From Fedora Project Wiki

m (Security Audit Package)
(small fixes and ready for PR)
Line 5: Line 5:
 
=== Security Enhancements ===
 
=== Security Enhancements ===
  
Fedora continues to improve its many proactive [http://fedoraproject.org/wiki/Security/Features security features] .
+
Fedora continues to improve its many proactive security features.
 +
 
 +
http://fedoraproject.org/wiki/Security/Features
 +
 
 +
=== SELinux ===
 +
 
 +
The SELinux project pages have troubleshooting tips, explanations, and pointers to documentation and references.  Some useful links include the following:
 +
 
 +
* New SELinux project pages: http://fedoraproject.org/wiki/SELinux
 +
* Troubleshooting tips: http://fedoraproject.org/wiki/SELinux/Troubleshooting
 +
* Frequently Asked Questions: http://docs.fedoraproject.org/selinux-faq/
 +
* Listing of SELinux commands: http://fedoraproject.org/wiki/SELinux/Commands
 +
* Details of confined domains: http://fedoraproject.org/wiki/SELinux/Domains
  
 
=== SELinux Enhancements ===
 
=== SELinux Enhancements ===
 +
 
Different roles are now available, to allow finer-grained access control:
 
Different roles are now available, to allow finer-grained access control:
* <code>guest_t</code> does not allow running setuid binaries, making network connections, or using a GUI.
+
 
* <code>xguest_t</code> disallows network access except for HTTP via a Web browser, and no setuid binaries.
+
* <code>guest_t</code> does not allow running <code>setuid</code> binaries, making network connections, or using a GUI.
* <code>user_t</code> is ideal for office users: prevents becoming root via setuid applications.
+
* <code>xguest_t</code> disallows network access except for HTTP via a Web browser, and no <code>setuid</code> binaries.
* <code>staff_t</code> is same as <code>user_t</code>, except that root access via <code>sudo</code> is allowed.
+
* <code>user_t</code> is ideal for office users: prevents becoming root via <code>setuid</code> applications.
 +
* <code>staff_t</code> is same as <code>user_t</code>, except that root-level access via <code>sudo</code> is allowed.
 
* <code>unconfined_t</code> provides full access, the same as when not using SELinux.
 
* <code>unconfined_t</code> provides full access, the same as when not using SELinux.
  
As well, browser plug-ins wrapped with <code>nspluginwrapper</code>, which is the default, now run confined.
+
Browser plug-ins wrapped with <code>nspluginwrapper</code>, which is the default, are confined by SELinux policy.
  
 
=== Security Audit Package ===
 
=== Security Audit Package ===
Sectool provides users with a tool that can check their systems for security issues. There are libraries included that allow for the customization of system tests. More information can be found at the [https://fedorahosted.org/sectool project home].
+
 
 +
'''Sectool''' provides users with a tool that can check their systems for security issues. There are libraries included that allow for the customization of system tests. More information can be found at the project home:
 +
 
 +
https://fedorahosted.org/sectool
  
 
=== General Information ===
 
=== General Information ===
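Review bot: two of the rewritten role bullets still read awkwardly after this hunk: "<code>staff_t</code> is same as <code>user_t</code>" is missing the article ("is the same as"), and "<code>xguest_t</code> disallows network access except for HTTP via a Web browser, and no <code>setuid</code> binaries" has no verb for the second clause ("and does not allow <code>setuid</code> binaries"). Also worth noting for the SELinux subsection: the new text ends with "Some useful links include the following:" and then the bullet list, so make sure the list survives in the rendered revision (the rendered copy below shows the sentence with no list under it).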
Line 24: Line 41:
 
A general introduction to the many proactive security features in Fedora, current status, and policies is available at http://fedoraproject.org/wiki/Security.
 
A general introduction to the many proactive security features in Fedora, current status, and policies is available at http://fedoraproject.org/wiki/Security.
  
{{/SELinux}}
+
{{:Docs/Beats/FreeIPA}}
{{/FreeIPA}}
 

Revision as of 22:04, 12 October 2008

Security

This section highlights various security items from Fedora.

Security Enhancements

Fedora continues to improve its many proactive security features.

http://fedoraproject.org/wiki/Security/Features

SELinux

The SELinux project pages have troubleshooting tips, explanations, and pointers to documentation and references. Some useful links include the following:

  • New SELinux project pages: http://fedoraproject.org/wiki/SELinux
  • Troubleshooting tips: http://fedoraproject.org/wiki/SELinux/Troubleshooting
  • Frequently Asked Questions: http://docs.fedoraproject.org/selinux-faq/
  • Listing of SELinux commands: http://fedoraproject.org/wiki/SELinux/Commands
  • Details of confined domains: http://fedoraproject.org/wiki/SELinux/Domains

SELinux Enhancements

Different roles are now available, to allow finer-grained access control:

  • guest_t does not allow running setuid binaries, making network connections, or using a GUI.
  • xguest_t disallows network access except for HTTP via a Web browser, and does not allow setuid binaries.
  • user_t is ideal for office users: prevents becoming root via setuid applications.
  • staff_t is the same as user_t, except that root-level access via sudo is allowed.
  • unconfined_t provides full access, the same as when not using SELinux.
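As an added example (not from the Fedora release notes or any Fedora tool), the following POSIX shell check parses the output of semanage login -l and reports which logins end up in the unconfined_t domain described above, the one role that grants full access. It assumes the Fedora targeted policy's SELinux user names (guest_u, xguest_u, user_u, staff_u, unconfined_u), which this page does not list, and the login listing is a constructed sample rather than output captured from a real host.

```shell
#!/bin/sh
# Added example, not Fedora's own code: audit which Linux logins are mapped to
# SELinux users that land in unconfined_t, since that role is equivalent to
# running without SELinux confinement. Assumes the targeted policy's user
# names (guest_u, xguest_u, user_u, staff_u, unconfined_u); not on the page.

# Constructed sample of `semanage login -l` output (not from a real system).
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range

__default__          unconfined_u         s0-s0:c0.c1023
alice                staff_u              s0-s0:c0.c1023
bob                  unconfined_u         s0-s0:c0.c1023
kiosk                xguest_u             s0
root                 unconfined_u         s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023'

# Map an SELinux user to the login domain it gets under the targeted policy.
domain_for_seuser() {
    case "$1" in
        guest_u)      echo guest_t ;;
        xguest_u)     echo xguest_t ;;
        user_u)       echo user_t ;;
        staff_u)      echo staff_t ;;
        unconfined_u) echo unconfined_t ;;
        *)            echo unknown ;;
    esac
}

# Emit "login seuser domain" per mapping, skipping the header line, blank
# lines and the system_u pseudo-login used by daemons rather than people.
parse_logins() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 2 && $1 != "system_u" { print $1, $2 }' |
    while read -r login seuser; do
        printf '%s %s %s\n' "$login" "$seuser" "$(domain_for_seuser "$seuser")"
    done
}

# Logins (including __default__, which every unlisted user inherits) that
# are unconfined and therefore gain nothing from the roles listed above.
unconfined_logins() {
    parse_logins "$1" | awk '$3 == "unconfined_t" { print $1 }'
}

# Number of such logins, handy as a single audit metric.
count_unconfined() {
    unconfined_logins "$1" | wc -l | tr -d ' '
}

unconfined_logins "$SAMPLE_LOGINS"
```

On a live system, feed it `semanage login -l` output instead of the sample; a mapping for __default__ to unconfined_u means every user not explicitly listed is unconfined.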

Browser plug-ins wrapped with nspluginwrapper, which is the default, are confined by SELinux policy.

Security Audit Package

Sectool provides users with a tool that can check their systems for security issues. There are libraries included that allow for the customization of system tests. More information can be found at the project home:

https://fedorahosted.org/sectool

General Information

A general introduction to the many proactive security features in Fedora, current status, and policies is available at http://fedoraproject.org/wiki/Security.

Docs/Beats/FreeIPA