rw-r-r- clints clints system_u:object_r:user_home_dir_t:s0 (2).bash_logout You might note that if you run 'ls -Z' on your home directory you'd see something like this The policy can look at any one fo these component parts of the context and evaluate whether the process can access the file based upon user, a specific role, type, sensitivity or some category definition In general, we can think of each of the components as another layer where the policy can enforce rules If, however, that process is not allowed by policy it is deniedĪlso, if there is no policy rule for that particular process/file, the action is deniedĮach process has a context and each file has a context So the policy says, here's the rule for that process accessing that file, if it's allowed, then the normal permissions apply This also goes for ports, links, and many other elements in a Linux system regarding unconfined processes (server stuff) running on the system This security context is part of a policyĪnd the policy defines the rules as to which processes can access which files Provides this functionality where instead of standard permissions, we have what's typically called a security context LinuxCode: it's fine, questions are good. Shouldnt questions/comments be directed at the end ?Īnd it's possible that the process could perform an exploit on an unsecured application I think the main point is that without selinux any process you run has all of your access rights.
#Savage xr wiki mac
This is where MAC - Mandatory Access Control comes in. What about processes accessing thing that while they have permissions to access, shouldn't be accessingįor instance, should the named (DNS daemon) be accessing files within apache?ĭomg472_: right, something we don't want to happen * nirik notes that this is page 3 on the pdf. It's pretty much the same it was back then and will continue to do a good job of protecting our boxen The thing about DAC is that it's really what we've been using for 20+ years
JamesB192_thekky: ACLs stands for Access Control Lists and is a supplementary feature of many filesystems The simple rwx permissions, SUID SGID, etc VileGent: k, that was the first change, and thank you This is traditional Linux/Unix type file perms SELinux can protect local filesystems even better, providing tools to make it easy to use the applications without fear of attacks on the system Processes check the permissions of a file and make sure they have rights to access the file. In Unix we've always had the rwx permissions, which has been pretty good to us Thing is, it's really intended for network security Iptables has been around for some time and does a great job on the network One of the things that is interesting about security in Linux is the many ways to protect your boxen Linuxguru: right, Security Enhanced Linux One fo the major functionalities that came out of this was SELinux Well, a few years back, the NSA designed a set of rules that would help in keeping their confidential information safe.
#Savage xr wiki free
If you have questions, please feel free to jump in. I'll be pretty much following the flow there. !- nirik changed the topic of #fedora-classroom to: Fedora Classroom - SElinux Basics with your teacher: herlo - See Communicate/IRC/Classroom for more info
#Savage xr wiki pdf
So for those of you who might have missed it, I have slides upįrom that link you can get either pdf or odp I work for a small Linux training company in Utah called Guru Labs. Hi all, my name is Clint Savage, and I am North American Fedora Ambassador western USA region. Without further jabbering, I will hand things off to herlo. \nick note that I will be logging the classes for posting on the our first class up today is SElinux Basics. they will say when they start their session. if you have general fedora questions, #fedora is open for business as you want some more social chatting, #fedora-social is open for teachers may want you to hold questions, and some will want you to just chime in. IRC Log of the Class -!- nirik changed the topic of #fedora-classroom to: Fedora Classroom - Introduction - See Communicate/IRC/Classroom for more few general guidelines: Please try to keep on topic. Fedora Classroom - SELinux Basics - Clint Savage - Saturday, November 7, 2008
0 kommentar(er)
