[Info-vax] OS implementation languages
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Tue Sep 5 13:56:40 EDT 2023
On 2023-09-05, Bob Eager <news0009 at eager.cx> wrote:
> On Tue, 05 Sep 2023 12:12:03 +0000, Simon Clubley wrote:
>> I just had a quick look around and couldn't see what the FreeBSD version
>> of SELinux is. I wonder how the FreeBSD people handle the MAC problem
>> and how functional their solution is compared to SELinux?
>
> Not quite sure what you mean by the 'MAC problem'; I may not be aware of
> details here. But FreeBSD has MAC:
>
> https://docs.freebsd.org/en/books/handbook/mac/
>
In this context, it simply means the ability to support MAC security,
_including_ the ability to help keep a successful compromise contained,
which is what SELinux offers.
Notice the use of the word "help" above. As with all things, each layer
of security is just one more layer to be overcome and nothing more.
With SELinux, for example, httpd can be part of a policy that says it
is only allowed to access certain TCP ports and all other access attempts
will be refused by SELinux.
That way, if httpd gets compromised, then the compromised code is
also denied access.
Looking through the documentation you referenced, it looks like the
closest is mac_portacl, but that is based on UIDs/GIDs instead of
context labels.
This is an example from the RHEL documentation of how you allow httpd
access to a non-standard port when using SELinux:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-managing_confined_services-the_apache_http_server#sect-Managing_Confined_Services-The_Apache_HTTP_Server-The_Apache_HTTP_Server_and_SELinux
Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
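As an added example (not part of this thread or of either project's documentation), the two mechanisms the message contrasts, written as a POSIX shell script: the SELinux side labels an extra TCP port as http_port_t so the confined httpd_t domain may bind to it, while the FreeBSD side builds a mac_portacl rule list that is keyed on a uid rather than on a process label. Port 8008 and web-server uid 80 are assumed sample values; the privileged commands only run when the script is invoked with `apply`.

```shell
#!/bin/sh
# Constructed example: confining a web server to named TCP ports.
# SELinux keys on the process's security context (httpd_t), FreeBSD's
# mac_portacl keys on uid/gid. Port 8008 and uid 80 are assumed values.

# --- SELinux (RHEL-style): show which TCP/UDP ports httpd_t may use,
#     then add a non-standard port to the http_port_t label.
selinux_show_http_ports() {
    semanage port -l | grep '^http_port_t'
}
selinux_allow_http_port() {   # $1 = TCP port to add to http_port_t
    # -a fails if the port already carries another label; use -m then.
    semanage port -a -t http_port_t -p tcp "$1"
}

# --- FreeBSD mac_portacl: rules have the form idtype:id:protocol:port.
#     Build a comma-separated rule list allowing one uid to bind to
#     each given TCP port. $1 = uid, remaining args = ports.
portacl_rule() {
    uid=$1; shift
    rules=""
    for p in "$@"; do
        rules="${rules:+$rules,}uid:$uid:tcp:$p"
    done
    printf '%s\n' "$rules"
}
portacl_apply() {             # $1 = uid, remaining args = ports
    kldload mac_portacl 2>/dev/null || true
    # portacl only governs ports up to port_high (default 1023);
    # raise it so a port like 8008 is covered as well.
    sysctl security.mac.portacl.port_high=65535
    # let portacl, not the reserved-port range, decide who may bind.
    sysctl net.inet.ip.portrange.reservedlow=0
    sysctl net.inet.ip.portrange.reservedhigh=0
    sysctl security.mac.portacl.rules="$(portacl_rule "$@")"
    sysctl security.mac.portacl.enabled=1
}

if [ "${1:-}" = "apply" ]; then
    selinux_allow_http_port 8008
    portacl_apply 80 80 443 8008
fi
```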