October 2004
Intermediate to advanced
256 pages
8h 16m
English
Content preview from SELinuxBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
Applications of SELinux
To understand the value of
SELinux, let’s revisit
the
Apache and
ptrace vulnerability mentioned earlier in the
sidebar “The Apache OpenSSL
Attack.” Unknown to the administrator of the server,
the version of Apache being run contains a vulnerability for which no
patch is yet available. An attacker exploits this vulnerability to
remotely compromise Apache, thereby gaining the privileges extended
to the apache user account. Because the
system’s security is based on discretionary access
control, these privileges are relatively extensive. In particular,
they’re sufficient to allow the attacker to execute
the ptrace program, which also contains a
vulnerability. Moreover, the ptrace program is a
setsuid program that always runs as the root user regardless of the
identity of the user who launches it. Thus, when the attacker
compromises ptrace, he gains access to the root
account and has unrestricted access to all system files and
resources. The attacker establishes a backdoor by which to
conveniently reenter the system at will, cleans the system logs to
cover all traces of his intrusion, and adds the system to his list of
owned hosts.
If the web server had been running on an SELinux host with properly configured policies, the scenario would have proceeded differently. As before, the attacker would have been able to compromise Apache by using his 0-day attack. But, having done so, the attacker would gain only those permissions afforded the domain under which Apache ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.