Book Image

SELinux System Administration, Third Edition - Third Edition

By : Sven Vermeulen
Book Image

SELinux System Administration, Third Edition - Third Edition

By: Sven Vermeulen

Overview of this book

Linux is a dominant player in many organizations and in the cloud. Securing the Linux environment is extremely important for any organization, and Security-Enhanced Linux (SELinux) acts as an additional layer to Linux system security. SELinux System Administration covers basic SELinux concepts and shows you how to enhance Linux system protection measures. You will get to grips with SELinux and understand how it is integrated. As you progress, you’ll get hands-on experience of tuning and configuring SELinux and integrating it into day-to-day administration tasks such as user management, network management, and application maintenance. Platforms such as Kubernetes, system services like systemd, and virtualization solutions like libvirt and Xen, all of which offer SELinux-specific controls, will be explained effectively so that you understand how to apply and configure SELinux within these applications. If applications do not exert the expected behavior, you’ll learn how to fine-tune policies to securely host these applications. In case no policies exist, the book will guide you through developing custom policies on your own. By the end of this Linux book, you’ll be able to harden any Linux system using SELinux to suit your needs and fine-tune existing policies and develop custom ones to protect any app and service running on your Linux systems.
Table of Contents (22 chapters)
1
Section 1: Using SELinux
8
Section 2: SELinux-Aware Platforms
14
Section 3: Policy Management

Introducing CIL

CIL has been designed to be the main language to have policies built in, and is the lowest readable format. After CIL, the SELinux code is transformed in binary to send off to the Linux kernel (and SELinux subsystem) for loading in memory.

Administrators might be inclined to think that the binary files, generated when building a SELinux policy module using the reference policy method, are the final binaries. However, as we've seen in Chapter 1, Fundamental SELinux Concepts, the semodule command converts and translates this into CIL before building the final format.

Let's see how these translations work and what we can learn from them.

Translating .pp files to CIL

When a non-CIL SELinux policy module is loaded, the semodule command is designed to first consider the module as an unknown format, and extract the High Level Language (HLL) information from it. HLL is an abstract term that the SELinux utilities use to define any SELinux source format...