Re: SELinux MLS

The only use case I can think of to justify the vast additional complexity of MLS is when you need to confine access to resources based on a very specific organisational information flow policy. The MLS policy isn't necessarily more 'secure' than MCS, it just enforces a different information flow policy (domain separation rather than Bell-LaPadula).

If you'd like to harden the machine and restrict access to splunk resources, I would:
  • Write policy for Splunk then remove all unconfined domains (see section in: http://danwalsh.livejournal.com/42394.html)
  • Run splunk in its own category
  • Change default user/login clearances as appropriate to restrict access to splunk
  • Depending on whether or not your network is labelled, you might consider using SECMARK or netlabel to restrict network access to splunk
Hypothetically, you could run multiple instances of splunk in different categories on the same machine for each index if required.

Cheers,
Doug
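As an added illustration of the "run splunk in its own category" step above (this is example code, not from the thread or from any SELinux tool), the following Python model shows the MCS check that decides whether a login clearance may read a file carrying Splunk's category. The category c100, the var_lib_t index label and the splunk_t domain are constructed for the example.

```python
import re

# Added example, not from the thread. Models the MCS category check: the
# subject's clearance must carry every category on the object. On a real host
# file categories are set with chcat and user clearances with semanage login;
# the loaded policy's constraints are authoritative. This follows the MCS file
# constraint, where the subject's high level must dominate the object's level.

SPLUNK_INDEX = "system_u:object_r:var_lib_t:s0:c100"    # constructed label


def parse_level(level):
    """'s0:c0.c3,c5' -> (0, frozenset({0, 1, 2, 3, 5})); '.' is a range, ',' a list."""
    sens, _, cats = level.partition(":")
    match = re.fullmatch(r"s(\d+)", sens)
    if not match:
        raise ValueError(f"bad sensitivity in {level!r}")
    categories = set()
    for item in filter(None, cats.split(",")):
        lo, _, hi = item.partition(".")
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        categories.update(range(lo_n, hi_n + 1))
    return int(match.group(1)), frozenset(categories)


def context_range(context):
    """Split 'user:role:type:low[-high]' into (low, high) parsed levels."""
    parts = context.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not a full context: {context!r}")
    low, _, high = parts[3].partition("-")
    return parse_level(low), parse_level(high or low)


def dominates(subject, obj):
    """Dominance: sensitivity >= and the category set is a superset."""
    return subject[0] >= obj[0] and subject[1] >= obj[1]


def can_read(subject_context, object_context):
    """Subject's clearance high end must dominate the object's (single) level."""
    _, subject_high = context_range(subject_context)
    object_low, _ = context_range(object_context)
    return dominates(subject_high, object_low)


if __name__ == "__main__":
    for ctx in ("user_u:user_r:user_t:s0",                    # default login, no categories
                "user_u:user_r:user_t:s0-s0:c0.c99",          # clearance stops short of c100
                "staff_u:staff_r:staff_t:s0-s0:c0.c1023",     # full-clearance admin
                "system_u:system_r:splunk_t:s0:c100"):        # hypothetical confined splunk domain
        print(ctx, "->", "allowed" if can_read(ctx, SPLUNK_INDEX) else "denied")
```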

From: Robert Gabriel <ephemeric@xxxxxxxxx>
Date: Thursday, 4 July 2013 2:42 AM
To: Doug Brown <d46.brown@xxxxxxxxxxxxxxxxxx>
Cc: "selinux@xxxxxxxxxxxxxxxxxxxxxxx" <selinux@xxxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: SELinux MLS

On 3 July 2013 13:32, Douglas Brown <d46.brown@xxxxxxxxxxxxxxxxxx> wrote:

Full splunk or just the universal forwarder? Interested to know how you go.

Full Splunk but it's going to take me forever.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
