July 2013 2.7 Software 175
2.7.12 SELinux
SELinux is an expansion for Linux-based operating systems. SELinux is an
additional safety software in the sense of Mandatory Access Control (MAC)
and protects the system against the execution of unauthorized processes or
functions, i.e. viruses and other malicious software. MAC means that every
action must be explicitly permitted, otherwise it will not be executed. The
software is intended as protection in addition to the normal access restriction
in Linux. Certain processes and actions can only be executed if the standard
functions and access control of SELinux permit it. SELinux is only available
with NC software version 606 42x.
The SELinux installation of the TNC is prepared to permit running of only those
programs installed with the HEIDENHAIN NC software. Other programs
cannot be run with the standard installation.
The directory itself and the data in the PLC:\etc\selinux directory should not
be deleted. These files are directly related to the function of the SELinux
safety software.
The access control of SELinux under HEROS 5 is regulated as follows:
Only files that are installed with the HEIDENHAIN NC software can be
executed.
Files in connection with the safety of the software (SELinux system files,
HEROS 5 boot files etc.) may only be changed by programs that are selected
explicitly.
New files generated by other programs must never be executed.
There are only two processes that are permitted to execute new files:
• Starting of a software update
A software update from HEIDENHAIN can replace or change system
files. Software updates may only be downloaded from HESIS-Web
Including FileBase. Install a software update only if you can trust the
source of the files (e.g. USB stick).
You can prohibit software updates via the configuration of SELinux.
• Starting of the SELinux configuration
The configuration of SELinux should be protected by a password.
HEIDENHAIN generally recommends activating SELinux because it provides
additional protection against attacks from outside. When commissioning the
machine you should first install all of the required components (PLC program,
OEM help files, Python scripts etc.) before you activate SELinux. When the
control boots, it will only display a short note then.
In rare cases it may be necessary to check the application of SELinux:
Python modules or libraries that are not included in the HEIDENHAIN
standard installation or were modified by the user. In such cases the user's
changes must be checked and corrected, if necessary.
OEM specific applications with executable files. In such cases the
application of SELinux must be tested more thoroughly and possibly be
adapted.
To Next Page
Loading...
