On Linux there is a mandatory access control (MAC) architecture available known as SELinux, which allows for very detailed restriction management of arbitrary programs. Another mechanism available is AppArmor, which is not quite as strict as SELinux but easier to manage.

Because these mechanisms allow, and in fact require, very detailed settings about what actions the programs are permitted to perform, it is not possible to ship pre-configured rules for them that can be used as-is. Many customer- and installation-dependent settings (used components, ports, and so on) have to be taken into account when creating a policy for SELinux or AppArmor. If you decide to implement one of these additional mechanisms, you must plan additional time for the policy creation.