[Novalug] Controlling unauthorized application usage in Linux
David A. Cafaro
dac@cafaro.net
Fri Mar 28 13:04:54 EDT 2008
Actually, SELinux is deny by default. If you aren't on the list, you
don't get access to stuff.

That's actually one of the hard parts about SELinux: to make it work
on a system you have to write rules to allow everything to do what
you want it to do or it won't work. There are some ways to get
around this in your rules (by labeling everything the same and
granting permission to that same label), but at the heart of it
SELinux is a deny by default system, hence a MAC system (as in
Mandatory Access Control).

As for the security of it, you'll have to do the reading on that.
But it's very, very well locked down; labeling is very strictly
controlled and follows the file/directory no matter where it goes on
the system.

-David
On Mar 28, 2008, at 12:57 PM, Ben Creitz wrote:
>
> I will have to look into this area of SELinux and related technology
> (AppArmor). My limited understanding was that these are useful for
> controlling what a known process or set of processes actually does re:
> launching other processes, accessing FS, etc. I will need to look
> into the possibility of an SELinux policy that simply says "programs
> not in this list do not run, period" or "only these programs run", and
> look at the ways that SELinux actually identifies those programs, and
> how a user would bypass the control by changing the way that the
> prohibited app is being identified... i.e. are they running their own
> binary from their own home directory, compiled with flags to use non
> standard file locations.
>
> Ben
> _______________________________________________
> Novalug mailing list
> Novalug@calypso.tux.org
> http://calypso.tux.org/cgi-bin/mailman/listinfo/novalug
David A. Cafaro <dac@cafaro.net>
Cafaro's Ramblings: www.cafaro.net
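
The deny-by-default lookup discussed in this thread, as a small added model that is not code from either poster or from SELinux itself. It covers only the type-enforcement `allow` check; the type names, paths and policy text are constructed assumptions, and a real kernel decision uses the full security context.

```python
import re

# Constructed sample policy in SELinux "allow" rule syntax; the type names
# are illustrative assumptions, not rules taken from a shipped policy.
POLICY = """
allow user_t bin_t:file { read getattr execute };
allow user_t user_home_t:file { read write getattr };
allow user_t user_home_t:dir { read search };
"""

# The workaround mentioned in the message: one label, one broad grant.
ONE_LABEL_POLICY = "allow all_t all_t:file { read write getattr execute };"

RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{([^}]*)\}\s*;")

def parse_policy(text):
    """Return {(source_type, target_type, object_class): set_of_perms}."""
    rules = {}
    for src, tgt, cls, perms in RULE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules

def allowed(rules, src, tgt, cls, perm):
    """Deny by default: access exists only if an allow rule names it."""
    return perm in rules.get((src, tgt, cls), set())

def can_execute(rules, domain, labels, path):
    """Decide from the file's label; the path and file name play no part."""
    label = labels.get(path, "unlabeled_t")  # no label recorded for this path
    return allowed(rules, domain, label, "file", "execute")

# Constructed labels: a system binary and a user-built program in a home dir.
LABELS = {
    "/usr/bin/gcc": "bin_t",
    "/home/ben/bin/myapp": "user_home_t",
}

if __name__ == "__main__":
    rules = parse_policy(POLICY)
    for path in LABELS:
        verdict = "allow" if can_execute(rules, "user_t", LABELS, path) else "deny"
        print(f"user_t execute {path} ({LABELS[path]}): {verdict}")
    one = parse_policy(ONE_LABEL_POLICY)
    print("single-label policy:", can_execute(one, "all_t", {"/x": "all_t"}, "/x"))
```
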