Page "Free software" ¶ 1
from Wikipedia

Some Related Sentences

SELinux and project
* Security Enhanced Linux (SELinux) project page
However, in cooperation with the Security Enhanced Linux project (SELinux), the standard policy for the Fedora Core distribution does prohibit this behavior for most executables, with only a few exceptions for compatibility reasons.

SELinux and at
The SELinux context for a remote file system can be specified explicitly at mount time.

SELinux and United
Security-Enhanced Linux (SELinux) is a Linux feature that provides the mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls, through the use of Linux Security Modules (LSM) in the Linux kernel.
The key concepts underlying SELinux can be traced to several earlier projects by the United States National Security Agency.
The United States National Security Agency (NSA), the original primary developer of SELinux, released the first version to the open source development community under the GNU GPL on December 22, 2000.

SELinux and Security
* SELinux and grsecurity: A Case Study Comparing Linux Security Kernel Enhancements

SELinux and is
(SELinux has been integrated into the version 2.6 series of the Linux kernel, and separate patches are now unnecessary; the above is a historical quotation.)
This system is more flexible than normally required: as a rule, most of the real users share the same SELinux username, and all access control is managed through the third tag, the domain.
The command runcon allows for the launching of a process into an explicitly specified context (user, role and domain), but SELinux may deny the transition if it is not approved by the policy configuration.
SELinux is available with commercial support as part of Red Hat Enterprise Linux (RHEL) version 4 and all future releases.
This means that, for example, a file that is inaccessible may become accessible under AppArmor when a hard link is created to it, while SELinux would deny access through the newly created hard link.
On the other hand, data that is inaccessible in SELinux may become accessible when applications update the file by replacing it with a new version — a frequently used technique — while AppArmor would continue to deny access to the data.
SELinux is the set of kernel extensions to control access more precisely, strictly defining both if and how files, folders, network ports and other resources can be accessed by the confined process.
It is one of the mainstream Linux distributions with a concentrated effort to improve system security; as a consequence it boasts a fully integrated SELinux MAC, a fine-grained executable memory permission system (Exec Shield), and all binaries compiled with GCC's standard stack-smashing protection, as well as a focus on getting security updates into the system in a timely manner.
RSBAC is very close to SELinux functionality-wise, as they share a lot more in their design than other access controls such as AppArmor, etc.
Due to this, RSBAC is technically a replacement for LSM itself, and implements modules that are similar to SELinux, but with additional functionality.
While SELinux-enabled and RSBAC-enabled systems have a similar performance impact, the performance impact of LSM alone is negligible compared to that of the RSBAC framework alone.
SELinux can enforce the security policy over all processes and objects in the system, and is an optional feature in all 2.6 kernel source packages.
FLASK is a core framework in security-focused operating systems such as NSA's Security-Enhanced Linux (SELinux), OpenSolaris FMAC and TrustedBSD.
More recently, with the advent of implementations such as SELinux (incorporated into Linux kernels from 2.6) and Mandatory Integrity Control (incorporated into Windows Vista and newer), MAC has started to become more mainstream and is evolving out of the MLS niche.
Compared to SELinux and AppArmor, grsecurity is not implemented by default in any Linux distribution except for the Tor-ramdisk micro Linux distribution.
The database engine is daemonless and processes accessing the database operate with normal user and group ids; a process has access to a database file if and only if the ownership and permissions of that database file (plus any layered access control such as SELinux) permit access.

SELinux and example
However, the chroot and network restrictions of grsecurity and the memory protection of PaX can be used with the SELinux MAC model, for example.

SELinux and software
SELinux represents one of several possible approaches to the problem of restricting the actions that installed software can take.

SELinux and .
Smack has been criticized for being written as a new LSM module instead of an SELinux security policy which can provide equivalent functionality.
Such SELinux policies have been proposed, but none had been demonstrated.
Smack's author replied that it would not be practical due to SELinux's complicated configuration syntax and the philosophical difference between Smack and SELinux designs.
Few systems implement MAC; XTS-400 and SELinux are examples of systems that do.
A Linux kernel integrating SELinux enforces mandatory access-control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs.
The security of an "unmodified" Linux system (a system without SELinux) depends on the correctness of the kernel, of all the privileged applications, and of each of their configurations.
In contrast, the security of a "modified" system (based on an SELinux kernel) depends primarily on the correctness of the kernel and its security-policy configuration.
From a purist perspective, SELinux provides a hybrid of concepts and capabilities drawn from mandatory access controls, mandatory integrity controls, role-based access control (RBAC), and type enforcement architecture.
SELinux users and roles are not related to the actual system users and roles.
Files, network ports, and other hardware also have an SELinux context, consisting of a name, role (seldom used), and type.
SELinux adds the -Z switch to the shell commands ls, ps, and some others, allowing the security context of the files or process to be seen.
These three files must be compiled together with the SELinux tools to produce a single policy file.
The policy files are either handwritten or can be generated from the more user-friendly SELinux management tool.
SELinux can potentially control which activities are allowed for each user, process and daemon, with very precise specifications.
Ordinary user processes often run in the unconfined domain, not restricted by SELinux but still restricted by the classic Linux access rights.
b. ) to query the SELinux status:
