Index
A
- abstract Unix domain socket
- stream-connect interface, creating for / For an abstract Unix domain socket, How it works…
- Acceptable behavior / The role of the SELinux policy
- access privileges
- verifying / Looking into access privileges, How it works…
- access privileges, verifying
- direct access inspection / Direct access inspection
- policy manipulation / Policy manipulation
- indirect access / Indirect access
- Administration, logical architecture / The structural documentation
- administrative interface
- allow_execmem / How it works...
- Apache
- running, with right context / Running Apache with the right context
- starting, with limited clearance / Starting Apache with limited clearance, How it works...
- Apache eXtenSion tool
- tasks, performing / How it works...
- Apache virtual host support
- URL / See also
- Application / About SELinux
- application-specific domains
- building, templates used / Building application-specific domains using templates, How it works…
- application logical design
- researching / Researching the application's logical design
- files / Files and directories
- directories / Files and directories
- network resources / Network resources
- processes / Processes
- hardware resource / Hardware and kernel resources
- kernel resource / Hardware and kernel resources
- application network access
- governing / Governing application network access, How it works…
- application resource interfaces
- creating / Creating application resource interfaces
- application role interfaces
- Artica
- URL / See also
- auditallow statement / How it works…
- auditctl command / How it works…
- audit subsystem
- about / There's more...
B
- backup file
- backup solution
- selecting / How to do it…, How it works…
- Bell-LaPadula model
- URL / About SELinux
- binary policy module
- creating / The binary policy module
- BIND 9, chroot jail
- build-time policy decisions
C
- -C option / How it works...
- C
- SELinux userland configuration, querying in / Querying SELinux userland configuration in C, How it works…, There's more...
- capabilities
- used, with SELinux / Configuring capabilities instead of setuid binaries, How it works…
- chroot / Using substitution definitions
- about / Introduction
- assigning, to regular services / Assigning a different root location to regular services, How to do it…, How it works…, There's more...
- used, for SELinux-aware applications / Using a different root location for SELinux-aware applications, How it works…
- chroot() operations
- URL / See also
- chroot jail
- CISecurity Benchmark for Red Hat Enterprise Linux
- reference / See also
- class identifiers
- about / Class identifiers
- -- identifier / Class identifiers
- -d identifier / Class identifiers
- -l identifier / Class identifiers
- -b identifier / Class identifiers
- -c identifier / Class identifiers
- -p identifier / Class identifiers
- -s identifier / Class identifiers
- cleanup process / Reducing exploit risks
- clients
- privileges, granting to / Granting privileges to all clients, How to do it…, How it works…
- coarse-grained policy
- about / Introduction
- commands
- running, with sudo / Running commands in a specified role with sudo, How it works…
- running, with runcon command / Running commands in a specified role with runcon, How it works…
- comment system
- constructs, using / The in-line documentation
- common helper domains
- defining / Defining common helper domains, How to do it…, How it works…
- conditional policy rules
- conditional policy support
- configuration files
- URL / See also
- constraints, resource-sensitivity labels / Constraints
- constraint statements
- URL / See also
- context
- processes, running in / Running new processes in a new context, How it works…, There's more...
- context, of resource
- reading / Reading the context of a resource, There's more...
- context declaration / Context declaration
- context definitions
- setting / Setting context definitions, How it works…
- context method / How it works…
- contexts
- HTTP users, mapping to / Mapping HTTP users to contexts, How to do it…
- deciding, source address mapping used / Using source address mapping to decide on contexts, There's more...
- cron
- used, with SELinux / Using cron with SELinux, How it works…, There's more…
- custom CGI domain
- creating / Creating a custom CGI domain, How to do it…, How it works...
- custom content types
- customizable type / User content and customizable types, There's more...
D
- D-Bus message flows
- controlling / Controlling D-Bus message flows, Getting ready, How it works…, There's more...
- database administrator (DBA) / How it works…
- default contexts / Default types and default contexts
- default types / Default types and default contexts
- default_contexts file / Default types and default contexts
- denied security-bounded transitions
- denied transition validation
- about / Denied transition validation
- Desktop applications
- about / Introduction
- development environment
- direct access inspection / Direct access inspection
- directories
- about / Files and directories
- Docker
- URL / See also
- DokuWiki
- domain definitions / Domain definitions
E
- equivalence class / Using substitution definitions
- exec interface
- Expected behavior / The role of the SELinux policy
F
- FAMOUS abbreviation / The structural documentation
- Fedora
- URL / Getting ready, See also
- Feeds, logical architecture / The structural documentation
- fgetfilecon() method / How it works…
- file ACLs
- user content, sharing with / Sharing user content with file ACLs, How to do it…, How it works…, There's more...
- file contexts
- defining, through patterns / Defining file contexts through patterns, How it works…, Path expressions, Class identifiers, There's more...
- path expressions / Path expressions
- order, processing / The order of processing
- class identifiers / Class identifiers
- context declaration / Context declaration
- file labels
- managing / Introduction
- files
- about / Files and directories
- file transition
- defining / How to do it…
- file transitions
- SELinux policy, enhancing with / Enhancing an SELinux policy with file transitions, Getting ready, How it works…, Finding the right search pattern, Patterns, There's more...
- file_contexts.subs / Using substitution definitions
- findcon tool / The order of processing
- fine-grained application domain definitions
- using / Using fine-grained application domain definitions, How to do it…
- example / Using fine-grained application domain definitions
- exploit risks, reducing / Reducing exploit risks
- role management / Role management
- type inheritance / Type inheritance and transitions
- transitions / Type inheritance and transitions
- fine-grained policies
- about / Introduction
- Flask
- URL / About SELinux
- four-fold
- about / How it works…
- ftp_shell_r role / Initial role based on entry
- full policy replacement, resource-sensitivity labels / Full policy replacement
- functions.sh script / How it works…
G
- generic application domain
- creating / Creating a generic application domain, How it works…
- Gentoo Linux
- URL / Getting ready
- gen_context macro / Context declaration
- gen_tunable declarations
- about / How it works…
- getcon() method / How it works…
- getexeccon() method / There's more...
- getpeercon() method / There's more...
- getprevcon() method / There's more...
- getsebool command / How it works...
- get_default_context() method / There's more...
- get_ordered_context_list() method / There's more...
- get_ordered_context_list_with_role() method / There's more...
- git tutorial
- URL / See also
- group membership
- used, for role-based access / Using group membership for role-based access, How it works…
- grsecurity
- about / There's more...
- URL / There's more...
H
- hardware resource / Hardware and kernel resources
- httpdcontent attribute / How it works…
- httpd_selinux / See also
- HTTP users
- mapping, to contexts / Mapping HTTP users to contexts, How to do it…
I
- in-line documentation / The in-line documentation
- indirect access / Indirect access
- infrastructural resources / Infrastructural resources
- initial SIDs / Type inheritance and transitions
- inter-process communication (IPC) / Type inheritance and transitions
- interface changes, SELinux policy modules / Changes in interfaces
- interface names
- about / How to do it…
- invalid context
- about / Invalid contexts
- is_selinux_enabled() function / How it works…
- is_selinux_mls_enabled() method / There's more...
J
- jail
- Jailkit project
- URL / See also
K
- kdbus / There's more...
- kernel
- configuring / There's more...
- kernel resource / Hardware and kernel resources
- kernel version changes, SELinux policy modules / Kernel version changes
L
- level method / How it works…
- libselinux.so library / How it works…
- libselinux library / How it works…
- libselinux package / Checking the SELinux state programmatically
- Linux containers
- URL / See also
- Linux Security Modules (LSM) / About SELinux
- Linux user
- mapping / SELinux users and Linux user mappings
- Linux users
- mapping, to SELinux users / Mapping Linux users to SELinux users, How it works…
- location, interface definitions
- logical architecture, service
- Feeds / The structural documentation
- Administration / The structural documentation
- Monitoring / The structural documentation
- Operations / The structural documentation
- Users and rights / The structural documentation
- Security-related features / The structural documentation
- logical resources / Logical resources
M
- mcstrans file / The mcstrans and setrans.conf files
- MLS-disabled system / MLS or not
- MLS-enabled system / MLS or not
- MLS-enabled systems
- operations / Setting resource-sensitivity labels
- MLS statements
- URL / See also
- mod_selinux
- setting / Setting up mod_selinux, How to do it…, How it works...
- URL / How to do it…, See also
- virtual hosts, separating with / Separating virtual hosts with mod_selinux, How it works...
- mod_selinux.c file
- about / How it works...
- mod_selinux module
- mod_setenvif support
- URL / See also
- Monitoring, logical architecture / The structural documentation
N
- naming convention, reference policy
- network / Reducing exploit risks
- network access / The network access
- network resources / Network resources
- neverallow statement
- about / Ensuring an SELinux rule is never allowed
- including, in SELinux policy / How to do it…, How it works…
- newrole command / How it works…
- Normalized behavior / The role of the SELinux policy
O
- one domain per application
- about / Introduction
- online research, service / Online research
- open source virtual appliance providers
- list / See also
- Operations, logical architecture / The structural documentation
- optional_policy statement
- about / How it works…
- order
- processing / The order of processing
- own interface
- creating / Creating our own interface, How to do it…, How it works…
- location, interface definitions / The location of the interface definitions
- in-line documentation / The in-line documentation
P
- ${POLICY_LOCATION} variable / How it works…
- .pp files / Changes in interfaces
- packet labeling
- about / How it works...
- path expressions / Path expressions
- patterns
- file contexts, defining through / Defining file contexts through patterns, How it works…, Path expressions, The order of processing, Context declaration
- using / Patterns, There's more...
- per-user web directories
- URL / See also
- Perl-Compatible Regular Expressions (PCRE) / Path expressions
- permission issues
- clarifying, strace used / How to do it…, How it works…
- permissions
- ignoring / Ignoring permissions we don't need, How it works…
- policies
- differentiating, based on use cases / Differentiating policies based on use cases, How it works…
- policy
- loading, into policy store / Loading a policy into the policy store, There's more...
- testing / Testing and enhancing the policy, How it works…
- enhancing / Testing and enhancing the policy, How it works…
- role, defining / Defining a role in the policy
- policy manipulation / Policy manipulation
- policy source file
- creating / The policy source file
- polyinstantiated directories
- positive policy decisions
- POSIX Capabilities & File POSIX Capabilities
- URL / See also
- privileges
- documenting / Documenting common privileges, How to do it…, How it works…
- granting, to all clients / Granting privileges to all clients, How to do it…, How it works…
- processes / Processes
- running, in new context / Running new processes in a new context, How it works…, There's more...
Q
- qmgr process / Reducing exploit risks
R
- ranged daemon domain, resource-sensitivity labels / Ranged daemon domain
- read_file_perms / Patterns
- Red Hat
- URL / See also
- reference policy API documentation
- URL / See also
- reference policy project
- refpolicy interfaces
- calling / Calling refpolicy interfaces, How it works…
- refpolicy naming convention
- Remote_Host / There's more...
- Request_Method / There's more...
- Request_Protocol / There's more...
- Request_URI / There's more...
- resource-access interfaces
- resource-sensitivity labels
- setting / Setting resource-sensitivity labels, How to do it…, Full policy replacement, Constraints, See also
- full policy replacement / Full policy replacement
- ranged daemon domain / Ranged daemon domain
- constraints / Constraints
- resources
- finding / Finding common resources, How to do it…
- shared file locations / Shared file locations
- user content / User content and customizable types, There's more...
- customizable type / User content and customizable types, There's more...
- resource types
- selecting / Choosing resource types wisely, How to do it…
- domain definitions / Domain definitions
- logical resources / Logical resources
- infrastructural resources / Infrastructural resources
- restorecond / There's more...
- restore file
- Reverse Polish Notation (RPN) / How it works…
- role
- creating / Creating a new role, How to do it…
- defining, in policy / Defining a role in the policy
- configuring / Initial role based on entry, How to do it…, How it works…
- role, creating
- role, defining in policy / Defining a role in the policy
- role privileges, extending / Extending the role privileges
- default types / Default types and default contexts
- default contexts / Default types and default contexts
- role-based access
- group membership, using for / Using group membership for role-based access, How it works…
- role-based access control / About SELinux
- Role Based Access Control (RBAC) / How it works…
- role management / Role management
- role privileges
- extending / Extending the role privileges
- roles
- about / Introduction
- assigning, to users / Introduction
- switching / Switching roles, How it works…
- role transitions
- defining / Defining role transitions, How it works…
- runcon application / How it works…
- runcon command / Running Apache with the right context
- commands, running with / Running commands in a specified role with runcon, How it works…
- run interface
S
- sandbox environment, service / Sandbox environment
- search pattern
- selecting / Finding the right search pattern
- SECMARK labeling
- URL / See also
- Security-related features, logical architecture / The structural documentation
- Security Enhanced PostgreSQL (SEPostgreSQL) / Introduction
- sefinddef function / How to do it…, How it works…
- sefindif function / How to do it…, How it works…
- SELinux
- about / Introduction, About SELinux, Introduction
- example / The example
- analyzing / Identifying whether SELinux is to blame, How it works…
- capabilities, using with / Configuring capabilities instead of setuid binaries, How it works…
- cron, using with / Using cron with SELinux, How it works…, There's more…
- SELinux-aware applications
- chroot, used for / Using a different root location for SELinux-aware applications, How it works…
- handling / Introduction
- SELinux audit events
- references / See also
- SELinux constraints
- overview / Looking through SELinux constraints, How to do it…, How it works…
- references / See also
- SELinux module
- building / Building a simple SELinux module, Getting ready, How to do it…, How it works…, The binary policy module, There's more...
- policy source file, creating / The policy source file
- binary policy module, creating / The binary policy module
- policy, loading into policy store / Loading a policy into the policy store, There's more...
- SELinux policy
- about / The role of the SELinux policy
- Acceptable behavior / The role of the SELinux policy
- Expected behavior / The role of the SELinux policy
- Normalized behavior / The role of the SELinux policy
- enhancing, with file transitions / Enhancing an SELinux policy with file transitions, Getting ready, How it works…
- search pattern, selecting / Finding the right search pattern
- patterns / Patterns, There's more...
- neverallow statement, including in / How to do it…, How it works…
- SELinux policy, storing
- local/ / Creating the development environment
- centralized/ / Creating the development environment
- bin/ / Creating the development environment
- SELinux Policy IDE (SLIDE)
- about / Introduction
- URL / Introduction
- SELinux policy modules
- distributing / Distributing SELinux policy modules, How it works…, MLS or not
- interface changes / Changes in interfaces
- kernel version changes / Kernel version changes
- MLS-enabled system / MLS or not
- MLS-disabled system / MLS or not
- SELinux state
- SELinux subsystem, code-wise
- interrogating / Interrogating the SELinux subsystem code-wise, How it works…, There's more...
- SELinux userland configuration
- querying, in C / Querying SELinux userland configuration in C, How it works…, There's more...
- SELinux users
- mapping / SELinux users and Linux user mappings
- managing / Managing SELinux users, How to do it…, How it works…
- Linux users, mapping to / Mapping Linux users to SELinux users, How to do it…
- SELINUX_AVD_FLAGS_PERMISSIVE flag / How it works…
- SELINUX_ERR messages
- analyzing / Getting ready, How it works…
- examples / How it works…
- semanage boolean command / How it works...
- semanage command / Getting ready
- semanage export command / How it works…
- semanage fcontext command / How it works…, How it works…
- semodule command / The policy source file, Loading a policy into the policy store
- sendmail command / Defining common helper domains
- sensitivity categories
- configuring / Configuring sensitivity categories, How to do it…, SELinux users and Linux user mappings, Running Apache with the right context
- mcstrans file / The mcstrans and setrans.conf files
- setrans.conf file / The mcstrans and setrans.conf files
- SELinux users, mapping / SELinux users and Linux user mappings
- Linux user, mapping / SELinux users and Linux user mappings
- Apache, running with right context / Running Apache with the right context
- sepolicy
- about / There's more...
- Server_Addr / There's more...
- service
- about / Understanding the service, How to do it…
- online research / Online research
- sandbox environment / Sandbox environment
- structural documentation / The structural documentation, See also
- service ownership
- restricting / Restricting service ownership, How it works…
- seshowdef function / How to do it…, How it works…
- seshowif function / How it works…
- setcon() method / There's more...
- setexecfilecon() method / There's more...
- setexec permission / How it works…
- setfiles command / How it works…
- setfscreatecon() method / There's more...
- setrans.conf file / The mcstrans and setrans.conf files
- setsebool command / How it works...
- SFTP chroots
- URL / See also
- shared file locations / Shared file locations
- shared memory / X11 and shared memory
- skeleton policy
- creating / Creating a skeleton policy, How to do it…, Type declarations, Managing files and directories, There's more...
- type declarations / Type declarations
- files, managing / Managing files and directories
- directories, managing / Managing files and directories
- X11 server / X11 and shared memory
- shared memory / X11 and shared memory
- network access / The network access
- smtpd daemon / Reducing exploit risks
- source address mapping
- used, for deciding on contexts / Using source address mapping to decide on contexts, There's more...
- ssh_sysadm_login / How it works…
- strace
- used, for clarifying permission issues / How to do it…, How it works…
- using, against daemons / How to do it…, How it works…
- reference / See also
- stream-connect interface
- creating / Creating a stream-connect interface
- creating, for Unix domain socket with socket file / For a Unix domain socket with a socket file
- creating, for abstract Unix domain socket / For an abstract Unix domain socket, How it works…
- structural documentation, service / The structural documentation, See also
- style guide, reference policy
- URL / There's more...
- substitution definitions
- sudo
- commands, running with / Running commands in a specified role with sudo, How it works…
- sudo application
- URL / See also
- sudo command / How it works…
- sVirt
- URL / See also
- Sysdig
- reference / See also
- system behavior
- auditing / Auditing system behavior, How it works…
- SystemTap
- reference / See also
T
- tail command / Getting ready
- targeted / Introduction
- templates
- used, for building application-specific domains / Building application-specific domains using templates, How it works…
- tor / There's more...
- transition interface
- transitions / Type inheritance and transitions
- Turnkey Linux
- URL / See also
- type declarations / Type declarations
- type enforcement / About SELinux
- type inheritance / Type inheritance and transitions
- type transition / Enhancing an SELinux policy with file transitions
U
- udev / There's more...
- udev's SELinux integration
- Unix domain socket, with socket file
- stream-connect interface, creating for / For a Unix domain socket with a socket file
- use cases
- policies, differentiating / Differentiating policies based on use cases, How it works…
- User Based Access Control (UBAC)
- about / Type declarations
- user content / User content and customizable types, There's more...
- sharing, with file ACLs / Sharing user content with file ACLs, How to do it…, How it works…, There's more...
- user directory support
- enabling / Enabling user directory support, How to do it…, There's more...
- userdom_admin_user_template / Defining a role in the policy
- userdom_base_user_template / Defining a role in the policy
- userdom_common_user_template / Defining a role in the policy
- userdom_login_user_template / Defining a role in the policy
- userdom_restricted_user_template / Defining a role in the policy
- userdom_unpriv_user_template / Defining a role in the policy
- user method / How it works…
- Users and rights, logical architecture / The structural documentation
- user space object managers / Introduction
V
- Vagrant
- URL / See also
- virtual hosts
- separating, with mod_selinux / Separating virtual hosts with mod_selinux, How it works...
W
- web applications
- about / Introduction
- web content types
- assigning / Assigning web content types, How it works…, There's more...
- web server ports
X
- X11 server / X11 and shared memory
- XDGBDS
- URL / See also