Questions tagged [selinux]
SELinux (Security-Enhanced Linux) is an implementation of a flexible mandatory, role-based access control architecture on Linux. It is primarily used to confine system processes.
81 questions
2
votes
0
answers
74
views
Can SELinux restrict who can call a specific TEE UUID
I'm investigating how to control access to an API a TEE application presents.
I believe I can use SELinux to control which kernel modules can access the client TEE library, but I need finer-grain ...
- 141
0
votes
0
answers
63
views
Is it possible to include a fully-working SELinux policy with B2B software?
Preamble
I'm an engineer at a small company that sells B2B software for various OSes, including RHEL. The software usually runs natively (as a statically compiled binary) and uses/accesses system ...
- 1
0
votes
2
answers
115
views
gpg security on a shared Linux machine
AFAIK, the few ways private information from gpg can get leaked to other users on a shared Linux machine is:
someone with root access can access gpg's files
someone with root access can access gpg's ...
- 49
2
votes
1
answer
380
views
Can I use SELinux to add an extra layer of protection against 0-day VM escape exploits in KVM/QEMU?
My host is Fedora, and I want to add an extra layer of protection against 0day KVM/QEMU exploits that execute code on the host. For example there have been CVEs where if we run a specially crafted ...
- 410
0
votes
1
answer
1k
views
Is AppArmor used in production environments? [closed]
I was recently having a conversation with a friend about his server system (he does a lot of self-hosting) and he mentioned he was in the middle of configuring SELinux. I was curious about the ...
- 103
1
vote
0
answers
196
views
How can I enforce a security sandbox with any process?
Deno (the node.js fork) is designed to be secure by default. Therefore, unless you specifically enable it, a program run with Deno has no file, network, or environment access. Deno has a set of ...
- 111
1
vote
1
answer
2k
views
CIS hardened linux vs SELinux(Security Enhanced)
What are the differences between the CIS hardened linux and SELinux(security linux)? Also, all the public cloud service providers support CIS hardened linux. Does it mean SELinux has lost the battle? ...
1
vote
1
answer
1k
views
Secure way to run a linux binary which needs access to ressources only available to root?
As a developer, I ask how to approach security concerns regarding permissions of a binary which needs access to resources only available to root users.
For example, let's think of a simple tool which ...
- 111
2
votes
0
answers
737
views
How to harden portable Tor Browser installation (SELinux, sandbox)?
tldr
How can I define a SELinux policy, that limits filesystem access of portable Tor Browser to its installation directory, say /home/user/.local/opt/tor-browser_en-US?
How might Tor Browser be ...
- 21
1
vote
1
answer
1k
views
Why is php-fpm trying to connect somewhere on port 443?
I have nginx and php-fm set up to front a word press site. I used certbot to setup TLS.
When I load any page, I see selinux violations and it looks like php-fpm is trying to reach out to some port ...
- 320
2
votes
1
answer
756
views
Linux security modules (LSM) and reference monitor implementation
as far as my understanding goes, an OS needs to implement some sort of reference monitor, as the entity which grants or denies permissions as an access control decision.
Furthermore, I think the Linux ...
- 171
2
votes
2
answers
2k
views
Linux whitelist-based Mandatory Access Control instead of a blacklist-based model
I'm trying to harden a Linux installation on a personal computer - I decided to try both SELinux and AppArmor as a Mandatory Access Control (MAC) to supplement the default Discretionary Access Control ...
- 131
2
votes
1
answer
196
views
Is there a good reason (and what can it be) to require DAC restriction on IPC in addition to SELinux rules?
Our company is developing an AOSP-based platform for our customer. Some of our vendor services are using HWBinder for IPC which is using SELinux to restrict service discovery and access. The problem ...
- 121
0
votes
1
answer
351
views
Restrict privileged users from accessing certain directories on Linux servers with Grsecurity?
My question is similar to these:
Protect sensitive data from sysadmin prying eyes
Restrict access to a specific directory on Linux
From those, I understand that SELinux could accomplish my goal. But ...
- 340
4
votes
0
answers
3k
views
Ways to transition SELinux domain / process context (securing SELinux boundaries)
(Apologies for multi-question. Theme is the same, but there are quite a few edge cases.)
Browsing the web, I come across resources (see below), but they don't make this quite clear what the situation ...
- 1,080