Linked by Thom Holwerda on Tue 19th Feb 2008 13:28 UTC, submitted by LinucksGirl
Linux Role-based access control is a general security model that simplifies administration by assigning roles to users and then assigning permissions to those roles. Learn how RBAC in SELinux acts as a layer of abstraction between the user and the underlying TE model, and how the three pieces of an SELinux context (policy, kernel, and userspace) work together to enforce the RBAC and tie Linux users into the TE policy.
Thread beginning with comment 301465
raising hands or not
by sgibofh on Tue 19th Feb 2008 18:44 UTC
sgibofh Member since:
2007-03-31

whether you raise your hand or not:

selinux is not easy compared to apparmor; and even if you are root/administrator, you probably don't damage your system the way it does under windows.

I know selinux and apparmor are different altogether but you can pretty much confine your system _without_ having a policy getting in your way with apparmor.

RE: raising hands or not
by superman on Tue 19th Feb 2008 19:58 in reply to "raising hands or not"
superman Member since:
2006-08-01

> selinux is not easy compared to apparmor

But apparmor sucks.

> selinux is not easy

Pam, /etc/security, ConsoleKit, httpd.conf etc. are not easy.
Security is not easy and will never be.
Very few people know how to secure a distribution.
You can't hope for everything to be good if you require the user to be in charge of the security aspect.
That's right, SeLinux sucks a little. Too many people disable SeLinux. Very often because they don't know how SeLinux works and they don't want to. But many many keep SeLinux in enforcing mode. SeLinux is my expert in security. I am not a security expert. Fedora provides SeLinux configured. You don't have to configure it. If you have to, perhaps you are doing something wrong.
http://www.redhatmagazine.com/2007/08/21/a-step-by-step-guide-to-bu...

You can disable SeLinux, you can also use the root account to avoid "problems".

Score: 4

RE: raising hands or not
by Rahul on Wed 20th Feb 2008 07:38 in reply to "raising hands or not"
Rahul Member since:
2005-07-06

Well, there must be a reason why the entire AppArmor team has been laid off from Novell.

http://www.news.com/8301-13580_3-9796140-39.html

How are they going to support a technology with known limitations (path based) and not upstream with the Linux kernel (unlike SELinux starting with the first 2.6 release) and no staff to develop and support it?

SELinux is much more comprehensive and getting easier to use every release in Fedora while providing tighter policies.

Score: 4