Book Image

SELinux System Administration

By : Sven Vermeulen
Book Image

SELinux System Administration

By: Sven Vermeulen

Overview of this book

NSA Security-Enhanced Linux (SELinux) is a set of patches and added utilities to the Linux kernel to incorporate a strong, flexible, mandatory access control architecture into the major subsystems of the kernel. With its fine-grained yet flexible approach, it is no wonder Linux distributions are firing up SELinux as a default security measure. SELinux System Administration covers the majority of SELinux features through a mix of real-life scenarios, descriptions, and examples. Everything an administrator needs to further tune SELinux to suit their needs are present in this book. This book touches on various SELinux topics, guiding you through the configuration of SELinux contexts, definitions, and the assignment of SELinux roles, and finishes up with policy enhancements. All of SELinux's configuration handles, be they conditional policies, constraints, policy types, or audit capabilities, are covered in this book with genuine examples that administrators might come across. By the end, SELinux System Administration will have taught you how to configure your Linux system to be more secure, powered by a formidable mandatory access control.

Related Content you might be interested in

Current Title:

Small book image
SELinux System Administration
Sven Vermeulen
Sep, 2013 | 120 pages
No titles found
Table of Contents (13 chapters)
SELinux System Administration
SELinux System Administration
Credits
Credits
About the Author
About the Author
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Fundamental SELinux Concepts
Fundamental SELinux Concepts
Providing more security to Linux
Everything gets a label
Policies – the ultimate dictators
Summary
2
Understanding SELinux Decisions and Logging
Understanding SELinux Decisions and Logging
Disabling SELinux
SELinux on, SELinux off
SELinux logging and auditing
Summary
3
Managing User Logins
Managing User Logins
So, who am I?
SELinux users and roles
Jumping from one role to another
Getting in the right context
Summary
4
Process Domains and File-level Access Controls
Process Domains and File-level Access Controls
Reading and changing file contexts
The context of a process
Dealing with types, permissions, and constraints
Summary
5
Controlling Network Communications
Controlling Network Communications
TCP and UDP support
Integrating with Linux netfilter
Introducing labeled networking
Summary
6
Working with SELinux Policies
Working with SELinux Policies
Manipulating SELinux policies
Enhancing SELinux policies
Creating our own modules
Creating roles and user domains
Creating new application domains
Other uses of policy enhancements
Summary
Index
Index

Jumping from one role to another

Although we can be assigned with multiple roles, we still need to switch roles based on our needs. SELinux supports multiple methods for switching roles and sensitivities or launching applications in specific categories.

Full role switching with newrole

The SELinux newrole application can be used to transition from one role to another. Consider an SELinux system without unconfined domains, and where we are by default logged in as the staff_r role. In order to perform administrative tasks, we need to switch to the sysadm_r administrative role, which we can do with newrole.

If the SELinux user we are mapped to (for example, sysadm_u) is allowed to access the specified role (in the example, sysadm_r), then our context is changed from the previous role to the new one. Usually, this also changes the user domain.

Let’s check our current context, change our role, and then check the context again to ensure that we properly switched to our role as follows:

$ id -Z
staff_u...
Previous Section
End of Section 4
Next Section