Enforcement of restrictions is based on the policy and labels (MAC) rather than users (DAC). So even programs/processes run by the same user can have different rights (access to files, ports, etc.). This allows for more fine-grained access control, and this is a key differentiator as it allows a central policy to determine access. Other than that, your understanding seems correct.
Posted Oct 9, 2009 9:49 UTC (Fri) by michaeljt (subscriber, #39183)
I take it that restrictions is a more accurate term here than the "rights" I used above? That is, we are talking about "allowed by default"? And does user ID play no role whatsoever? I thought that "role" was important, and that there was a mapping of which UIDs could assume which roles. I was thinking of the "policy and labels" applied to executables when I talked about "binaries with the [SELinux] equivalent of capabilities"; did I miss something important?
Thanks again :)
SELinux
Posted Oct 10, 2009 0:22 UTC (Sat) by janfrode (subscriber, #244)
No, it's "default deny", so the SELinux policy adds permissions to do something.
User ID doesn't matter, except that you'll first need to pass the normal owner/group/permissions before SELinux is involved (DAC before MAC).
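
The decision order discussed in this thread, as an added illustration that is not part of any comment and is not SELinux's own code: a toy Python model of "DAC first, then default-deny type enforcement". The rule set, UIDs, file modes and the `example_t` domain are constructed; roles, capabilities and MLS are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:
    uid: int
    gid: int
    domain: str      # SELinux type the process runs in

@dataclass(frozen=True)
class File:
    uid: int
    gid: int
    mode: int        # classic owner/group/other permission bits
    type: str        # SELinux type from the file's label

# Constructed, simplified allow rules: (source domain, target type) -> permissions.
# Anything not listed is denied: the policy only ever adds permissions.
ALLOW = {
    ("httpd_t", "httpd_sys_content_t"): {"read"},
    ("passwd_t", "shadow_t"): {"read", "write"},
}

def dac_allows(p: Process, f: File, perm: str) -> bool:
    """Owner/group/other check; capability overrides are not modelled."""
    bit = {"read": 4, "write": 2}[perm]
    shift = 6 if p.uid == f.uid else 3 if p.gid == f.gid else 0
    return bool((f.mode >> shift) & bit)

def mac_allows(p: Process, f: File, perm: str) -> bool:
    """Type enforcement: the UID plays no part, only the two labels."""
    return perm in ALLOW.get((p.domain, f.type), set())

def decide(p: Process, f: File, perm: str) -> str:
    if not dac_allows(p, f, perm):       # DAC is consulted first
        return "denied by DAC"
    if not mac_allows(p, f, perm):       # MAC can only restrict further
        return "denied by MAC"
    return "allowed"

# Constructed sample: three processes with the same UID, in different domains.
web_server = Process(uid=48, gid=48, domain="httpd_t")
other_tool = Process(uid=48, gid=48, domain="example_t")   # hypothetical domain
pw_helper = Process(uid=48, gid=48, domain="passwd_t")
page = File(uid=48, gid=48, mode=0o640, type="httpd_sys_content_t")
shadow = File(uid=0, gid=0, mode=0o600, type="shadow_t")

if __name__ == "__main__":
    for proc, obj, perm in [(web_server, page, "read"), (other_tool, page, "read"),
                            (web_server, page, "write"), (pw_helper, shadow, "read")]:
        print(proc.domain, obj.type, perm, "->", decide(proc, obj, perm))
```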