sjansen at buscaluz.org
Wed Jan 23 10:21:24 MST 2008
On Wed, 2008-01-23 at 10:12 -0700, Chris Carey wrote:
> I am very familiar with writing iptables firewalls by hand. This isn't
> really what I'm looking for though. I am looking for something
> specifically that could limit on a per-application basis, which I feel
> is a very powerful security feature.
Don't forget that netfilter can also filter based on uid. So you can
limit user apache to ports 80 & 443, for example.
> It seems SELinux may solve the second part of my question - limiting
> what the executables can do on the file system.
It doesn't just limit the filesystem. It limits anything you can label.
Processes, ports, system calls, etc. Some of the cutting edge stuff is
especially interesting. SEPostgresql can actually extend policy to the
database row level.
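The uid-based netfilter filtering mentioned above, as an added example that is not part of the original message: a small POSIX shell script that emits OUTPUT-chain rules using iptables' owner match, so that processes running as the `apache` user can answer on their listening ports (80 and 443 here) and talk to loopback, while anything else they try to send is logged and rejected. The helper names (`ipt`, `build_uid_egress_rules`), the `DRY_RUN`/`IPT` variables and the log prefix are assumptions made for this example; it requires a kernel with the xt_owner module, and the owner match only applies to locally generated packets (OUTPUT/POSTROUTING), not to inbound traffic.

```shell
#!/bin/sh
# Added example (not from the original thread): confine locally generated
# traffic from one uid with netfilter's owner match. With DRY_RUN=1 (the
# default) the iptables commands are printed instead of applied; IPT names
# the iptables binary. Requires the xt_owner match module.

: "${DRY_RUN:=1}"
: "${IPT:=iptables}"

# Run an iptables command, or print it when DRY_RUN=1 (hypothetical helper).
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# build_uid_egress_rules USER PORT...  (hypothetical helper name)
# Emits OUTPUT-chain rules for USER, in order:
#   1. accept anything to loopback,
#   2. accept TCP packets whose source port is a listening PORT (server replies),
#   3. log, then reject, everything else the uid tries to send.
# A fresh outbound connection from that uid (one the service was never meant
# to open) never matches rule 2, so it lands in the LOG and REJECT rules, which
# both blocks it and leaves a kernel log line for the SOC to pick up.
build_uid_egress_rules() {
    user="$1"; shift
    ipt -A OUTPUT -m owner --uid-owner "$user" -o lo -j ACCEPT
    for port in "$@"; do
        ipt -A OUTPUT -m owner --uid-owner "$user" -p tcp --sport "$port" -j ACCEPT
    done
    ipt -A OUTPUT -m owner --uid-owner "$user" -j LOG --log-prefix "uid-egress-deny:"
    ipt -A OUTPUT -m owner --uid-owner "$user" -j REJECT
}

# Stand-alone use: print (or, with DRY_RUN=0 as root, apply) rules for the
# given user, defaulting to apache on ports 80 and 443.
build_uid_egress_rules "${1:-apache}" 80 443
```

Run it as `DRY_RUN=1 sh uid-egress.sh apache` to review the five rules before applying them; remember that this only constrains what the uid sends, so a service that also needs DNS or a database connection needs extra ACCEPT rules for those destinations placed before the LOG rule.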