Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

This is how linux systems are used, when an higher level of security is needed.

The security levels look like this(lowest to highest):

Standard installation > AppArmor > Selinux > selinux with default-deny(everything not explicitly allowed is denied)



There's also fapolicyd as well, but the problem is these rule sets are often updated automatically by the package installation manager such as RPM. So while this can stop rogue binaries from running in unapproved locations anyone who has access to the box to install a rogue binary and have it run at elevated permissions would be able to install a package with the package manager. Most of the default rule sets trust things that are installed with the package manager in order to make the operating system usable.


Windows has an built in method, but make backups, since you can deny yourself access to critical things.




Consider applying for YC's Summer 2026 batch! Applications are open till May 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: