Book Image

SELinux System Administration

By : Sven Vermeulen
Book Image

SELinux System Administration

By: Sven Vermeulen

Overview of this book

NSA Security-Enhanced Linux (SELinux) is a set of patches and added utilities to the Linux kernel to incorporate a strong, flexible, mandatory access control architecture into the major subsystems of the kernel. With its fine-grained yet flexible approach, it is no wonder Linux distributions are firing up SELinux as a default security measure. SELinux System Administration covers the majority of SELinux features through a mix of real-life scenarios, descriptions, and examples. Everything an administrator needs to further tune SELinux to suit their needs are present in this book. This book touches on various SELinux topics, guiding you through the configuration of SELinux contexts, definitions, and the assignment of SELinux roles, and finishes up with policy enhancements. All of SELinux's configuration handles, be they conditional policies, constraints, policy types, or audit capabilities, are covered in this book with genuine examples that administrators might come across. By the end, SELinux System Administration will have taught you how to configure your Linux system to be more secure, powered by a formidable mandatory access control.
Table of Contents (13 chapters)

Getting in the right context


With all the information about SELinux users and roles, we still haven’t touched how we get our context when we log in, or how we can change the type in the context.

Context switching during authentication

Traditionally, we log in to a Linux system through either a login process (triggered through a getty process) in case of a command-line login, a certain service (for example, the OpenSSH daemon), or through a graphical login manager (xdm, kdm, gdm, slim, and so on).

These services are responsible for switching our effective user ID (upon successful authentication of course) so that we are not logged on to the system as the root user. In case of SELinux systems, these processes also need to switch the SELinux user (and role) accordingly.

In theory, all these applications can be made fully SELinux aware, consulting the information we entered through semanage user and semanage login. But instead of converting all these applications, the developers decided to take...