Book Image

SELinux System Administration

By : Sven Vermeulen
Book Image

SELinux System Administration

By: Sven Vermeulen

Overview of this book

NSA Security-Enhanced Linux (SELinux) is a set of patches and added utilities to the Linux kernel to incorporate a strong, flexible, mandatory access control architecture into the major subsystems of the kernel. With its fine-grained yet flexible approach, it is no wonder Linux distributions are firing up SELinux as a default security measure. SELinux System Administration covers the majority of SELinux features through a mix of real-life scenarios, descriptions, and examples. Everything an administrator needs to further tune SELinux to suit their needs are present in this book. This book touches on various SELinux topics, guiding you through the configuration of SELinux contexts, definitions, and the assignment of SELinux roles, and finishes up with policy enhancements. All of SELinux's configuration handles, be they conditional policies, constraints, policy types, or audit capabilities, are covered in this book with genuine examples that administrators might come across. By the end, SELinux System Administration will have taught you how to configure your Linux system to be more secure, powered by a formidable mandatory access control.

Related Content you might be interested in

Current Title:

Small book image
SELinux System Administration
Sven Vermeulen
Sep, 2013 | 120 pages
No titles found
Table of Contents (13 chapters)
SELinux System Administration
SELinux System Administration
Credits
Credits
About the Author
About the Author
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Fundamental SELinux Concepts
Fundamental SELinux Concepts
Providing more security to Linux
Everything gets a label
Policies – the ultimate dictators
Summary
2
Understanding SELinux Decisions and Logging
Understanding SELinux Decisions and Logging
Disabling SELinux
SELinux on, SELinux off
SELinux logging and auditing
Summary
3
Managing User Logins
Managing User Logins
So, who am I?
SELinux users and roles
Jumping from one role to another
Getting in the right context
Summary
4
Process Domains and File-level Access Controls
Process Domains and File-level Access Controls
Reading and changing file contexts
The context of a process
Dealing with types, permissions, and constraints
Summary
5
Controlling Network Communications
Controlling Network Communications
TCP and UDP support
Integrating with Linux netfilter
Introducing labeled networking
Summary
6
Working with SELinux Policies
Working with SELinux Policies
Manipulating SELinux policies
Enhancing SELinux policies
Creating our own modules
Creating roles and user domains
Creating new application domains
Other uses of policy enhancements
Summary
Index
Index

So, who am I?

Once logged in to a system, our user will run inside a certain context. This user context defines the rights and privileges that we, as a user, have on the system. The command to obtain current user information, id, also supports SELinux context information. Try it out, and use the -Z switch as follows:

$ id -Z
unconfined_u:unconfined_r:unconfined_t

On SELinux systems with a targeted policy type, chances are very high that all users are logged in as unconfined_u (the first part of the context). On more restricted systems, the user can be user_u (regular restricted users), staff_u (operators), sysadm_u (system administrators), or any other of the SELinux user types.

The SELinux user defines the roles that the user can switch to, which themselves define the domains that the user (or his processes) can run in. By default, a fixed number of SELinux users are available on the system, but administrators can create different SELinux users. It is also the administrator’s task to assign...

Previous Section
End of Section 2
Next Section