[relnotes] [Fedora Project Wiki] Update of "Docs/Beats/Security" by LubomirKundrak

Fri Mar 28 12:22:35 UTC 2008

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Fedora Project Wiki" for change notification.

The following page has been changed by LubomirKundrak:
http://fedoraproject.org/wiki/Docs/Beats/Security?action=diff&rev2=52&rev1=51

The comment on the change is:
Add FORTIFY_SOURCE and SELinux

------------------------------------------------------------------------------
  === Security Enhancements ===
  
  Fedora continues to improve its many proactive [http://fedoraproject.org/wiki/Security/Features security features].
+ 
+ ==== Support for SHA-256 and SHA-512 passwords ====
  
  The `glibc` package in Fedora 8 had [http://people.redhat.com/drepper/sha-crypt.html support] for passwords using SHA-256 and SHA-512 hashing.  Previously, only DES and MD5 were available.  These tools have been extended in Fedora 9. Password hashing using the SHA-256 and SHA-512 hash functions is now supported.
  
@@ -23, +25 @@

  
   * New options, `ENCRYPT_METHOD`, `SHA_CRYPT_MIN_ROUNDS`, and `SHA_CRYPT_MAX_ROUNDS`, are now supported in `/etc/login.defs`. Refer to the `login.defs(5)` man page for details. Corresponding options were added to `chpasswd(8)` and `newusers(8)`. 
  
+ ==== FORTIFY_SOURCE extended to cover more functions ====
+ 
+ [http://fedoraproject.org/wiki/Security/Features#head-2f26f1e8c2bc1b5d397cdcae042449ce07a6f51d FORTIFY_SOURCE] protection now covers {{{asprintf}}}, {{{dprintf}}}, {{{vasprintf}}}, {{{vdprintf}}}, {{{obstack_printf}}} and {{{obstack_vprintf}}}. This is particularly useful for application that use {{{glib2}}} library, as various functions from it use {{{vasprintf}}}.
+ 
+ ==== SELinux enhancements ====
+ 
+  * Browser plugins wrapped with {{{nspluginwrapper}}} (which is the default) now run confined
+  * Different roles are now available, to allow fine-graining access control
+    * {{{guest_t}}} doesn't allow running setuid binaries, making network connections or using GUI
+    * {{{xguest_t}}} disallows network access except for HTTP via web browser, no setuid binaries
+    * {{{user_t}}} is ideal for office users, prevents becoming root via setuid applications
+    * {{{staff_t}}} is same as {{{user_t}}}, except for root access via {{{sudo}}} is allowed
+    * {{{unconfined_t}}} provides full access, same as without SELinux
+ 
  === General Information ===
  
  A general introduction to the many proactive security features in Fedora, current status, and policies is available at http://fedoraproject.org/wiki/Security.


