Skip to content

Entries tagged "selinux".

RSA recommends to turn off Selinux

From Dan Walsh's blog I got the LOLWTFFAIL of the day: famous security company RSA recommends to have Selinux turned off in order to use their product.
Really? Really??! Yup, really.
Let's not forget RSA and fuck-ups can go well together. Take this for example:

Oh, and they still use "netstat" to generate entropy for their crap products... years after we've had /dev/urandom ... By now even the chickens are laughing.


10 years of SELinux

Apparently the EL and Fedora world has been using SELinux for 10 years now. It also made it in Debian.
Here's a very nice article about it:
 We are celebrating the SELinux 10th year anversary this year. Hard to believe it.
 SELinux was first introduced in Fedora Core 3 and later in Red Hat Enterprise Linux 4. 
 For those who have never used SELinux, or would like an explanation...

 SElinux is a labeling system. Every process has a label. 
Every file/directory object in the operating system has a label.
Even network ports, devices, and potentially hostnames have labels assigned to them. 
 We write rules to control the access of a process label to an a object label like a file. We call this policy. The kernel enforces the rules.
Sometimes this enforcement is called Mandatory Access Control (MAC). 

 The owner of an object does not have discretion over the security attributes of a object.
Standard Linux access control, owner/group + permission flags like rwx, is often called Discretionary Access Control (DAC).
SELinux has no concept of UID or ownership of files. Everything is controlled by the labels. Meaning an SELinux system can be setup without an all powerful root process.
Read more ...