Book Image

SELinux System Administration

By : Sven Vermeulen
Book Image

SELinux System Administration

By: Sven Vermeulen

Overview of this book

NSA Security-Enhanced Linux (SELinux) is a set of patches and added utilities to the Linux kernel to incorporate a strong, flexible, mandatory access control architecture into the major subsystems of the kernel. With its fine-grained yet flexible approach, it is no wonder Linux distributions are firing up SELinux as a default security measure. SELinux System Administration covers the majority of SELinux features through a mix of real-life scenarios, descriptions, and examples. Everything an administrator needs to further tune SELinux to suit their needs are present in this book. This book touches on various SELinux topics, guiding you through the configuration of SELinux contexts, definitions, and the assignment of SELinux roles, and finishes up with policy enhancements. All of SELinux's configuration handles, be they conditional policies, constraints, policy types, or audit capabilities, are covered in this book with genuine examples that administrators might come across. By the end, SELinux System Administration will have taught you how to configure your Linux system to be more secure, powered by a formidable mandatory access control.
Table of Contents (13 chapters)

TCP and UDP support


When we confine network facing services, for example, web servers or database servers, we not only focus on the file-based restrictions and process capabilities, but also what network activities the services are allowed to do. Many database servers should not be able to initiate a connection themselves to other systems and, if they do, these connections should be limited to the expected services (like other database services).

The first approach on limiting this is to define what sockets a process is allowed to bind on (as a service) or connect to (as a client). In the majority of cases, the sockets are either TCP sockets or UDP sockets. In SELinux, these are mapped to the tcp_socket and udp_socket classes.

Labeling ports

In order to easily map SELinux domain accesses to the TCP or UDP ports, SELinux allows administrators to label these ports and define which domains can access what ports. When a domain tries to connect or bind to a port, the name_connect or name_bind permissions...