I-Space Research Labs

SELinux

The coolness of SELinux

by on Aug.17, 2009, under SELinux, Tech Stuff

After spending a week in Washington learning the darkest secrets of SELinux, I can see why a lot of people “just turn it off”. This is terrible. SELinux can save your @$$ in the event that you get hit with a 0-day. Most admins don’t understand SELinux, other than that “it breaks stuff”, and just disable it. It’s understandable, since most people don’t work for the DoD or other agencies where Mandatory Access Controls are used. SELinux is not Discretionary Access Control Lists (DACLs) like in Windows, or UGO-style controls in Unix… or even POSIX ACLs. SELinux labels are much more powerful. Properly configured and running, SELinux can prevent root from doing everyday root things like cat’ing /etc/shadow. So imagine what SELinux can do if someone pops your webserver. Without SELinux, they would have the access privileges of the Apache user. But with SELinux, they can only access files and ports that the underlying httpd process is allowed to access.

So let’s try to pull the veil of mystery back on SELinux….
