Applications generally run in a single static context that carries every privilege the application needs. Even services (daemons) usually remain in their own context for the entire life cycle of the service. With mod_selinux, however, the context of the web server handler (the process or thread responsible for handling a specific request) can be transitioned to another context based on the authenticated user. This allows the administrator to grant privileges to the application per user rather than to the application as a whole. When a lower-privileged user abuses a vulnerability in the web application, the reduced privileges of the handler serving that user's request can prevent a successful exploit.
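As an added illustration of the per-user transition described above (not configuration from the book), the following Apache httpd fragment gives every authenticated handler a least-privileged default domain and lets a map file raise it for named users. The domain names `webapp_anon_t` and `webapp_admin_t`, the file paths and the user names are assumed placeholders; the policy module defining those domains and allowing `httpd_t` to transition into them must already be loaded.

```apache
# Added example, not from the SELinux Cookbook. Assumes mod_selinux is installed
# and that the domains webapp_anon_t and webapp_admin_t exist in the loaded policy.
LoadModule selinux_module modules/mod_selinux.so

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/app

    <Location /app>
        AuthType Basic
        AuthName "Application"
        AuthUserFile /etc/httpd/conf/app.htpasswd
        Require valid-user

        # Default domain for any handler whose authenticated user has no entry
        # in the map: the least-privileged domain, so an unknown user gains
        # nothing beyond what webapp_anon_t allows.
        selinuxDomainVal  user_u:user_r:webapp_anon_t:s0

        # Per-user overrides, looked up by the authenticated user name.
        # The map file (assumed path) holds one "<user>  <context>" pair per
        # line, for example:
        #   admin   staff_u:staff_r:webapp_admin_t:s0
        #   *       user_u:user_r:webapp_anon_t:s0
        selinuxDomainMap  /etc/httpd/conf/selinux-domain.map
    </Location>
</VirtualHost>
```

When the policy does not permit the transition, the audit log records an AVC denial on the `dyntransition` permission of the `process` class, which is the first thing to check before assuming the map file is wrong.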
SELinux Cookbook