NYLXS Mailing Lists and Archives
NYLXS Members have a lot to say and share but we don't keep many secrets. Join the Hangout Mailing List and say your piece.
MESSAGE
DATE 2015-05-04
FROM Ruben Safir
SUBJECT Subject: [LIU Comp Sci] ACL and beyound security in linux
From owner-learn-outgoing-at-mrbrklyn.com Mon May 4 23:36:55 2015
Return-Path:
X-Original-To: archive-at-mrbrklyn.com
Delivered-To: archive-at-mrbrklyn.com
Received: by mrbrklyn.com (Postfix)
id 912A81612F0; Mon, 4 May 2015 23:36:55 -0400 (EDT)
Delivered-To: learn-outgoing-at-mrbrklyn.com
Received: by mrbrklyn.com (Postfix, from userid 28)
id 7C3421612F2; Mon, 4 May 2015 23:36:55 -0400 (EDT)
Delivered-To: learn-at-nylxs.com
Received: from mailbackend.panix.com (mailbackend.panix.com [166.84.1.89])
by mrbrklyn.com (Postfix) with ESMTP id D655C1612F0
for ; Mon, 4 May 2015 23:36:31 -0400 (EDT)
Received: from panix2.panix.com (panix2.panix.com [166.84.1.2])
by mailbackend.panix.com (Postfix) with ESMTP id 3ED1612C2F;
Mon, 4 May 2015 23:36:31 -0400 (EDT)
Received: by panix2.panix.com (Postfix, from userid 20529)
id 224C133C37; Mon, 4 May 2015 23:36:31 -0400 (EDT)
Date: Mon, 4 May 2015 23:36:31 -0400
From: Ruben Safir
To: Mohammed Ghriga
Cc: learn-at-nylxs.com
Subject: [LIU Comp Sci] ACL and beyound security in linux
Message-ID: <20150505033630.GA15006-at-panix.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: owner-learn-at-mrbrklyn.com
Precedence: bulk
Reply-To: learn-at-mrbrklyn.com

Real security comes from far more than just control of specific
resources. I'm just saying that.

Now, with regards to tonight's class on File Systems, there is a more
advanced set of tools

http://selinuxproject.org/page/Main_Page


SELinux Project Wiki

This is the official Security Enhanced Linux (SELinux) project page.
Here you will find resources for users, administrators, vendors and
developers.

What is SELinux

SELinux is a security enhancement to Linux which allows users and
administrators more control over access control.

Access can be constrained on such variables as which users and
applications can access which resources. These resources may take the
form of files. Standard Linux access controls, such as file modes
(-rwxr-xr-x) are modifiable by the user and the applications which the
user runs. Conversely, SELinux access controls are determined by a
policy loaded on the system which may not be changed by careless users
or misbehaving applications.

SELinux also adds finer granularity to access controls. Instead of only
being able to specify who can read, write or execute a file, for
example, SELinux lets you specify who can unlink, append only, move a
file and so on. SELinux allows you to specify access to many resources
other than files as well, such as network resources and interprocess
communication (IPC).

For more information about SELinux see the FAQ and other resources
listed here.

FAQ
Contents

1 What is SELinux really?
2 How does SELinux work?
3 Do I have to write policies to use SELinux?
4 Where do I get these policies?
5 Who writes these policies?
6 Is SELinux a firewall?
7 Is it useful for a desktop?
8 Is SELinux enabled on my system?
9 Why should I use SELinux?
10 How do I disable SELinux?

What is SELinux really?

SELinux is an implementation of mandatory access controls (MAC) on
Linux. Mandatory access controls allow an administrator of a system to
define how applications and users can access different resources such as
files, devices, networks and inter-process communication.

With SELinux an administrator can differentiate a user from the
applications a user runs. For example, the user shell or GUI may have
access to do anything he wants with his home directory but if he runs a
mail client the client may not be able to access different parts of the
home directory, such as his ssh keys.

The way that an administrator sets these permissions is with the
centralized SELinux policy. The policy tells the system how different
components on the system can interact and use resources. The policy
typically comes from your distribution but it can be updated on the end
system to reflect different configurations or application behavior.
How does SELinux work?

Though it uses multiple security models to do its job, the type
enforcement model is most important to SELinux. A type is a way of
classifying an application or resource. Type enforcement is the
enforcement of access control on that type. All files, processes,
network resources, etc. on an SELinux system have a label, and one of the
components of that label is the "type". For example, the files in your
home directory are probably labeled user_home_t. user_home_t is the type
and in this case it means that the policy should treat all those files
as your home directory files.

Running applications also have labels. For example, your web browser may
be running as firefox_t. Type enforcement simply allows you to specify
what application label can access what resource label. In the most
simple terms SELinux lets you allow an application to do something with
a resource:

allow firefox_t user_home_t : file { read write };

This simply allows your web browser, running as firefox_t to read and
write files in your home directory, labeled as user_home_t.
Do I have to write policies to use SELinux?

In general, no. Distributions such as Fedora and Red Hat Enterprise
Linux come with many policies which allow applications to do everything
necessary in their default configurations. If you are a power user who
customizes how applications and services work on your system then you
may need to update the policy to reflect that. More times than not a
simple file relabel can enable your custom configuration to work with
SELinux.
Where do I get these policies?

When SELinux comes with a distribution it will have policies included to
lock down various applications. The number of applications locked down
and how strict the policies are depends on how your distribution has
configured the policy. All policies included in distributions today,
however, are based off of the Reference Policy and therefore a user can
add additional policies from the Reference Policy or can reconfigure the
strictness of the policies. The reference policy is available at its
project page.
Who writes these policies?

The policies in the Reference Policy are written by distributions based
on user feedback of application behaviors and security professionals.
Tresys Technology actively maintains the Reference Policy upstream by
reviewing and integrating the changes sent to the project mail list.
Is SELinux a firewall?

Though often confused with one, SELinux is not a firewall. A firewall
controls the flow of traffic to and from a computer to the network.
SELinux can confine access of programs within a computer and hence can
be conceptually thought of as an internal firewall between programs.
Security works best when multiple layers are used and SELinux is
complementary to a firewall and other security features.
Is it useful for a desktop?

Absolutely. Though most distributions targeted services such as Apache
when they initially integrated SELinux, there are many desktop services
confined, and confining desktop applications is a great way to keep
malicious content online from compromising your important data.
Is SELinux enabled on my system?

To find out if SELinux is enabled on your system you can run sestatus.
If the SELinux status says enforcing you are being protected by SELinux.
If it says permissive SELinux is enabled but is not protecting you, and
disabled means it is completely disabled.
Why should I use SELinux?

In short because SELinux can help protect you from bugs in applications.
Most people treat applications as user surrogates (e.g., "I go to
google.com" not "I tell my browser to go to google.com and it does so on
my behalf"). However applications, especially the desktop applications
we all use, come in at millions of lines of code. Without knowing what
those millions of lines of code do there is no way to know if an
application will really do what you tell it or if it becomes malicious
because of vulnerabilities. With SELinux you can treat the applications
you run differently from yourself thereby limiting what an exploited
application can do.
How do I disable SELinux?

Though we feel that most users should leave SELinux enabled, especially
because it can help mitigate zero-day attacks, we understand that there
are some circumstances where it may need to be disabled.

If you feel like SELinux is stopping an application from working it is
best to put it in permissive mode and test the application. If the
application runs correctly in permissive mode but not enforcing you may
need to add some rules to the policy, or relabel some files. Check the
users and administrators section for details on doing this.

To put an SELinux system into permissive mode temporarily you can run
setenforce as root:

# setenforce 0

If you are having issues booting up and would like to boot your system
with SELinux in permissive mode you can edit the /etc/selinux/config
file and change the SELINUX variable to permissive (this will not set
the current running mode of SELinux).

To disable SELinux altogether you can change the SELINUX variable in
/etc/selinux/config to DISABLED and reboot.
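As an added illustration of the type-enforcement model described in the quoted FAQ (example code written for this archive page, not from the message or the SELinux wiki): a small Python checker that parses allow statements in the syntax shown and answers access queries with SELinux's default-deny semantics. The rule set is constructed; apart from firefox_t and user_home_t, the type names are illustrative and not a real distribution policy.

```python
"""Toy type-enforcement checker for SELinux-style 'allow' rules.
Added example for this archive page, not code from the message or the
SELinux wiki. The rule set is constructed; apart from firefox_t and
user_home_t the type names are illustrative, not a real distribution policy.
"""
import re
from collections import defaultdict

# Grammar of the statement shown on the page:
#   allow <source_type> <target_type> : <class> { perm perm ... };
# A single permission may also be written without braces.
RULE_RE = re.compile(
    r"^allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{\s*([\w\s]+?)\s*\}|(\w+))\s*;$"
)


def parse_policy(text):
    """Return {(src, tgt, cls): set(perms)}; '#' starts a comment, blank lines skipped."""
    rules = defaultdict(set)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse rule {line!r}")
        src, tgt, cls, perm_set, perm_one = m.groups()
        rules[(src, tgt, cls)].update(perm_set.split() if perm_set else [perm_one])
    return dict(rules)


def is_allowed(rules, src, tgt, cls, perm):
    """Type enforcement is default-deny: access exists only if a rule grants it."""
    return perm in rules.get((src, tgt, cls), set())


# Constructed policy modelled on the wiki's example and its ssh-keys scenario.
POLICY = """
allow firefox_t user_home_t : file { read write };
allow user_t    user_home_t : file { read write create unlink };
allow user_t    ssh_home_t  : file { read write };   # the user's own shell
allow mail_t    user_home_t : file read;             # mail client: read only, no ssh_home_t
"""

if __name__ == "__main__":
    rules = parse_policy(POLICY)
    for q in [("firefox_t", "user_home_t", "file", "read"),
              ("firefox_t", "user_home_t", "file", "unlink"),
              ("mail_t", "ssh_home_t", "file", "read"),
              ("user_t", "ssh_home_t", "file", "read")]:
        print(f"{q[0]:>10} -> {q[1]:<12} {q[2]}:{q[3]:<7}", "ALLOW" if is_allowed(rules, *q) else "DENY")
```

The mail_t queries show the FAQ's point: the user's own shell reaches ssh_home_t, the mail client does not, and nothing is granted that no rule names.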

This page was last modified 13:56, 16 October 2009. This page has
been accessed 67,362 times.

