FS, etc.  I will need to look
> into the possibility of an SELinux policy that simply says "programs
> not in this list do not run, period" or "only these programs run", and
> look at the ways that SELinux actually identifies those programs, and
> how a user would bypass the control by changing the way that the
> prohibited app is being identified... i.e. are they running their own
> binary from their own home directory, compiled with flags to use non
> standard file locations.
>
> Ben
> _______________________________________________
> Novalug mailing list
> Novalug@calypso.tux.org
> http://calypso.tux.org/cgi-bin/mailman/listinfo/novalug

David A. Cafaro <dac@cafaro.net>
Cafaro's Ramblings:  www.cafaro.net






More information about the Novalug mailing list