Be it for personal use or for larger enterprises, system administrators have often an ungrateful job of protecting the system from malicious attacks and undefined application behavior. Providing security to systems is a major part of their job description, and to accomplish this there are a large set of security technologies are at the administrator's disposal, such as firewalls, file integrity validation tools, configuration enforcement technologies, and many more. Major parts of system security is the authentication of users, authorization of these users, and auditing of all changes and operations made on the system. Users, however, are becoming more experienced with working around regular access controls that are designed to keep the system safe, and application vulnerabilities are often exposing much more of the system than what the application should have access to.
Fine-grained access controls and enforcement by the system are needed so that users do not need to look for workarounds, and application vulnerabilities remain within the scope of the application. Linux has replied to this demand with a flexible security architecture in which mandatory access control systems can be defined. One of these is SELinux, the security-enhanced Linux subsystem.
More and more distributions are bundling SELinux support with their offerings, making SELinux available to the mass population of Linux administrators. Yet SELinux is often found to be a daunting technology to work with. Be it due to misunderstandings or lack of information, too many times SELinux is being disabled in favor of rapid fixing of permission issues. This, however, is not fixing an issue but it is ignoring an issue and removing the safe barriers that were put in place to protect the system from them.
In this book, we will describe the SELinux concepts and show how to leverage SELinux to improve the secure state of a Linux system. Together with examples and command references, this book will offer a complete view on SELinux and how it integrates with various other components on a Linux system.
Chapter 1, Fundamental SELinux Concepts, describes SELinux covering the basic concepts of this mandatory access control system needed to understand how and why SELinux-enabled systems behave as they do.
Chapter 2, Understanding SELinux Decisions and Logging, focuses on the enforcement of rules within an SELinux system and how are they related to a Linux system. It explains how and what SELinux logs on the system and how SELinux can be enabled or disabled.
Chapter 3, Managing User Logins, teaches how to manage users and logins on a SELinux system and how to assign roles based on the user's needs. It describes the integration of SELinux with other technologies such as PAM or sudo, and gives us a first taste of what unconfined domains mean to an SELinux system.
Chapter 4, Process Domains and File-level Access Controls, describes the SELinux access control rules based on file accesses. We see how SELinux uses file contexts and process contexts and how we can interrogate the SELinux policy.
Chapter 5, Controlling Network Communications, introduces us to access controls on the network level. We see how the standard SELinux socket-based access controls work, and how we can leverage the Linux netfilter system to label network packets. The chapter also gives a brief introduction to the labeled IPSec and NetLabel/CIPSO support, two technologies that can transport SELinux labels across systems.
Chapter 6, Working with SELinux Policies, discusses how to tune SELinux policies, either through SELinux Booleans or by adding additional rules on top of the existing policy. This chapter covers how to use distribution provided tools, as well as manually maintaining additional SELinux policy modules and finish off with a set of use case-driven examples for enhancing SELinux policies.
This book targets Linux system administrators who have a good understanding of how does Linux work and want to understand and work with the SELinux technology. It might also be interesting for IT architects to understand how SELinux can be positioned to enhance the security of Linux systems within their organization.
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
Code words in text are shown as follows: "The context can be seen using the regular file listing tools such as ls -Z or stat."
A block of code is set as follows:
/etc/resolv.conf /etc/mtab /var/run/utmp ~/public_html ~/.mozilla/plugins/libflashplayer.so
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
<VirtualHost *:80> DocumentRoot /var/www/sales ServerName sales.genfic.com selinuxDomainMap /etc/apache/selinux/mod_selinux.map </VirtualHost>
Any command-line input or output is written as follows:
$ chcat -- +Customer2 index.html
New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "This usually is "denied", although some actions are explicitly marked for auditing and would result in "granted"".
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply send an e-mail to <[email protected]>, and mention the book title through the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
You can download the example code files for all Packt books you have purchased from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website, or added to any list of existing errata, under the Errata section of that title.
Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at <[email protected]> with a link to the suspected pirated material.
We appreciate your help in protecting our authors, and our ability to bring you valuable content.
You can contact us at <[email protected]> if you are having a problem with any aspect of the book, and we will do our best to address it.