SELinux System Administration

By: Sven Vermeulen

Overview of this book

NSA Security-Enhanced Linux (SELinux) is a set of patches and added utilities for the Linux kernel that incorporate a strong, flexible, mandatory access control architecture into the major subsystems of the kernel. With its fine-grained yet flexible approach, it is no wonder that Linux distributions are enabling SELinux as a default security measure. SELinux System Administration covers the majority of SELinux features through a mix of real-life scenarios, descriptions, and examples. Everything an administrator needs to further tune SELinux to suit their needs is present in this book. This book touches on various SELinux topics, guiding you through the configuration of SELinux contexts and definitions and the assignment of SELinux roles, and finishes up with policy enhancements. All of SELinux's configuration handles, be they conditional policies, constraints, policy types, or audit capabilities, are covered in this book with genuine examples that administrators might come across. By the end, SELinux System Administration will have taught you how to configure your Linux system to be more secure, powered by a formidable mandatory access control.

The context of a process

As everything in SELinux works with labels, even processes are assigned a label, also known as the domain. If a label is absent (or invalid), SELinux will show the process as unlabeled_t. We saw that the Apache web server runs in the httpd_t domain, which can be seen with ps and its -Z option, as follows:

# ps -eZ | grep httpd
system_u:system_r:httpd_t:s0 2270 ?        00:00:00 httpd

The Apache processes don't inform SELinux themselves that they need to run in the httpd_t domain. For that, SELinux has transition rules.
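The context column in the ps -eZ output above has the fixed shape user:role:type:level, and the domain of a process is the type (third) field. The following POSIX shell script is an added example, not code from the book: it extracts the domain from such lines, counts how many processes run in a given domain (all httpd workers share httpd_t, as the text describes), and reports PIDs whose domain is unlabeled_t or missing, which is the condition an administrator wants to catch. The sample output in SAMPLE_PS is constructed for the example, not captured from a real host; the level field may itself contain colons (for example s0-s0:c0.c1023), which is why the type is always taken as field 3 rather than the last field.

```shell
#!/bin/sh
# Constructed sample of `ps -eZ` output (no header line): LABEL PID TTY TIME CMD.
# This is example data, not a capture from a real system.
SAMPLE_PS='system_u:system_r:init_t:s0 1 ? 00:00:02 systemd
system_u:system_r:httpd_t:s0 2270 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0 2271 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0 2272 ? 00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3000 pts/0 00:00:00 bash
system_u:system_r:unlabeled_t:s0 4100 ? 00:00:00 legacy'

# domain_of CONTEXT: print the type (domain) of a user:role:type:level context.
# Field 3 is used because the MLS/MCS level after it may contain further colons.
domain_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# count_domain DOMAIN: number of processes in SAMPLE_PS running in DOMAIN.
# Lines whose second column is not a PID (e.g. a header) are ignored.
count_domain() {
    printf '%s\n' "$SAMPLE_PS" | awk -v d="$1" '
        $2 ~ /^[0-9]+$/ { split($1, c, ":"); if (c[3] == d) n++ }
        END { print n + 0 }'
}

# unlabeled_pids: PIDs whose domain is unlabeled_t or whose label has no type
# field at all, i.e. processes SELinux could not label properly.
unlabeled_pids() {
    printf '%s\n' "$SAMPLE_PS" | awk '
        $2 ~ /^[0-9]+$/ { split($1, c, ":"); if (c[3] == "unlabeled_t" || c[3] == "") print $2 }'
}

# domain_summary: "count domain" per domain, most populated domain first.
domain_summary() {
    printf '%s\n' "$SAMPLE_PS" | awk '
        $2 ~ /^[0-9]+$/ { split($1, c, ":"); n[c[3]]++ }
        END { for (d in n) print n[d], d }' | sort -rn
}

# On a real SELinux host, feed the live process list instead of the sample:
#   SAMPLE_PS=$(ps -eZ --no-headers)
# and then, for instance:
#   domain_summary
#   unlabeled_pids
```

With the constructed sample, count_domain httpd_t returns 3 (the main process and its two workers all sit in httpd_t), domain_summary lists httpd_t first, and unlabeled_pids prints 4100. On a live system, swap SAMPLE_PS for the real ps -eZ --no-headers output as shown in the trailing comment; any PID reported by unlabeled_pids is worth investigating, since a process without a valid label is not confined the way the policy intends.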

Transitioning towards a domain

Just as with files, when a process forks and creates a new process, the new process inherits the context of the parent process. In the case of the web server, the main process is in the httpd_t domain, so all the worker processes it launches inherit the httpd_t domain from it.

In order to differentiate one process from another, domain transitions can be defined. A domain transition (also known as a process transition...