Book Image

SELinux System Administration, Third Edition - Third Edition

By : Sven Vermeulen
Book Image

SELinux System Administration, Third Edition - Third Edition

By: Sven Vermeulen

Overview of this book

Linux is a dominant player in many organizations and in the cloud. Securing the Linux environment is extremely important for any organization, and Security-Enhanced Linux (SELinux) acts as an additional layer to Linux system security. SELinux System Administration covers basic SELinux concepts and shows you how to enhance Linux system protection measures. You will get to grips with SELinux and understand how it is integrated. As you progress, you’ll get hands-on experience of tuning and configuring SELinux and integrating it into day-to-day administration tasks such as user management, network management, and application maintenance. Platforms such as Kubernetes, system services like systemd, and virtualization solutions like libvirt and Xen, all of which offer SELinux-specific controls, will be explained effectively so that you understand how to apply and configure SELinux within these applications. If applications do not exert the expected behavior, you’ll learn how to fine-tune policies to securely host these applications. In case no policies exist, the book will guide you through developing custom policies on your own. By the end of this Linux book, you’ll be able to harden any Linux system using SELinux to suit your needs and fine-tune existing policies and develop custom ones to protect any app and service running on your Linux systems.

Related Content you might be interested in

Current Title:

Small book image
SELinux System Administration, Third Edition - Third Edition
Sven Vermeulen
Dec, 2020 | 458 pages
Small book image
Mastering Linux Administration
Alexandru Calcatinge | Julian Balog
Jun, 2021 | 772 pages
Small book image
Mastering Linux Security and Hardening
Donald A Tevault
Jan, 2018 | 376 pages
Small book image
Hands-On Linux Administration on Azure
Frederik Vos
Aug, 2018 | 410 pages
Table of Contents (22 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Code in Action
Download the color images
Conventions used
Get in touch
Reviews
1
Section 1: Using SELinux
Section 1: Using SELinux
Free Chapter
2
Chapter 1: Fundamental SELinux Concepts
Chapter 1: Fundamental SELinux Concepts
Technical requirements
Providing more security for Linux
Labeling all resources and objects
Defining and distributing policies
Distinguishing between policies
Summary
Questions
3
Chapter 2: Understanding SELinux Decisions and Logging
Chapter 2: Understanding SELinux Decisions and Logging
Technical requirements
Switching SELinux on and off
SELinux logging and auditing
Getting help with denials
Summary
Questions
4
Chapter 3: Managing User Logins
Chapter 3: Managing User Logins
Technical requirements
User-oriented SELinux contexts
SELinux users and roles
Handling SELinux roles
SELinux and PAM
Summary
Questions
5
Chapter 4: Using File Contexts and Process Domains
Chapter 4: Using File Contexts and Process Domains
Technical requirements
Introduction to SELinux file contexts
Keeping or ignoring contexts
SELinux file context expressions
Modifying file contexts
The context of a process
Limiting the scope of transitions
Types, permissions, and constraints
Summary
Questions
6
Chapter 5: Controlling Network Communications
Chapter 5: Controlling Network Communications
Technical requirements
Controlling process communications
Linux firewalling and SECMARK support
Securing high-speed InfiniBand networks
Understanding labeled networking
Using labeled IPsec with SELinux
Supporting CIPSO with NetLabel and SELinux
Summary
Questions
7
Chapter 6: Configuring SELinux through Infrastructure-as-Code Orchestration
Chapter 6: Configuring SELinux through Infrastructure-as-Code Orchestration
Technical requirements
Introducing the target settings and policies
Using Ansible for SELinux system administration
Utilizing SaltStack to configure SELinux
Automating system management with Puppet
Wielding Chef for system automation
Summary
Questions
8
Section 2: SELinux-Aware Platforms
Section 2: SELinux-Aware Platforms
9
Chapter 7: Configuring Application-Specific SELinux Controls
Chapter 7: Configuring Application-Specific SELinux Controls
Technical requirements
Tuning systemd services, logging, and device management
Communicating over D-Bus
Configuring PAM services
Using mod_selinux with Apache
Summary
Questions
10
Chapter 8: SEPostgreSQL – Extending PostgreSQL with SELinux
Chapter 8: SEPostgreSQL – Extending PostgreSQL with SELinux
Technical requirements
Introducing PostgreSQL and sepgsql
Understanding SELinux's database-specific object classes and permissions
Using MCS and MLS
Integrating SEPostgreSQL into the network
Summary
Questions
11
Chapter 9: Secure Virtualization
Chapter 9: Secure Virtualization
Technical requirements
Understanding SELinux-secured virtualization
Enhancing libvirt with SELinux support
Using Vagrant with libvirt
Summary
Questions
12
Chapter 10: Using Xen Security Modules with FLASK
Chapter 10: Using Xen Security Modules with FLASK
Technical requirements
Understanding Xen and XSM
Running XSM-enabled Xen
Applying custom XSM policies
Summary
Questions
13
Chapter 11: Enhancing the Security of Containerized Workloads
Chapter 11: Enhancing the Security of Containerized Workloads
Technical requirements
Using SELinux with systemd's container support
Configuring podman
Leveraging Kubernetes' SELinux support
Summary
Questions
14
Section 3: Policy Management
Section 3: Policy Management
15
Chapter 12: Tuning SELinux Policies
Chapter 12: Tuning SELinux Policies
Technical requirements
Working with SELinux booleans
Handling policy modules
Replacing and updating existing policies
Summary
Questions
16
Chapter 13: Analyzing Policy Behavior
Chapter 13: Analyzing Policy Behavior
Technical requirements
Performing single-step analysis
Investigating domain transitions
Analyzing information flow
Comparing policies
Summary
Questions
17
Chapter 14: Dealing with New Applications
Chapter 14: Dealing with New Applications
Technical requirements
Running applications without restrictions
Using sandboxed applications
Assigning common policies to new applications
Extending generated policies
Summary
Questions
18
Chapter 15: Using the Reference Policy
Chapter 15: Using the Reference Policy
Technical requirements
Introducing the reference policy
Using and understanding the policy macros
Creating application-level policies
Adding user-level policies
Getting help with supporting tools
Summary
Questions
19
Chapter 16: Developing Policies with SELinux CIL
Chapter 16: Developing Policies with SELinux CIL
Technical requirements
Introducing CIL
Creating fine-grained definitions
Building complete application policies
Summary
Questions
20
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Chapter 14
Chapter 15
Chapter 16
21
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

What this book covers

Chapter 1, Fundamental SELinux Concepts, provides fundamental insights into the SELinux technology and allows you to understand the differences between SELinux implementations.

Chapter 2, Understanding SELinux Decisions and Logging, teaches you how to analyze SELinux events, and how to configure system logging to facilitate SELinux troubleshooting.

Chapter 3, Managing User Logins, allows you to manage Linux users and associate them with the right SELinux context.

Chapter 4, Using File Contexts and Process Domains, explains how SELinux labels are exposed on the system, and how to change the SELinux context of files and resources.

Chapter 5, Controlling Network Communications, introduces SELinux access control protections on a network level, ranging from socket-based protection measures to packet filtering with SELinux.

Chapter 6, Configuring SELinux through Infrastructure-as-Code Orchestration, shows you how to configure SELinux settings across large-scale environments using automation and orchestration tooling.

Chapter 7, Configuring Application-Specific SELinux Controls, explains how SELinux is adopted by several applications to augment their security posture further.

Chapter 8, SEPostgreSQL – Extending PostgreSQL with SELinux, helps you learn how to enable SEPostgreSQL in a regular PostgreSQL deployment, and how to use the SELinux controls within the database engine.

Chapter 9, Secure Virtualization, uses libvirt and other virtualization technologies together with SELinux to further protect and isolate virtual guests from each other.

Chapter 10, Using Xen Security Modules with FLASK, teaches you how Xen uses an SELinux-like approach to isolate its guests using Xen Security Modules, and how administrators can tweak and tune isolation further.

Chapter 11, Enhancing the Security of Containerized Workloads, shows how container platforms such as Docker, podman, and Kubernetes use SELinux as a means to secure the host system from potentially untrusted containers and provide isolation between containers.

Chapter 12, Tuning SELinux Policies, expands on SELinux booleans and their effect on the system and shows how to deal with different SELinux policy modules.

Chapter 13, Analyzing Policy Behavior, explains how administrators and analysts can interpret the SELinux policy and use policy analysis tooling to learn what a policy will allow.

Chapter 14, Dealing with New Applications, informs you how to apply SELinux on new applications that are not yet supported by the current SELinux policies.

Chapter 15, Using the Reference Policy, explains how to use the reference policy to create and adjust SELinux policies.

Chapter 16, Developing Policies with SELinux CIL, introduces you to the Common Intermediate Language and how to apply it to develop custom policies.

Previous Section
Next Section