, 2005-06-21
Interview with Marcus Ranum
2005-06-22
some guy in Central PA (1 replies)
Interview with Marcus Ranum
2005-06-22
Anonymous (1 replies)
Re: Interview with Marcus Ranum
2005-06-22
Marcus Ranum (2 replies)
Re: Re: Interview with Marcus Ranum
2005-06-22
Anonymous (1 replies)
Interview with Marcus Ranum
2005-06-22
Tails (2 replies)
Re: Interview with Marcus Ranum
2005-06-22
Marcus Ranum (7 replies)
What A Total Jackass
2005-06-22
Anonymous (1 replies)
Interview with Marcus Ranum
2005-06-24
Anonymous (2 replies)

_that_ having been said, selinux has the ability to place some restrictions on network access on a per-user+per-program basis.
it is therefore my belief that a heavily modified version of "fwbuilder" could output selinux policies on a per-desktop and per-server basis that could lock down linux desktop and linux server machines as envisaged - without the need for an expensive Cisco ACL router.
... of course, if an individual machine is root-kitted or LKM-compromised (something that selinux cannot help you with because selinux is implemented in the kernel and a kernel exploit means Game Over) then its rules get ignored...