Comparative Study of Containment Strategies in Solaris and Security Enhanced Linux

Eriksson, Magnus, Palmroos, Staffan

January 2007

<p>To minimize the damage in the event of a security breach it is desirable to limit the privileges of remotely available services to the bare minimum and to isolate the individual services from the rest of the operating system. To achieve this there is a number of different containment strategies and process privilege security models that may be used. Two of these mechanisms are Solaris Containers (a.k.a. Solaris Zones) and Type Enforcement, as implemented in the Fedora distribution of Security Enhanced Linux (SELinux). This thesis compares how these technologies can be used to isolate a single service in the operating system.</p><p>As these two technologies differ significantly we have examined how the isolation effect can be achieved in two separate experiments. In the Solaris experiments we show how the footprint of the installed zone can be reduced and how to minimize the runtime overhead associated with the zone. To demonstrate SELinux we create a deliberately flawed network daemon and show how this can be isolated by writing a SELinux policy.</p><p>We demonstrate how both technologies can be used to achieve isolation for a single service. Differences between the two technologies become apparent when trying to run multiple instances of the same service where the SELinux implementation suffers from lack of namespace isolation. When using zones the administration work is the same regardless of the services running in the zone whereas SELinux requires a separate policy for each service. If a policy is not available from the operating system vendor the administrator needs to be familiar with the SELinux policy framework and create the policy from scratch. The overhead of the technologies is small and is not a critical factor for the scalability of a system using them.</p>

Solaris Zones

Solaris Containers

SELinux

containment strategies

virtualization

Computer science

Datalogi

Comparative Study of Containment Strategies in Solaris and Security Enhanced Linux

Eriksson, Magnus, Palmroos, Staffan

January 2007

To minimize the damage in the event of a security breach it is desirable to limit the privileges of remotely available services to the bare minimum and to isolate the individual services from the rest of the operating system. To achieve this there is a number of different containment strategies and process privilege security models that may be used. Two of these mechanisms are Solaris Containers (a.k.a. Solaris Zones) and Type Enforcement, as implemented in the Fedora distribution of Security Enhanced Linux (SELinux). This thesis compares how these technologies can be used to isolate a single service in the operating system. As these two technologies differ significantly we have examined how the isolation effect can be achieved in two separate experiments. In the Solaris experiments we show how the footprint of the installed zone can be reduced and how to minimize the runtime overhead associated with the zone. To demonstrate SELinux we create a deliberately flawed network daemon and show how this can be isolated by writing a SELinux policy. We demonstrate how both technologies can be used to achieve isolation for a single service. Differences between the two technologies become apparent when trying to run multiple instances of the same service where the SELinux implementation suffers from lack of namespace isolation. When using zones the administration work is the same regardless of the services running in the zone whereas SELinux requires a separate policy for each service. If a policy is not available from the operating system vendor the administrator needs to be familiar with the SELinux policy framework and create the policy from scratch. The overhead of the technologies is small and is not a critical factor for the scalability of a system using them.

Solaris Zones

Solaris Containers

SELinux

containment strategies

virtualization

Computer Sciences

Datavetenskap (datalogi)

“Women, you know that women they are very easy to deceive … ” : understandings of women's role in witchcraft-related violence among community groups and social workers in southern Nigeria and handling of such violence.

Mark, Faith

January 2017

This study aims to explore how social workers and community groups in southern Nigeria understand and interpret women's roles in witchcraft related violence and the implications those views have on the handling of such violence. This topic is of relevance for social work since knowledge about this problem can increase the awareness of violence and its implications when meeting clients that are exposed to it.     The study was conducted with an ethnographical approach using a combination of participant observations, semi structured and un-structured forms of interviews’ and seven focus group discussions. Four of the focus groups consisted of social workers who work with empowerment and advocacy for women and girls in Edo-state. The other three were made up of locals in a suburb of Benin City. In this study, I used Clifford Geertz (1973) interpretive anthropology as a comprehensive theory in analysing the results and the theoretical concepts from Mann Huyng Hurs (2006) theory on stages of Empowerment; an existing social disturbance, Conscientizing, Mobilizing, Maximizing and creating a new order. The results of this study show that understandings and interpretations of women’s role in witchcraft-related violence by the participating social workers and community members influences their views on what is to be considered violence and who are to be considered victims. Their views also influence their containment strategies and approaches on how to handle this violence.

Social workers

Community groups

Women

Witchcraft

Violence

Understanding

Containment strategies

Social Work

Socialt arbete