1 21c-AppArmorSELinux



1.1 Screencasts

Included as part of lecture: 21d-PracticalPersonal.html

1.2 Un-trusted applications?

Skype uploaded shadow files; Microsoft got its hand caught in the cookie jar by AppArmor, and recently did it again:
https://www.osnews.com/story/137828/new-outlook-sends-passwords-mails-and-other-data-to-microsoft/
https://mailbox.org/en/post/warning-new-outlook-sends-passwords-mails-and-other-data-to-microsoft

1.3 Linux Security Modules (LSM)

https://en.wikipedia.org/wiki/Linux_Security_Modules
* Linux Security Modules (LSM) is a framework that allows the Linux kernel to support a variety of computer security models while avoiding favoritism toward any single security implementation.
* The framework is licensed under the terms of the GNU General Public License and has been a standard part of the Linux kernel since Linux 2.6.
* AppArmor, SELinux, Smack, TOMOYO Linux, and Yama are the currently accepted modules in the official kernel.

1.3.1 AppArmor

https://en.wikipedia.org/wiki/AppArmor
* AppArmor supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC).
* Defined by central configuration files, without modifying files or processes
* Restricts only user-specified processes (identified by executable path) in their access to entities (files, network, etc.)

  1. https://help.ubuntu.com/community/AppArmor
  2. https://debian-handbook.info/browse/stable/sect.apparmor.html
  3. https://doc.opensuse.org/documentation/leap/security/html/book.security/part.apparmor.html
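
An added example, not from the original notes: a minimal AppArmor profile confining an untrusted chat client of the kind described in 1.2. The program path `/opt/example-chat/bin/chat`, its directory layout, and the config directory are hypothetical; the abstractions are the ones shipped with AppArmor.

```apparmor
# Constructed example. The binary path and directories are hypothetical.
#include <tunables/global>

# The profile attaches to the process by executable path.
/opt/example-chat/bin/chat {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # TCP sockets over IPv4/IPv6; no raw or packet sockets.
  network inet stream,
  network inet6 stream,

  # The program's own files: read, and map as executable code.
  /opt/example-chat/bin/chat mr,
  /opt/example-chat/lib/** mr,
  /opt/example-chat/share/** r,

  # Per-user state, only for files owned by the running user.
  owner @{HOME}/.config/example-chat/ rw,
  owner @{HOME}/.config/example-chat/** rwk,

  # Anything not listed above is already refused in enforce mode.
  # Explicit "deny" rules are not logged by default, so "audit deny"
  # is used here to keep a record of any attempt to touch these files.
  audit deny /etc/shadow r,
  audit deny /etc/gshadow r,
  audit deny @{HOME}/.ssh/** rw,
}
```

Saved under `/etc/apparmor.d/` and loaded with `apparmor_parser -r`, the profile can first be run in complain mode (`aa-complain`) to collect what the program actually touches, then switched to enforce mode (`aa-enforce`). `aa-status` lists which profiles are loaded and which processes are confined.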

1.3.2 SELinux

https://en.wikipedia.org/wiki/Security-Enhanced_Linux
* SELinux also supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC).
* Denies all requests by default.
* Defined by labels on files and processes as part of file-system, rather than merely a central configuration.
* Everything gets labeled (processes, users, files, ports, etc.), and permissions map these groups to each other.
* Typical policy is distributed by the operating system (e.g., Fedora, CentOS), but these are designed to be permissive, and tend to be server-focused.

  1. https://opensource.com/business/13/11/selinux-policy-guide
  2. https://doc.opensuse.org/documentation/leap/security/html/book.security/part.selinux.html
  3. https://wiki.centos.org/HowTos/SELinux
  4. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/selinux_users_and_administrators_guide/
  5. http://selinuxgame.org/
  6. https://serversforhackers.com/c/battling-selinux-cast

+++++++++++++++++++++ Cahoot-21d.1
