Book Image

SELinux System Administration

By : Sven Vermeulen
Book Image

SELinux System Administration

By: Sven Vermeulen

Overview of this book

NSA Security-Enhanced Linux (SELinux) is a set of patches and added utilities to the Linux kernel to incorporate a strong, flexible, mandatory access control architecture into the major subsystems of the kernel. With its fine-grained yet flexible approach, it is no wonder Linux distributions are firing up SELinux as a default security measure. SELinux System Administration covers the majority of SELinux features through a mix of real-life scenarios, descriptions, and examples. Everything an administrator needs to further tune SELinux to suit their needs are present in this book. This book touches on various SELinux topics, guiding you through the configuration of SELinux contexts, definitions, and the assignment of SELinux roles, and finishes up with policy enhancements. All of SELinux's configuration handles, be they conditional policies, constraints, policy types, or audit capabilities, are covered in this book with genuine examples that administrators might come across. By the end, SELinux System Administration will have taught you how to configure your Linux system to be more secure, powered by a formidable mandatory access control.

Related Content you might be interested in

Current Title:

Small book image
SELinux System Administration
Sven Vermeulen
Sep, 2013 | 120 pages
No titles found
Table of Contents (13 chapters)
SELinux System Administration
SELinux System Administration
Credits
Credits
About the Author
About the Author
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Fundamental SELinux Concepts
Fundamental SELinux Concepts
Providing more security to Linux
Everything gets a label
Policies – the ultimate dictators
Summary
2
Understanding SELinux Decisions and Logging
Understanding SELinux Decisions and Logging
Disabling SELinux
SELinux on, SELinux off
SELinux logging and auditing
Summary
3
Managing User Logins
Managing User Logins
So, who am I?
SELinux users and roles
Jumping from one role to another
Getting in the right context
Summary
4
Process Domains and File-level Access Controls
Process Domains and File-level Access Controls
Reading and changing file contexts
The context of a process
Dealing with types, permissions, and constraints
Summary
5
Controlling Network Communications
Controlling Network Communications
TCP and UDP support
Integrating with Linux netfilter
Introducing labeled networking
Summary
6
Working with SELinux Policies
Working with SELinux Policies
Manipulating SELinux policies
Enhancing SELinux policies
Creating our own modules
Creating roles and user domains
Creating new application domains
Other uses of policy enhancements
Summary
Index
Index

Dealing with types, permissions, and constraints

Now that we know more about types (both in the context of processes as well as files and other resources), let's look into how these are used in the SELinux policy in more detail.

Type attributes

We have discussed the sesearch application already and how it can be used to query the current SELinux policy. Let us look again at the process transitions, this time on a Fedora system:

$ sesearch -s initrc_t -t httpd_t -c process -p transition -A
Found 1 semantic av rules:
   allow initrc_domain daemon : process transition ;

Even though we asked for the rules related to the initrc_t source and the httpd_t target, we get a rule back for the initrc_domain source and the daemon target. What sesearch did here was it told us a privilege of initrc_t based on a privilege assigned to an attribute.

Type attributes in SELinux are used to group multiple types and assign privileges on these groups, rather than having to assign the privileges on each type individually...

Previous Section
End of Section 4
Next Section