diff --git a/_posts/2025-12-17-why-you-should-use-SELinux-and-how.md b/_posts/2025-12-17-why-you-should-use-SELinux-and-how.md index a93f307..2c4c438 100644 --- a/_posts/2025-12-17-why-you-should-use-SELinux-and-how.md +++ b/_posts/2025-12-17-why-you-should-use-SELinux-and-how.md @@ -3,7 +3,7 @@ layout: post author: Sam Hadow --- -In this blog post I'll explain why you should use SELinux (or at least an implementation of Mandatory Access Control) and how you can use SELinux, administer it, install it on an existing system. +In this blog post I'll explain why you should use SELinux (or at least an implementation of Mandatory Access Control). Then how you can use SELinux, administer it, and install it on an existing system. # SELinux origin @@ -15,7 +15,7 @@ However most Linux kernels include SELinux support by default even if unused. To ## Motivations -Historically UNIX systems (so Linux included) use DAC (Discretionary Access Control) with ownership and permissions (user, group and others). In this model root is omnipotent and has all the rights, [capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) where also introduced to allow some privileged actions to be performed without needing to be root. And ACL (Access Control Lists) extend this DAC model for more granularity. +Historically UNIX systems (so Linux included) use DAC (Discretionary Access Control) with ownership and permissions (user, group and others). In this model root is omnipotent and has all the rights, [capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) were also introduced to allow some privileged actions to be performed without needing to be root. And ACL (Access Control Lists) extend this DAC model for more granularity. However this model has its limitations: users have the "discretion" (hence the name DAC) to control the permissions of all the files they own. The issue with this model is in case of a compromised user process, an attacker inherits of all the permissions this user has and has access to all their files. A typical example of why it's bad is the web browser example. A vulnerability in a web browser means an attacker could have access to SSH keys or other private keys the user owns which is not something a web browser should have access to in the first place.