Hi, my name is Don Bishop and this is my "Deal" Today... Basically, anything that interests me. Music, computers, software, apps, Linux OSes and distros, space, science, autos, trucks, 4x4s, motorcycles and other slightly interesting info that I find on the Web. There may or may not be any correlation between my posts. Just whatever interests me at the time. I hope someone out there finds some of this interesting too! :)
Wednesday, May 12, 2010
Role-based access control in SELinux
Learn your way around this admin-friendly security administration layer
Serge Hallyn is a part of IBM's Linux Technology Center, focusing on Linux kernel and security. He obtained his Ph.D. in computer science from the College of William and Mary. He has written and contributed to several security modules. He currently focuses on adding support for virtual server functionality, application checkpoint/restart, and POSIX file capabilities.
Summary: Role-based access control (RBAC) is a general security model that simplifies administration by assigning roles to users and then assigning permissions to those roles. RBAC in Security-Enhanced Linux (SELinux) acts as a layer of abstraction between the user and the underlying type-enforcement (TE) model, which provides highly granular access control but is not geared for ease of management. Learn how the three pieces of an SELinux context (policy, kernel, and userspace) work together to enforce the RBAC and tie Linux® users into the TE policy.
SELinux, the U.S. National Security Agency's implementation of mandatory access control, is the most prominent new security subsystem in Linux. SELinux comes installed by default in Fedora and Red Hat Enterprise Linux and is available in easy-to-install packages in other distributions. This article shows you how to convert a non-SELinux system by hand in order to expose details about how SELinux is integrated into a system.
If you're concerned about protecting world-writable shared directories such as /tmp or /var/tmp from abuse, a Linux Pluggable Authentication Module (PAM) can help you. The pam_namespace module creates a separate namespace for users on your system when they log in. This separation is enforced by the Linux kernel, so users are protected from several types of attacks that rely on a shared /tmp (symlink races and similar). This article for Linux system administrators lays out the steps to enable namespaces with PAM.
February 13, 2010 - This is not a new edition; minor fixes were made. This IBM® Redbooks® publication describes the concepts, architecture, and implementation of the IBM XIV Storage System (2810-A14 and 2812-A14), which is designed to be a scalable enterprise storage system based upon a grid array of hardware components. It can attach to both Fibre Channel Protocol (FCP) and iSCSI capable hosts. In the first few chapters of this book, we provide details about many of the unique and powerful concepts that form the basis of the XIV Storage System logical and physical architecture. We explain how the system was designed to eliminate direct dependencies between the hardware elements and the software that governs the system. In subsequent chapters, we explain the planning and preparation tasks that are required to deploy the system in your environment. This explanation is followed by a step-by-step procedure of how to configure and administer the system. We provide illustrations of how to perform those tasks by using the intuitive, yet powerful XIV Storage Manager GUI or the Extended Command Line Interface (XCLI). The book contains comprehensive information on how to integrate the XIV Storage System for authentication in an LDAP environment and outlines the requirements and summarizes the procedures for attaching the system to various host platforms. We also discuss the performance characteristics of the XIV system and present options available for alerting and monitoring, including an enhanced secure remote suppor
In today's global world, clients need to show compliance with different laws such as Sarbanes-Oxley, HIPAA, the European Union's 8th directive, privacy laws, and so on, in an enterprise (horizontal) environment. These environments become more and more complex with the rapid growth of e-business, and they often span several geographies. Most IT organizations are still very much vertical, often with different organizations within each country and little cooperation between them. A lack of cross-platform skills is also a major issue. Integration and automation at the infrastructure layer is key to enabling e-business. With the growing number of security databases, proving compliance across the enterprise is very complex. This is also true for auditors, who need a very deep knowledge of IT and of a variety of solutions and IT infrastructures to be able to do a reliable audit. This IBM Redbooks publication documents the results of our efforts and tests to show how you can produce audit trails and reports across an enterprise. Our configuration, although not a very complex one, shows results for both internal (intranet) and external (Internet) configurations. We tested with standard users and privileged users, using tools that are available in today's market.
The goal of this IBM Redbooks publication is to provide a technical reference for IT systems administrators in organizations that are considering a migration from Solaris to Linux-based systems. We present a systems administrator's view of the technical differences and methods necessary to complete a successful migration to Linux-based systems, including coverage of how those differences translate to two major Linux distributions: Red Hat Enterprise Linux and SUSE Linux Enterprise Server. The book is designed primarily to be a reference work for the experienced Solaris 8 or 9 system administrator who will need to begin working with Linux. It should serve as a guide for system administrators who need a concise technical reference for facilitating the transition to Linux. The book also provides details about how to leverage the additional industry-leading technologies in IBM eServer xSeries servers, IBM POWER technology-based systems (iSeries/pSeries), and IBM eServer zSeries systems that make them very powerful and flexible platforms for hosting Linux-based solutions.
IBM Systems Director is a platform management foundation that streamlines the way that physical and virtual systems are managed across a multi-system environment. Leveraging industry standards, IBM Systems Director supports multiple operating systems and virtualization technologies across IBM® and non-IBM platforms. IBM Systems Director provides multi-system support for IBM Power Systems™, Systems x, BladeCenter®, System z®, and Storage Systems, enabling integration of IBM systems with the total infrastructure. IBM Systems Director also manages non-IBM x86-based systems through a dedicated agent. This IBM Redbooks® publication describes how to implement systems management with IBM Systems Director 6.1, discussing IBM Systems Director architecture, its adherence to industry standards, and the planning required for a successful implementation. This book helps you tailor and configure IBM Systems Director while showing how to maximize your investment in IBM technology. This book is a companion to the IBM Systems Director online publications and the product DVDs.
This IBM Redbooks publication gives a broad understanding of the synergy between service-oriented architecture (SOA)-based applications and Power Systems servers. The popularity and reach of SOA-based applications has grown exponentially in recent years, and enterprises rely more and more on them for their operation. Because these applications are mission critical, they must be supported by an adequately planned infrastructure. IBM Power Systems have been leading players in the server industry for decades, providing great performance while delivering reliability and flexibility to the infrastructure. Given the advent of SOA-based applications, this book aims to demonstrate what benefits an SOA-based application can get from a Power Systems infrastructure and how Power Systems support an SOA-based application. The book is intended as a guide for a Power Systems specialist to understand the SOA environment and for an SOA specialist to understand the facilities available on Power Systems for supporting SOA-based applications.
The security policy implemented in Security-Enhanced Linux (SELinux) is type enforcement (TE) under a layer of role-based access control (RBAC). (SELinux also implements multi-level security (MLS) as an orthogonal layer, which is outside the scope of this article.) TE is the most visible, and therefore the best known, layer because it enforces fine-grained permissions: when something breaks because of an unexpected access denial, TE is almost always the layer responsible. In TE, a process's security domain (its domain of influence over the system) is determined by the task's history and the currently executing program.
The concept of RBAC isn't discussed as often as TE and can be confusing because of the way it is integrated with TE. You generally think of RBAC as specifying the access that users in certain roles may receive. SELinux specifies the role-based access in terms of TE, however: a security context has the form user:role:type, and the policy declares which roles each SELinux user may assume and which TE domains (types) each role may be combined with. The goal of RBAC in SELinux is therefore to manage privileges based on the roles an authorized user may assume, and then to restrict the domains of influence a role may enter by specifying the TE domains with which that role forms a valid context; a context that pairs a user with an unauthorized role, or a role with an unauthorized type, is simply invalid and is never granted to a process.
To see how this works, take a look at a very simple cash register accounting system using SELinux to provide the security guarantees. You'll see the same solution in two very different environments (see Downloads to view the code for both):
The from-scratch SELinux system built in the developerWorks article "SELinux from scratch." This system demonstrates how several of the pieces in the kernel and in userspace are bound together.
A Fedora Core 8 system. The Fedora Core 8 system (new at the time of this writing) shows how SELinux and RBAC are tightly integrated.
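Before looking at either environment, it helps to see the validity rule just described executed against a concrete policy. The following script is an added example, not code from the developerWorks article or from the SELinux project. It parses the three policy-source statements that make up SELinux RBAC (`user U roles { ... };`, `role R types { ... };` and the role-allow rule `allow R1 R2;`) from a constructed fragment loosely modelled on the cash register system, then answers the two questions RBAC exists to answer: which user:role:type contexts are valid, and which role changes a running process may make. The identifiers (cashier_u, manager_r, register_t and so on) are assumptions made up for the example; the special treatment of object_r follows the kernel's context validity check, which exempts the object role from the user-role and role-type tests.

```python
"""Evaluate the RBAC layer of an SELinux policy over a hand-written fragment.

Added example, not code from the developerWorks article or the SELinux project.
Parses `type`, `role ... types`, `user ... roles` and role-allow statements in
SELinux policy-source syntax and reproduces the context validity rule:
the user must be authorized for the role, and the role for the type.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed policy fragment for a toy cash-register system (assumed names).
POLICY = """
type cashier_t;
type register_t;
type manager_t;
type audit_t;

role cashier_r types { cashier_t register_t };
role manager_r types { manager_t register_t audit_t };
role auditor_r types audit_t;

# role-allow: a process in cashier_r may move to manager_r, never back
allow cashier_r manager_r;

user cashier_u roles { cashier_r };
user manager_u roles { cashier_r manager_r };
user auditor_u roles { auditor_r };
"""

TYPE_RE = re.compile(r"type\s+(\w+)\s*;")
ROLE_RE = re.compile(r"role\s+(\w+)\s+types\s+(\{[^}]*\}|\w+)\s*;")
USER_RE = re.compile(r"user\s+(\w+)\s+roles\s+(\{[^}]*\}|\w+)\s*;")
# Two-identifier role-allow form only; TE allow rules contain ':' and do not match.
ROLE_ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+)\s*;")


@dataclass
class Policy:
    types: Set[str] = field(default_factory=set)
    role_types: Dict[str, Set[str]] = field(default_factory=dict)   # role -> types
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)   # user -> roles
    role_allow: Set[Tuple[str, str]] = field(default_factory=set)   # (from, to)


def _idset(text: str) -> Set[str]:
    """'{ a_t b_t }' -> {'a_t', 'b_t'}; 'a_t' -> {'a_t'}."""
    return set(text.strip("{}").split())


def parse_policy(src: str) -> Policy:
    p = Policy()
    for raw in src.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := TYPE_RE.fullmatch(line):
            p.types.add(m.group(1))
        elif m := ROLE_RE.fullmatch(line):
            p.role_types.setdefault(m.group(1), set()).update(_idset(m.group(2)))
        elif m := USER_RE.fullmatch(line):
            p.user_roles.setdefault(m.group(1), set()).update(_idset(m.group(2)))
        elif m := ROLE_ALLOW_RE.fullmatch(line):
            p.role_allow.add((m.group(1), m.group(2)))
        else:
            raise ValueError(f"unsupported statement: {line}")
    # Reject references to undeclared types and roles, as the compiler would.
    for role, types in p.role_types.items():
        if types - p.types:
            raise ValueError(f"role {role} names undeclared types {sorted(types - p.types)}")
    for user, roles in p.user_roles.items():
        if roles - p.role_types.keys():
            raise ValueError(f"user {user} names undeclared roles {sorted(roles - p.role_types.keys())}")
    return p


def is_valid_context(p: Policy, ctx: str) -> bool:
    """RBAC validity of a user:role:type context (the MLS field is ignored here)."""
    parts = ctx.split(":")
    if len(parts) != 3:
        return False
    user, role, typ = parts
    if user not in p.user_roles or typ not in p.types:
        return False
    if role == "object_r":          # object role: valid with any user and any type
        return True
    return role in p.user_roles[user] and typ in p.role_types.get(role, set())


def can_change_role(p: Policy, ctx: str, new_role: str) -> bool:
    """May a process in `ctx` move to `new_role` (as newrole would ask)?
    Needs a role-allow rule from the current role AND a valid resulting context.
    Simplification: the type is kept; a real transition may also change it."""
    if not is_valid_context(p, ctx):
        return False
    user, role, typ = ctx.split(":")
    if new_role != role and (role, new_role) not in p.role_allow:
        return False
    return is_valid_context(p, f"{user}:{new_role}:{typ}")


def reachable_contexts(p: Policy, user: str) -> Set[str]:
    """Every process context the user may ever hold: the roles granted to the
    user bound the TE domains it can reach, which is the RBAC layer's whole job."""
    return {f"{user}:{role}:{typ}"
            for role in p.user_roles.get(user, set())
            for typ in p.role_types[role]}


if __name__ == "__main__":
    pol = parse_policy(POLICY)
    for u in sorted(pol.user_roles):
        print(u, sorted(reachable_contexts(pol, u)))
    print(can_change_role(pol, "manager_u:cashier_r:register_t", "manager_r"))  # True
    print(can_change_role(pol, "cashier_u:cashier_r:register_t", "manager_r"))  # False
```

The two `can_change_role` calls at the end show the point of layering RBAC over TE: the same role-allow rule lets a manager who logged in as cashier_r step up to manager_r, but a cashier_u process cannot, because its user statement never authorizes that role, so the target context is invalid regardless of any TE rules.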