SELinux operates in two global modes: permissive and enforcing. By default, SELinux denies any activity that is not explicitly allowed. This issue of denial-by-default is resolved by both confining privileged processes and automating security policy creation, which is achieved through the combination of SELinux and Mandatory Access Control (MAC). However, if security has been compromised, so too has the system. In a Discretionary Access Control (DAC) system, root access grants the individual or program unrestricted access to all programs and files on the system. It is essential that only trusted parties have root access. Traditionally, the sudo command provides users with elevated permissions, effectively granting them root-level access. The primary difference between DAC and MAC lies in how users and applications gain access to machines. SELinux was developed as a replacement for DAC, which is commonly shipped with most Linux distributions. Instead, SELinux is a Mandatory Access Control (MAC) system created by the National Security Agency (NSA).
0 Comments
Leave a Reply. |