SELinux Cookbook
Table of Contents
SELinux Cookbook
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. The SELinux Development Environment
Introduction
About SELinux
The role of the SELinux policy
The example
Creating the development environment
Getting ready
How to do it…
How it works…
There's more...
See also
Building a simple SELinux module
Getting ready
How to do it…
How it works…
The policy source file
The binary policy module
Loading a policy into the policy store
There's more...
See also
Calling refpolicy interfaces
How to do it…
How it works…
See also
Creating our own interface
How to do it…
How it works…
The location of the interface definitions
The in-line documentation
See also
Using the refpolicy naming convention
Getting ready
How to do it…
How it works…
There's more...
Distributing SELinux policy modules
How to do it…
How it works…
Changes in interfaces
Kernel version changes
MLS or not
2. Dealing with File Labels
Introduction
Defining file contexts through patterns
How to do it…
How it works…
Path expressions
The order of processing
Class identifiers
Context declaration
There's more...
Using substitution definitions
Getting ready
How to do it…
How it works…
There's more...
See also
Enhancing an SELinux policy with file transitions
Getting ready
How to do it…
How it works…
Finding the right search pattern
Patterns
There's more...
See also
Setting resource-sensitivity labels
How to do it…
How it works…
Full policy replacement
Ranged daemon domain
Constraints
See also
Configuring sensitivity categories
Getting ready
How to do it…
How it works…
The mcstrans and setrans.conf files
SELinux users and Linux user mappings
Running Apache with the right context
See also
3. Confining Web Applications
Introduction
Listing conditional policy support
How to do it…
How it works...
See also
Enabling user directory support
Getting ready
How to do it…
How it works...
There's more...
See also
Assigning web content types
How to do it…
How it works
There's more...
Using different web server ports
How to do it…
How it works...
There's more...
See also
Using custom content types
Getting ready
How to do it…
How it works...
There's more...
Creating a custom CGI domain
How to do it…
How it works...
Setting up mod_selinux
How to do it…
How it works...
See also
Starting Apache with limited clearance
How to do it…
How it works...
There's more...
Mapping HTTP users to contexts
How to do it…
How it works...
Using source address mapping to decide on contexts
How to do it…
How it works...
There's more...
See also
Separating virtual hosts with mod_selinux
How to do it…
How it works...
See also
4. Creating a Desktop Application Policy
Introduction
Researching the application's logical design
How to do it…
How it works…
Files and directories
Network resources
Processes
Hardware and kernel resources
Creating a skeleton policy
How to do it…
How it works…
Type declarations
Managing files and directories
X11 and shared memory
The network access
There's more...
See also
Setting context definitions
How to do it…
How it works…
Defining application role interfaces
How to do it…
How it works…
There's more...
Testing and enhancing the policy
How to do it…
How it works…
Ignoring permissions we don't need
How to do it…
How it works…
Creating application resource interfaces
How to do it…
How it works…
Adding conditional policy rules
How to do it…
How it works…
There's more...
Adding build-time policy decisions
How to do it…
How it works…
There's more...
5. Creating a Server Policy
Introduction
Understanding the service
How to do it…
How it works…
Online research
Sandbox environment
The structural documentation
See also
Choosing resource types wisely
How to do it…
How it works…
Domain definitions
Logical resources
Infrastructural resources
Differentiating policies based on use cases
How to do it…
How it works…
Creating resource-access interfaces
How to do it…
How it works…
Creating exec, run, and transition interfaces
How to do it…
How it works…
See also
Creating a stream-connect interface
How to do it…
For a Unix domain socket with a socket file
For an abstract Unix domain socket
How it works…
Creating the administrative interface
How to do it…
How it works…
See also
6. Setting Up Separate Roles
Introduction
Managing SELinux users
How to do it…
How it works…
There's more...
Mapping Linux users to SELinux users
How to do it…
How it works…
Running commands in a specified role with sudo
How to do it…
How it works…
See also
Running commands in a specified role with runcon
How to do it…
How it works…
Switching roles
How to do it…
How it works…
Creating a new role
How to do it…
How it works…
Defining a role in the policy
Extending the role privileges
Default types and default contexts
Initial role based on entry
How to do it…
How it works…
Defining role transitions
How to do it…
How it works…
Looking into access privileges
How to do it…
How it works…
Direct access inspection
Policy manipulation
Indirect access
7. Choosing the Confinement Level
Introduction
Finding common resources
How to do it…
How it works…
Shared file locations
User content and customizable types
There's more...
Defining common helper domains
How to do it…
How it works…
Documenting common privileges
How to do it…
How it works…
Granting privileges to all clients
How to do it…
How it works…
Creating a generic application domain
How to do it…
How it works…
Building application-specific domains using templates
How to do it…
How it works…
Using fine-grained application domain definitions
How to do it…
How it works…
Reducing exploit risks
Role management
Type inheritance and transitions
8. Debugging SELinux
Introduction
Identifying whether SELinux is to blame
How to do it…
How it works…
See also
Analyzing SELINUX_ERR messages
Getting ready
How to do it…
How it works…
Invalid contexts
Denied transition validation
Denied security-bounded transitions
There's more...
See also
Logging positive policy decisions
How to do it…
How it works…
Looking through SELinux constraints
How to do it…
How it works…
See also
Ensuring an SELinux rule is never allowed
How to do it…
How it works…
Using strace to clarify permission issues
How to do it…
How it works…
Using strace against daemons
How to do it…
How it works…
There's more...
See also
Auditing system behavior
How to do it…
How it works…
There's more...
See also
9. Aligning SELinux with DAC
Introduction
Assigning a different root location to regular services
Getting ready
How to do it…
How it works…
There's more...
See also
Using a different root location for SELinux-aware applications
How to do it…
How it works…
See also
Sharing user content with file ACLs
How to do it…
How it works…
There's more...
Enabling polyinstantiated directories
How to do it…
How it works…
There's more...
Configuring capabilities instead of setuid binaries
How to do it…
How it works…
See also
Using group membership for role-based access
How to do it…
How it works…
Backing up and restoring files
How to do it…
How it works…
Governing application network access
How to do it…
How it works…
See also
10. Handling SELinux-aware Applications
Introduction
Controlling D-Bus message flows
Getting ready
How to do it…
How it works…
There's more...
Restricting service ownership
How to do it…
How it works…
There's more...
Understanding udev's SELinux integration
How to do it…
How it works…
Using cron with SELinux
How to do it…
How it works…
There's more…
Checking the SELinux state programmatically
Getting ready
How to do it…
How it works…
There's more...
Querying SELinux userland configuration in C
How to do it…
How it works…
There's more...
Interrogating the SELinux subsystem code-wise
Getting ready
How to do it…
How it works…
There's more...
Running new processes in a new context
Getting ready
How to do it…
How it works…
There's more...
Reading the context of a resource
How to do it…
How it works…
There's more...
Index