© Pavel Ignatov, 123RF.com
Practical SELinux
Protective Shield
In my company, we have somehow adopted a policy of trying new developments out first on family members before they are released to the general public. I mainly choose my wife and my son as guinea pigs; however, my wife owns a Mac, so new policies are primarily tested on my son's computer.
When my son is sitting in front of his Fedora system, he usually only has three applications running, the web browser, his favorite game, and an IRC client, which he uses to chat with friends about the game – or so he claims.
I recently set up the SELinux targeted policy for testing on my son's Fedora system and mapped his account to the SELinux user user_u. This gives him access to all network resources, but it rules out running setuid and setgid programs. When I log in to the system, my account is mapped to staff_u, so I also get access to sudo and can thus manage the computer.
This setup has been running for a while now on my son's computer, and there have been no major problems. If a program does not run as it should, it typically helps to start the setroubleshoot daemon to isolate and resolve the problem.
The daemon leaves a message in the logfile /var/log/messages with exact instructions on how the problem can be solved. On desktop systems, an applet also reports when SELinux has blocked an access.
Malware Protection
We also have a family laptop in the living room; my wife and son mainly log in to this machine and run the web browser and an IRC client. Of course, it makes sense to safeguard the accounts on this family computer, too, so I changed the two user accounts from user_u to xguest_u. This SELinux user still allows access to the network, but only via the Firefox web browser; all other network access is prevented.
This approach prevents
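The mappings described above (user_u for my son, staff_u for the admin account, xguest_u on the family laptop) only protect anyone if every login is actually mapped; an account that is not listed by `semanage login -l` silently inherits `__default__`, which is unconfined_u on Fedora. The following audit script is an added example, not code from the article: it parses `semanage login -l` output (a constructed sample is embedded; the login names pavel, son, wife and guest are hypothetical) and reports accounts that are unmapped or mapped to the wrong SELinux user, together with the `semanage login` command that fixes each one.

```python
"""Audit Linux-login -> SELinux-user mappings against an intended policy."""
import subprocess

# Constructed sample of `semanage login -l` output (not captured from a real host).
# The admin account is staff_u, the son's account is user_u, one living-room
# account was never changed to xguest_u, and "guest" was never mapped at all.
SAMPLE_SEMANAGE_OUTPUT = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
pavel                staff_u              s0-s0:c0.c1023       *
son                  user_u               s0                   *
wife                 user_u               s0                   *
"""

# Intended mapping for the accounts in the article (hypothetical login names).
EXPECTED = {"pavel": "staff_u", "son": "user_u", "wife": "xguest_u", "guest": "xguest_u"}


def parse_semanage_logins(text):
    """Return {login: selinux_user} parsed from `semanage login -l` output."""
    mappings = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or line.startswith("Login Name"):  # header / blank rows
            continue
        mappings[fields[0]] = fields[1]
    return mappings


def audit_mappings(mappings, expected):
    """Compare actual with intended mappings; return a list of (login, problem, fix)."""
    findings = []
    default = mappings.get("__default__", "unconfined_u")
    for login, wanted in sorted(expected.items()):
        actual = mappings.get(login)
        if actual is None:
            # Unlisted logins inherit __default__, i.e. they run unconfined on Fedora.
            findings.append((login, f"not mapped, inherits __default__={default}",
                             f"semanage login -a -s {wanted} {login}"))
        elif actual != wanted:
            findings.append((login, f"mapped to {actual}, expected {wanted}",
                             f"semanage login -m -s {wanted} {login}"))
    return findings


def audit_live_system(expected=EXPECTED):
    """Run the audit on the real host (needs root and the policycoreutils tools)."""
    out = subprocess.run(["semanage", "login", "-l"], capture_output=True,
                         text=True, check=True).stdout
    return audit_mappings(parse_semanage_logins(out), expected)


if __name__ == "__main__":
    for login, problem, fix in audit_mappings(parse_semanage_logins(SAMPLE_SEMANAGE_OUTPUT), EXPECTED):
        print(f"{login}: {problem}  ->  {fix}")
```

Run as root on the machine itself, `audit_live_system()` performs the same check against the real `semanage` output.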