Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Security-Enhanced Linux
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
==Overview== The NSA Security-enhanced Linux Team describes NSA SELinux as<ref>{{cite web |archive-url=https://web.archive.org/web/20201022103915/https://www.nsa.gov/what-we-do/research/selinux/|archive-date=2020-10-22|url=https://www.nsa.gov/what-we-do/research/selinux/ |title=Security-Enhanced Linux - NSA/CSS |publisher=National Security Agency |date=2009-01-15 |access-date=2021-04-21}}</ref> <blockquote>a set of [[patch (computing)|patches]] to the [[Linux kernel]] and utilities to provide a strong, flexible, mandatory access control (MAC) architecture into the major subsystems of the kernel. It provides an enhanced mechanism to enforce the separation of information based on confidentiality and integrity requirements, which allows threats of tampering, and bypassing of application security mechanisms, to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications. It includes a set of sample security policy configuration files designed to meet common, general-purpose security goals.</blockquote> A Linux kernel integrating SELinux enforces mandatory access control policies that confine user programs and system services, as well as access to files and network resources. Limiting privilege to the minimum required to work reduces or eliminates the ability of these programs and [[daemon (computing)|daemons]] to cause harm if faulty or compromised (for example via [[buffer overflow]]s or misconfigurations). This confinement mechanism operates independently of the traditional Linux ([[discretionary access control|discretionary]]) access control mechanisms. It has no concept of a "root" [[superuser]], and does not share the well-known shortcomings of the traditional Linux security mechanisms, such as a dependence on [[setuid]]/[[setgid]] binaries. The security of an "unmodified" Linux system (a system without SELinux) depends on the correctness of the kernel, of all the privileged applications, and of each of their configurations. A fault in any one of these areas may allow the compromise of the entire system. In contrast, the security of a "modified" system (based on an SELinux kernel) depends primarily on the correctness of the kernel and its security-policy configuration. While problems with the correctness or configuration of applications may allow the limited compromise of individual user programs and system daemons, they do not necessarily pose a threat to the security of other user programs and system daemons or to the security of the system as a whole. From a purist perspective, SELinux provides a hybrid of concepts and capabilities drawn from mandatory access controls, [[mandatory integrity control]]s, [[role-based access control]] (RBAC), and [[type enforcement architecture]]. Third-party tools enable one to build a variety of security policies.
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)