Security
This section highlights various security items from Fedora.
Security Enhancements
Fedora continues to improve its many proactive security features .
Support for SHA-256 and SHA-512 passwords
The glibc
package in Fedora 8 had support for passwords using SHA-256 and SHA-512 hashing. Previously, only DES and MD5 were available. These tools have been extended in Fedora 9. Password hashing using the SHA-256 and SHA-512 hash functions is now supported.
To switch to SHA-256 or SHA-512 on an installed system, use authconfig --passalgo=sha256 --update
or authconfig --passalgo=sha512 --update
. Alternatively, use the authconfig-gtk
GUI tool to configure the hashing method. Existing user accounts will not be affected until their passwords are changed.
SHA-512 is used by default on newly installed systems. Other algorithms can be configured only for kickstart installations, by using the --passalgo
or --enablemd5
options for the kickstart auth
command. If your installation does not use kickstart, use authconfig
as described above, and then change the root user password, and passwords for other users created after installation.
New options now appear in libuser
, pam
, and shadow-utils
to support these password hashing algorithms. Running authconfig
configures all these options automatically, so it is not necessary to modify them manually.
- New values for the
crypt_style
option, and the new optionshash_rounds_min
, andhash_rounds_max
, are now supported in the[defaults]
section of/etc/libuser.conf
. Refer to thelibuser.conf(5)
man page for details.
- New options,
sha256
,sha512
, androunds
, are now supported by thepam_unix
PAM module. Refer to thepam_unix(8)
man page for details.
- New options,
ENCRYPT_METHOD
,SHA_CRYPT_MIN_ROUNDS
, andSHA_CRYPT_MAX_ROUNDS
, are now supported in/etc/login.defs
. Refer to thelogin.defs(5)
man page for details. Corresponding options were added tochpasswd(8)
andnewusers(8)
.
FORTIFY_SOURCE extended to cover more functions
FORTIFY_SOURCE protection now covers asprintf
, dprintf
, vasprintf
, vdprintf
, obstack_printf
and obstack_vprintf
. This improvement is particularly useful for applications that use the glib2
library, as several of its functions use vasprintf
.
SELinux Enhancements
Different roles are now available, to allow finer-grained access control:
guest_t
does not allow running setuid binaries, making network connections, or using a GUI.xguest_t
disallows network access except for HTTP via a Web browser, and no setuid binaries.user_t
is ideal for office users: prevents becoming root via setuid applications.staff_t
is same asuser_t
, except that root access viasudo
is allowed.unconfined_t
provides full access, the same as when not using SELinux.
As well, browser plug-ins wrapped with nspluginwrapper
, which is the default, now run confined.
Default Firewall Behavior
In Fedora 9, the default firewall behavior has changed. There are no default ports open, except for SSH (22), which is opened by Anaconda.
General Information
A general introduction to the many proactive security features in Fedora, current status, and policies is available at http://fedoraproject.org/wiki/Security.
Fedora SELinux Project Pages
- Understanding SELinux
- Discussion of Policies
- Troubleshooting SELinux
- Multi Category Security/MCS
- Multi Level Security/MLS
- Loadable Modules
- Policy Generation Tools
- Troubleshoot Tool
- Shipping custom policy modules
- Policy writing resources
Topics
Documentation
- FAQs
- Fedora 22 - SELinux User's and Administrator's Guide
- Fedora 13 - Security-Enhanced Linux User Guide
- Fedora 13 - SELinux FAQ
- Fedora 13 - Managing Confined Services Guide
- Fedora 12 - Security-Enhanced Linux User Guide
- Fedora 12 - SELinux FAQ
- Fedora 11 - Managing Confined Services Guide
- Red Hat Enterprise Linux 7: SELinux User's and Administrator's Guide
- Red Hat Enterprise Linux 6 - SELinux Guide
- Red Hat Enterprise Linux 4 - SELinux Guide
- Red Hat Magazine: What is Security-Enhanced Linux? (November 2004)
- Red Hat Magazine: Taking advantage of SELinux in Red Hat® Enterprise Linux (April 2005)
- What’s new in SELinux for Red Hat Enterprise Linux 5? (May 2007)
- SELinux: Past, Present And Future (Daniel Walsh, Red Hat SELinux developer)
- - Dan Walsh's Blog - continous discourse on understanding and using SELinux
- Five ways SELinux may surprise you (May 2007)
- SELinux Policy IDE (SLIDE) - by Tresys Technology
- Security-Enhanced Linux (nsa.gov)
- 2013 Red Hat Summit: SELinux for Mere Mortals (2013, video)
- Security Enhanced Linux for Mere Mortals (2014, PDF)
- Grammar for policy language
If you want to work on formal documentation, you can use the Docs/Drafts/SELinux namespace. When you are done editing the draft, it can migrate to Docs/SELinux . Doing this lends an air of formality and provides higher immutability and accountability in the wiki, as only the DocWritersGroup can edit the Docs/ namespace FreeIPA