SELinux System Administration (e-book)

Author: Sven Vermeulen

Publisher: Packt Publishing

Publication date: 2013-09-24

Word count: 887,000

Category: Imported books > Foreign-language originals > Computers/Networking

A step-by-step guide to learning how to set up security on Linux servers by taking SELinux policies into your own hands. Linux administrators will enjoy the various SELinux features that this book covers and the approach used to guide the admin into understanding how SELinux works. The book assumes that you have basic knowledge of Linux administration, especially Linux permissions and user management.
Contents

SELinux System Administration

Table of Contents

SELinux System Administration

Credits

About the Author

About the Reviewers

www.PacktPub.com

Support files, eBooks, discount offers and more

Why Subscribe?

Free Access for Packt account holders

Preface

What this book covers

Who this book is for

Conventions

Reader feedback

Customer support

Downloading the example code

Errata

Piracy

Questions

1. Fundamental SELinux Concepts

Providing more security to Linux

Linux security modules to the rescue

SELinux versus regular DAC

Restricting root privileges

Enabling SELinux – not just a switch

Everything gets a label

The context fields

SELinux types

SELinux roles

SELinux users

Sensitivity labels

Policies – the ultimate dictators

SELinux policy store names and options

MLS status

Dealing with unknown permissions

Supporting unconfined domains

User-based access control

Policies across distributions

MCS versus MLS

Policy binaries

SELinux policy modules

Summary

2. Understanding SELinux Decisions and Logging

Disabling SELinux

SELinux on, SELinux off

Switching to permissive (or enforcing) temporarily

Using kernel boot parameters

Disabling SELinux protections for a single service

Applications that "speak" SELinux

SELinux logging and auditing

Configuring SELinux' log destination

Reading SELinux denials

Uncovering more denials

Getting help with denials

setroubleshoot to the rescue

Using audit2why

Using common sense

Summary

3. Managing User Logins

So, who am I?

The rationale behind unconfined

SELinux users and roles

We all are one SELinux user

Creating additional users

Limiting access based on confidentiality

Jumping from one role to another

Full role switching with newrole

Managing role access with sudo

Switching to the system role

The runcon user application

Getting in the right context

Context switching during authentication

Application-based contexts

Summary

4. Process Domains and File-level Access Controls

Reading and changing file contexts

Getting context information

Working with context expressions

Setting context information

Using customizable types

Inheriting the context

Placing categories on files and directories

The context of a process

Transitioning towards a domain

Other supported transitions

Working with mod_selinux

Dealing with types, permissions, and constraints

Type attributes

Querying domain permissions

Understanding constraints

Summary

5. Controlling Network Communications

TCP and UDP support

Labeling ports

Integrating with Linux netfilter

Packet labeling through netfilter

Assigning labels to packets

Differentiating between server and client communication

Introducing labeled networking

Common labeling approach

Limiting flows based on the network interface

Accepting communication from selected hosts

Verifying peer-to-peer flow

Example – labeled IPSec

Setting up regular IPSec

Enabling labeled IPSec

About NetLabel/CIPSO

Summary

6. Working with SELinux Policies

Manipulating SELinux policies

Overview of SELinux Booleans

Changing Boolean values

Inspecting the impact of Boolean

Enhancing SELinux policies

Handling SELinux policy modules

Troubleshooting using audit2allow

Using refpolicy macros

Using selocal

Creating our own modules

Building native modules

Building reference policy modules

Creating roles and user domains

The pgsql_admin role and user

Creating the user rights

Shell access

Creating new application domains

An example application domain

Creating interfaces

Other uses of policy enhancements

Creating customized SECMARK types

Using different interfaces and nodes

Auditing access attempts

Creating customizable types

Summary

Index
