Book Image

SELinux System Administration

By : Sven Vermeulen
Book Image

SELinux System Administration

By: Sven Vermeulen

Overview of this book

NSA Security-Enhanced Linux (SELinux) is a set of patches and added utilities to the Linux kernel to incorporate a strong, flexible, mandatory access control architecture into the major subsystems of the kernel. With its fine-grained yet flexible approach, it is no wonder Linux distributions are firing up SELinux as a default security measure. SELinux System Administration covers the majority of SELinux features through a mix of real-life scenarios, descriptions, and examples. Everything an administrator needs to further tune SELinux to suit their needs are present in this book. This book touches on various SELinux topics, guiding you through the configuration of SELinux contexts, definitions, and the assignment of SELinux roles, and finishes up with policy enhancements. All of SELinux's configuration handles, be they conditional policies, constraints, policy types, or audit capabilities, are covered in this book with genuine examples that administrators might come across. By the end, SELinux System Administration will have taught you how to configure your Linux system to be more secure, powered by a formidable mandatory access control.

Related Content you might be interested in

Current Title:

Small book image
SELinux System Administration
Sven Vermeulen
Sep, 2013 | 120 pages
No titles found
Table of Contents (13 chapters)
SELinux System Administration
SELinux System Administration
Credits
Credits
About the Author
About the Author
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Fundamental SELinux Concepts
Fundamental SELinux Concepts
Providing more security to Linux
Everything gets a label
Policies – the ultimate dictators
Summary
2
Understanding SELinux Decisions and Logging
Understanding SELinux Decisions and Logging
Disabling SELinux
SELinux on, SELinux off
SELinux logging and auditing
Summary
3
Managing User Logins
Managing User Logins
So, who am I?
SELinux users and roles
Jumping from one role to another
Getting in the right context
Summary
4
Process Domains and File-level Access Controls
Process Domains and File-level Access Controls
Reading and changing file contexts
The context of a process
Dealing with types, permissions, and constraints
Summary
5
Controlling Network Communications
Controlling Network Communications
TCP and UDP support
Integrating with Linux netfilter
Introducing labeled networking
Summary
6
Working with SELinux Policies
Working with SELinux Policies
Manipulating SELinux policies
Enhancing SELinux policies
Creating our own modules
Creating roles and user domains
Creating new application domains
Other uses of policy enhancements
Summary
Index
Index

Creating roles and user domains

One of the best features of SELinux is its ability to confine end users and only grant them the rights they need to do their job. To accomplish this, we need to create a restricted user domain that these users should use (either immediately, or after switching from their standard role to the more privileged role).

Such user domains and roles need to be created through SELinux policy enhancements. These enhancements, however, require a deep understanding of the available permission checks, reference policy macros and more, which one can only obtain through experience (or assistance). Still, that shouldn't prevent us from giving a working example of how to create a special end user role and domain for the PostgreSQL administration.

The pgsql_admin role and user

First, let us look at the file. Each line is commented to explain why the various methods are used as follows:

policy_module(pgsql_admin, 1.0)
# Define the pgsql_admin_r role
role pgsql_admin_r;
# Create...
Previous Section
End of Section 5
Next Section