SELinux in Fedora Core 4?
Matthew Carpenter
matt
Thu Feb 2 22:11:49 PST 2006
On Monday 16 January 2006 13:48, A. Khattri wrote:
> On Sat, 14 Jan 2006, Man-wai CHANG wrote:
> > So SElinux is just a different kind of Webmin
> > in my opinion.
>
> What you're saying makes no sense (which is why a lot of us said "Huh?"
> and "what are you talking about").
>
> 1. Webmin is a web-based interface for systems admin.
>
> 2. SELinux is a security system that works with the kernel to
> provide security policies, access control and various other
> security features.

If I may add on to the SELinux discussion for a second...

SELinux allows for the setting of security policies for the workings of a
Linux box. More specifically, various resources of the OS are considered
"objects", and those "objects" have policies applied to them to allow or
restrict *behavior*....

For example, most security discussions about typical OSes are about what Users
are allowed to do and what ports are open to the network.... SELinux allows
one to define whether a process is able to open a port, and even specifically
*which* port a process is allowed to open, what processes are allowed to
communicate with other processes, etc....

Instead of the arcane model we all know and love, SELinux takes another step
into the future of security to allow more depth of control (and the policies
allow each box to be configured as it makes sense). In a way, this is a bit
like Cisco's CSA and McAfee's Intruvert, which have some behavioral HIDS
(host-based intrusion detection) and blocking. SELinux is definitely worth
looking into. I would imagine that there will be a few well-vetted policies
available on the Internet for specific-use machines (Web server, Proxy
server, File&Print, Workstation, etc...) within a year or two. The
capabilities are quite sweet.

As for your observed behaviors, it is likely the kernel is compiled with
SELinux for boot protection, but when the configured SELinux policy is
applied sometime during the bootup, the restrictions are lifted.

Matt
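
The per-process port control described in the message above, as an added example that is not part of the original post: a simplified Python model of the type-enforcement decision (labelled port, `allow` rule, default deny). The policy text is constructed, the type names (`webd_t`, `proxyd_t`, `web_port_t`, `proxy_port_t`) are hypothetical, and falling back to `port_t` for unlabelled ports is a simplifying assumption; MLS levels, attributes and booleans are ignored.

```python
import re

# Constructed sample policy in SELinux policy-language syntax.
# All type names here are hypothetical, not taken from a shipped policy.
POLICY = """
portcon tcp 80 system_u:object_r:web_port_t
portcon tcp 3128 system_u:object_r:proxy_port_t
allow webd_t web_port_t:tcp_socket name_bind;
allow proxyd_t proxy_port_t:tcp_socket { name_bind name_connect };
allow proxyd_t web_port_t:tcp_socket name_connect;
"""

ALLOW_RE = re.compile(
    r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")
PORTCON_RE = re.compile(r"portcon\s+(\w+)\s+(\d+)\s+\w+:\w+:(\w+)")


def load_policy(text):
    """Parse portcon and allow statements.

    Returns (port labels, set of allowed access vectors)."""
    ports, allowed = {}, set()
    for line in text.splitlines():
        line = line.strip()
        if m := PORTCON_RE.fullmatch(line):
            # (protocol, port number) -> type label of that port
            ports[(m.group(1), int(m.group(2)))] = m.group(3)
        elif m := ALLOW_RE.fullmatch(line):
            source, target, cls, many, single = m.groups()
            for perm in (many or single).split():
                allowed.add((source, target, cls, perm))
    return ports, allowed


def may_use_port(policy, domain, perm, port, proto="tcp"):
    """True only if an allow rule grants `perm` (name_bind to listen,
    name_connect to connect out) from the process domain to the port's
    type. Anything without a matching rule is denied."""
    ports, allowed = policy
    # Assumption: ports without a portcon entry get the generic port_t.
    target = ports.get((proto, port), "port_t")
    return (domain, target, f"{proto}_socket", perm) in allowed


if __name__ == "__main__":
    db = load_policy(POLICY)
    for dom, perm, port in [("webd_t", "name_bind", 80),
                            ("webd_t", "name_bind", 8080),
                            ("proxyd_t", "name_connect", 80)]:
        print(dom, perm, port, may_use_port(db, dom, perm, port))
```
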