(small fixes and ready for PR) |
|||
Line 5: | Line 5: | ||
=== Security Enhancements === | === Security Enhancements === | ||
Fedora continues to improve its many proactive | Fedora continues to improve its many proactive security features. | ||
http://fedoraproject.org/wiki/Security/Features | |||
=== SELinux === | |||
The SELinux project pages have troubleshooting tips, explanations, and pointers to documentation and references. Some useful links include the following: | |||
* New SELinux project pages: http://fedoraproject.org/wiki/SELinux | |||
* Troubleshooting tips: http://fedoraproject.org/wiki/SELinux/Troubleshooting | |||
* Frequently Asked Questions: http://docs.fedoraproject.org/selinux-faq/ | |||
* Listing of SELinux commands: http://fedoraproject.org/wiki/SELinux/Commands | |||
* Details of confined domains: http://fedoraproject.org/wiki/SELinux/Domains | |||
=== SELinux Enhancements === | === SELinux Enhancements === | ||
Different roles are now available, to allow finer-grained access control: | Different roles are now available, to allow finer-grained access control: | ||
* <code>guest_t</code> does not allow running setuid binaries, making network connections, or using a GUI. | |||
* <code>xguest_t</code> disallows network access except for HTTP via a Web browser, and no setuid binaries. | * <code>guest_t</code> does not allow running <code>setuid</code> binaries, making network connections, or using a GUI. | ||
* <code>user_t</code> is ideal for office users: prevents becoming root via setuid applications. | * <code>xguest_t</code> disallows network access except for HTTP via a Web browser, and no <code>setuid</code> binaries. | ||
* <code>staff_t</code> is same as <code>user_t</code>, except that root access via <code>sudo</code> is allowed. | * <code>user_t</code> is ideal for office users: prevents becoming root via <code>setuid</code> applications. | ||
* <code>staff_t</code> is same as <code>user_t</code>, except that root-level access via <code>sudo</code> is allowed. | |||
* <code>unconfined_t</code> provides full access, the same as when not using SELinux. | * <code>unconfined_t</code> provides full access, the same as when not using SELinux. | ||
Browser plug-ins wrapped with <code>nspluginwrapper</code>, which is the default, are confined by SELinux policy. | |||
=== Security Audit Package === | === Security Audit Package === | ||
Sectool provides users with a tool that can check their systems for security issues. There are libraries included that allow for the customization of system tests. More information can be found at the | |||
'''Sectool''' provides users with a tool that can check their systems for security issues. There are libraries included that allow for the customization of system tests. More information can be found at the project home: | |||
https://fedorahosted.org/sectool | |||
=== General Information === | === General Information === | ||
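Review bot: In the SELinux Enhancements list, the intro line says "Different roles are now available", but every item it introduces (<code>guest_t</code>, <code>xguest_t</code>, <code>user_t</code>, <code>staff_t</code>, <code>unconfined_t</code>) carries the <code>_t</code> suffix that SELinux uses for types, not roles. Either word the intro in terms of types/domains or list the role names, so readers do not look for these names in the wrong place. Smaller wording points in the same list: "is same as" is missing "the", and the <code>xguest_t</code> item ends with the non-parallel "and no <code>setuid</code> binaries"; "and does not allow running <code>setuid</code> binaries" would match the <code>guest_t</code> item.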
Line 24: | Line 41: | ||
A general introduction to the many proactive security features in Fedora, current status, and policies is available at http://fedoraproject.org/wiki/Security. | A general introduction to the many proactive security features in Fedora, current status, and policies is available at http://fedoraproject.org/wiki/Security. | ||
{{/ | {{:Docs/Beats/FreeIPA}} | ||
Revision as of 22:04, 12 October 2008
Security
This section highlights various security items from Fedora.
Security Enhancements
Fedora continues to improve its many proactive security features.
http://fedoraproject.org/wiki/Security/Features
SELinux
The SELinux project pages have troubleshooting tips, explanations, and pointers to documentation and references. Some useful links include the following:
- New SELinux project pages: http://fedoraproject.org/wiki/SELinux
- Troubleshooting tips: http://fedoraproject.org/wiki/SELinux/Troubleshooting
- Frequently Asked Questions: http://docs.fedoraproject.org/selinux-faq/
- Listing of SELinux commands: http://fedoraproject.org/wiki/SELinux/Commands
- Details of confined domains: http://fedoraproject.org/wiki/SELinux/Domains
SELinux Enhancements
Different roles are now available, to allow finer-grained access control:
- guest_t does not allow running setuid binaries, making network connections, or using a GUI.
- xguest_t disallows network access except for HTTP via a Web browser, and no setuid binaries.
- user_t is ideal for office users: prevents becoming root via setuid applications.
- staff_t is the same as user_t, except that root-level access via sudo is allowed.
- unconfined_t provides full access, the same as when not using SELinux.
Browser plug-ins wrapped with nspluginwrapper, which is the default, are confined by SELinux policy.
Security Audit Package
Sectool provides users with a tool that can check their systems for security issues. There are libraries included that allow for the customization of system tests. More information can be found at the project home:
https://fedorahosted.org/sectool
General Information
A general introduction to the many proactive security features in Fedora, current status, and policies is available at http://fedoraproject.org/wiki/Security.