SELinux System Administration - Second Edition
Credits
About the Author
About the Reviewers
www.PacktPub.com
Why subscribe?
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. Fundamental SELinux Concepts
Providing more security to Linux
Using Linux security modules
Extending regular DAC with SELinux
Restricting root privileges
Reducing the impact of vulnerabilities
Enabling SELinux support
Labeling all resources and objects
Dissecting the SELinux context
Enforcing access through types
Granting domain access through roles
Limiting roles through users
Controlling information flow through sensitivities
Defining and distributing policies
Writing SELinux policies
Distributing policies through modules
Bundling modules in a policy store
Distinguishing between policies
Supporting MLS
Dealing with unknown permissions
Supporting unconfined domains
Limiting cross-user sharing
Incrementing policy versions
Different policy content
Summary
2. Understanding SELinux Decisions and Logging
Switching SELinux on and off
Setting the global SELinux state
Switching to permissive (or enforcing) mode
Using kernel boot parameters
Disabling SELinux protections for a single service
Understanding SELinux-aware applications
SELinux logging and auditing
Following audit events
Uncovering more logging
Configuring Linux auditing
Configuring the local system logger
Reading SELinux denials
Other SELinux-related event types
USER_AVC
SELINUX_ERR
MAC_POLICY_LOAD
MAC_CONFIG_CHANGE
MAC_STATUS
NetLabel events
Labeled IPsec events
Using ausearch
Getting help with denials
Troubleshooting with setroubleshoot
Sending e-mails when SELinux denials occur
Using audit2why
Interacting with systemd-journal
Using common sense
Summary
3. Managing User Logins
User-oriented SELinux contexts
Understanding domain complexity
Querying for unconfined domains
SELinux users and roles
Listing SELinux user mappings
Mapping logins to SELinux users
Customizing logins towards services
Creating SELinux users
Listing accessible domains
Managing categories
Handling SELinux roles
Defining allowed SELinux contexts
Validating contexts with getseuser
Switching roles with newrole
Managing role access through sudo
Reaching other domains using runcon
Switching to the system role
SELinux and PAM
Assigning contexts through PAM
Prohibiting access during permissive mode
Polyinstantiating directories
Summary
4. Process Domains and File-Level Access Controls
About SELinux file contexts
Getting context information
Interpreting SELinux context types
Keeping or ignoring contexts
Inheriting the default context
Querying transition rules
Copying and moving files
Temporarily changing file contexts
Placing categories on files and directories
Using multilevel security on files
Backing up and restoring extended attributes
Using mount options to set SELinux contexts
SELinux file context expressions
Using context expressions
Registering file context changes
Using customizable types
Compiling the different file_contexts files
Exchanging local modifications
Modifying file contexts
Using setfiles, rlpkg, and fixfiles
Relabeling the entire file system
Automatically setting contexts with restorecond
The context of a process
Getting a process context
Transitioning towards a domain
Verifying a target context
Other supported transitions
Querying initial contexts
Limiting the scope of transitions
Sanitizing environments on transition
Disabling unconstrained transitions
Using Linux's NO_NEW_PRIVS
Types, permissions, and constraints
Understanding type attributes
Querying domain permissions
Learning about constraints
Summary
5. Controlling Network Communications
From IPC to TCP and UDP sockets
Using shared memory
Communicating locally through pipes
Conversing over UNIX domain sockets
Understanding netlink sockets
Dealing with TCP and UDP sockets
Listing connection contexts
Linux netfilter and SECMARK support
Introducing netfilter
Implementing security markings
Assigning labels to packets
Labeled networking
Fallback labeling with NetLabel
Limiting flows based on the network interface
Accepting peer communication from selected hosts
Verifying peer-to-peer flow
Using old-style controls
Labeled IPsec
Setting up regular IPsec
Enabling labeled IPsec
Using Libreswan
NetLabel/CIPSO
Configuring CIPSO mappings
Adding domain-specific mappings
Using local CIPSO definitions
Supporting IPv6 CALIPSO
Summary
6. sVirt and Docker Support
SELinux-secured virtualization
Introducing virtualization
Reviewing the risks of virtualization
Using nondynamic security models
Reusing existing virtualization domains
Understanding MCS
libvirt SELinux support
Differentiating between shared and dedicated resources
Assessing the libvirt architecture
Configuring libvirt for sVirt
Using static labels
Customizing labels
Using different storage pool locations
Interpreting output-only label information
Controlling available categories
Limiting supported hosts in a cluster
Modifying default contexts
Securing Docker containers
Understanding container security
Controlling non-sVirt Docker SELinux integration
Aligning Docker security with sVirt
Limiting container capabilities
Using different SELinux contexts
Relabeling volume mounts
Lowering SELinux controls for specific containers
Modifying default contexts
Summary
7. D-Bus and systemd
The system daemon (systemd)
Service support in systemd
Understanding unit files
Setting the SELinux context for a service
Using transient services
Requiring SELinux for a service
Relabeling files during service startup
Using socket-based activation
Governing unit operations access
Logging with systemd
Retrieving SELinux-related information
Querying logs given a SELinux context
Using setroubleshoot integration with journal
Using systemd containers
Initializing a systemd container
Using a specific SELinux context
Handling device files
Using udev rules
Setting a SELinux label on a device node
D-Bus communication
Understanding D-Bus
Controlling service acquisition with SELinux
Governing message flows
Summary
8. Working with SELinux Policies
SELinux booleans
Listing SELinux booleans
Changing boolean values
Inspecting the impact of a boolean
Enhancing SELinux policies
Listing policy modules
Loading and removing policy modules
Creating policies using audit2allow
Using sensible module names
Using refpolicy macros with audit2allow
Using selocal
Creating custom modules
Building SELinux native modules
Building reference policy modules
Building CIL policy modules
Adding file context definitions
Creating roles and user domains
Creating the pgsql_admin.te file
Creating the user rights
Granting interactive shell access
Generating skeleton user policy files
Creating new application domains
Creating the mojomojo.* files
Creating policy interfaces
Generating skeleton application policy files
Replacing existing policies
Replacing RHEL policies
Replacing Gentoo policies
Other uses of policy enhancements
Creating customized SECMARK types
Auditing access attempts
Creating customizable types
Summary
9. Analyzing Policy Behavior
Single-step analysis
Using different SELinux policy files
Displaying policy object information
Understanding sesearch
Querying allow rules
Querying type transition rules
Querying other type rules
Querying role related rules
Browsing with apol
Domain transition analysis
Using apol for domain transition analysis
Using sedta for domain transition analysis
Information flow analysis
Using apol for information flow analysis
Using seinfoflow for information flow analysis
Other policy analysis
Comparing policies with sediff
Analyzing policies with sepolicy
Summary
10. SELinux Use Cases
Hardening web servers
Describing the situation
Configuring for a multi-instance setup
Creating the SELinux categories
Choosing the right contexts
Enabling administrative accounts
Handling web server behavior
Dealing with content updates
Tuning the network and firewall rules
Securing shell services
Splitting SSH over multiple instances
Updating the network rules
Configuring for chrooted access
Associating SELinux mappings based on access
Tuning SSH SELinux rules
Enabling multi-tenancy on the user level
File sharing through NFS
Setting up basic NFS
Enabling NFS support
Tuning the NFS SELinux rules
Using context mounts
Working with labeled NFS
Comparing Samba with NFS
Summary