SELinux System Administration

Sven Vermeulen

eBook (ePub), 120 pages, English
About This Book

In Detail

NSA Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) architecture built into the Linux kernel through the Linux Security Modules framework, together with the user-space utilities and policy needed to manage it. It extends a strong, flexible MAC model into the major subsystems of the kernel. With its fine-grained yet flexible approach, it is no wonder that Linux distributions are enabling SELinux as a default security measure.

SELinux System Administration covers the majority of SELinux features through a mix of real-life scenarios, descriptions, and examples. Everything an administrator needs to further tune SELinux to suit their needs is present in this book.

This book touches on various SELinux topics, guiding you through the configuration of SELinux contexts and their definitions, the assignment of SELinux roles, and finally policy enhancements. All of SELinux's configuration handles, be they conditional policies, constraints, policy types, or audit capabilities, are covered with genuine examples that administrators might come across.

By the end, SELinux System Administration will have taught you how to configure your Linux system to be more secure, backed by a formidable mandatory access control system.

Approach

A step-by-step guide to securing Linux servers by taking SELinux policies into your own hands.

Who this book is for

Linux administrators will appreciate the range of SELinux features this book covers and the approach it uses to guide the admin towards understanding how SELinux works. The book assumes that you have basic knowledge of Linux administration, especially Linux permission and user management.


Information

Year
2013
ISBN
9781783283170
Edition
1

Table of Contents

SELinux System Administration
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers and more
Why Subscribe?
Free Access for Packt account holders
Preface
What this book covers
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. Fundamental SELinux Concepts
Providing more security to Linux
Linux security modules to the rescue
SELinux versus regular DAC
Restricting root privileges
Enabling SELinux – not just a switch
Everything gets a label
The context fields
SELinux types
SELinux roles
SELinux users
Sensitivity labels
Policies – the ultimate dictators
SELinux policy store names and options
MLS status
Dealing with unknown permissions
Supporting unconfined domains
User-based access control
Policies across distributions
MCS versus MLS
Policy binaries
SELinux policy modules
Summary
2. Understanding SELinux Decisions and Logging
Disabling SELinux
SELinux on, SELinux off
Switching to permissive (or enforcing) temporarily
Using kernel boot parameters
Disabling SELinux protections for a single service
Applications that "speak" SELinux
SELinux logging and auditing
Configuring SELinux' log destination
Reading SELinux denials
Uncovering more denials
Getting help with denials
setroubleshoot to the rescue
Using audit2why
Using common sense
Summary
3. Managing User Logins
So, who am I?
The rationale behind unconfined
SELinux users and roles
We all are one SELinux user
Creating additional users
Limiting access based on confidentiality
Jumping from one role to another
Full role switching with newrole
Managing role access with sudo
Switching to the system role
The runcon user application
Getting in the right context
Context switching during authentication
Application-based contexts
Summary
4. Process Domains and File-level Access Controls
Reading and changing file contexts
Getting context information
Working with context expressions
Setting context information
Using customizable types
Inheriting the context
Placing categories on files and directories
The context of a process
Transitioning towards a domain
Other supported transitions
Working with mod_selinux
Dealing with types, permissions, and constraints
Type attributes
Querying domain permissions
Understanding constraints
Summary
5. Controlling Network Communications
TCP and UDP support
Labeling ports
Integrating with Linux netfilter
Packet labeling through netfilter
Assigning labels to packets
Differentiating between server and client communication
Introducing labeled networking
Common labeling approach
Limiting flows based on the network interface
Accepting communication from selected hosts
Verifying peer-to-peer flow
Example – labeled IPSec
Setting up regular IPSec
Enabling labeled IPSec
About NetLabel/CIPSO
Summary
6. Working with SELinux Policies
Manipulating SELinux policies
Overview of SELinux Booleans
Changing Boolean values
Inspecting the impact of Boolean
Enhancing SELinux policies
Handling SELinux policy modules
Troubleshooting using audit2allow
Using refpolicy macros
Using selocal
Creating our own modules
Building native modules
Building reference policy modules
Creating roles and user domains
The pgsql_admin role and user
Creating the user rights
Shell access
Creating new application domains
An example application domain
Creating interfaces
Other uses of policy enhancements
Creating customized SECMARK types
Using different interfaces and nodes
Auditing access attempts
Creating customizable types
Summary
Index

Copyright © 2013 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: September 2013
Production Reference: 1170913
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78328-317-0
www.packtpub.com
Cover Image by Jarek Blaminsky

Credits

Author
Sven Vermeulen
Reviewers
Thomas Fischer
Dominick Grift
Acquisition Editor
Kartikey Pandey
Commissioning Editor
Neha Nagwekar
Technical Editor
Krishnaveni Haridas
Project Coordinator
Suraj Bist
Proofreaders
Ameesha Green
Maria Gould
Simran Bhogal
Indexer
Priya Subramani
Graphics
Abhinash Sahu
Production Coordinator
Nitesh Thakur
Cover Work
Nitesh Thakur

About the Author

Sven Vermeulen is a long-term contributor to various free software projects and the author of various online guides and resources. He got his first taste of free software in 1997 and has never looked back. In 2003, he joined the ranks of the Gentoo Linux project as a documentation developer and has since held several roles, including Gentoo Foundation's trustee, council member, project lead for documentation, and (his current role) project lead for Gentoo Hardened's SELinux integration.
In this time frame, he has gained expertise in several technologies, ranging fr...
