Book Image

SELinux System Administration

By : Sven Vermeulen
Book Image

SELinux System Administration

By: Sven Vermeulen

Overview of this book

NSA Security-Enhanced Linux (SELinux) is a set of patches and added utilities to the Linux kernel to incorporate a strong, flexible, mandatory access control architecture into the major subsystems of the kernel. With its fine-grained yet flexible approach, it is no wonder Linux distributions are firing up SELinux as a default security measure. SELinux System Administration covers the majority of SELinux features through a mix of real-life scenarios, descriptions, and examples. Everything an administrator needs to further tune SELinux to suit their needs are present in this book. This book touches on various SELinux topics, guiding you through the configuration of SELinux contexts, definitions, and the assignment of SELinux roles, and finishes up with policy enhancements. All of SELinux's configuration handles, be they conditional policies, constraints, policy types, or audit capabilities, are covered in this book with genuine examples that administrators might come across. By the end, SELinux System Administration will have taught you how to configure your Linux system to be more secure, powered by a formidable mandatory access control.
Table of Contents (13 chapters)

Creating new application domains


By default, Linux distributions come with many prepackaged application domains. However, we will most likely come across situations where we need to build our own application policy.

Building such a policy can be to allow a particular application to run without SELinux protections (by marking the domain as a permissive domain) or perhaps with more controls that are currently in place.

Unlike users and roles, application domains usually have file context-related information with them.

An example application domain

The following SELinux policy is for mojomojo, an open source, catalyst-based wiki. The code is pretty light in weight as it is a web application. Thus, calling a template for the web server module (apache_content_template) that provides most of the rules already:

policy_module(mojomojo, 1.1.0)
# Create all types based on the apache content template
apache_content_template(mojomojo)
# Needed by the mojomojo application
allow httpd_mojomojo_script_t httpd_t...