"SELinux employs an access control system that uses
data types and a variety of rules-based enforcement protocols as a
means for setting up both confidentiality and integrity rules on
user systems. The result is a highly flexible, yet highly secure
system with enforcement rules embedded into a discrete "security
server." The server contains the policies for each type of data and
on each each type of data acts on another piece of data. SELinux
revalidates the security permission schema for each file type each
time it is used.
The result is that a virus cannot succeed in a SELinux system.
In the unlikely event that a virus could even be introduced into an
SELinux-based system, and then executed, the virus should not be
able reproduce onto an executable file. In theory, this shouldn't
happen because Unix programs shouldn't have more than read or write
permissions anyway, but in this case, SELinux would also prevent
propagation of the virus because the reach of each program
executable is restricted to its own "type." Therefore, any of the
executables that would normally be targets for the virus are
effectively walled off. Even attacking the root won't have an
effect on the policies structure. The system may not be foolproof,
but as a secure, intelligently configured alternative it beats
traditional Unix configurations, and it beats Windows hands
Perhaps your company doesn't think replacing Windows with Linux
is worth the hassle. But if their systems crashed because of Code
Red or Systran or Goner -- or perhaps all three, have them take a
look at SELinux, and -- have a conversation."
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.