As we saw in the previous chapters, Discretionary Access Control allows users to control who can access their own files and directories. But, what if your company needs to have more administrative control over who accesses what? For this, we need some sort of Mandatory Access Control or MAC.
The best way I know to explain the difference between DAC and MAC is to hearken back to my Navy days. I was riding submarines at the time, and I had to have a Top Secret clearance to do my job. With DAC, I had the physical ability to take one of my Top Secret books to the mess decks, and hand it to a cook who didn't have that level of clearance. With MAC, there were rules that prevented me from doing so. On operating systems, things work pretty much the same way.
There are several different MAC systems that are available for Linux. The two that we'll cover in this chapter are SELinux and AppArmor.
In this chapter, we'll cover the following topics:
- What SELinux is and how it can benefit a system's administrator
- How to set security contexts for files and directories
- How to use setroubleshoot to troubleshoot SELinux problems
- Looking at SELinux policies and how to create custom policies
- What AppArmor is and how it can benefit a systems administrator
- Looking at AppArmor policies
- Working with AppArmor command-line utilities
- Troubleshooting AppArmor problems