book

SELinux Cookbook

by Sven Vermeulen

September 2014

Intermediate to advanced

240 pages

5h 53m

English

Packt Publishing

Read now

Unlock full access

Support files, eBooks, discount offers, and moreWhy subscribe?Free access for Packt account holders
What this book covers

Downloading the example codeErrataPiracyQuestions
IntroductionAbout SELinuxThe role of the SELinux policyThe example
Getting readyHow to do it…How it works…There's more...See also
Getting readyHow to do it…How it works…The policy source fileThe binary policy moduleLoading a policy into the policy storeThere's more...See also
How to do it…How it works…See also
How to do it…How it works…The location of the interface definitionsThe in-line documentationSee also
Getting readyHow to do it…How it works…There's more...
How to do it…How it works…Changes in interfacesKernel version changesMLS or not
Introduction
How to do it…How it works…Path expressionsThe order of processingClass identifiersContext declarationThere's more...
Getting readyHow to do it…How it works…There's more...See also
Getting readyHow to do it…How it works…Finding the right search patternPatternsThere's more...See also
How to do it…How it works…Full policy replacementRanged daemon domainConstraintsSee also
Getting readyHow to do it…How it works…The mcstrans and setrans.conf filesSELinux users and Linux user mappingsRunning Apache with the right contextSee also
Introduction
How to do it…How it works...See also
Getting readyHow to do it…How it works...There's more...See also
How to do it…How it worksThere's more...
How to do it…How it works...There's more...See also
Getting readyHow to do it…How it works...There's more...
How to do it…How it works...
How to do it…How it works...See also
How to do it…How it works...There's more...
How to do it…How it works...
How to do it…How it works...There's more...See also
How to do it…How it works...See also
Introduction
How to do it…How it works…Files and directoriesNetwork resourcesProcessesHardware and kernel resources
How to do it…How it works…Type declarationsManaging files and directoriesX11 and shared memoryThe network accessThere's more...See also
How to do it…How it works…
How to do it…How it works…There's more...
How to do it…How it works…
How to do it…How it works…
How to do it…How it works…
How to do it…How it works…There's more...
How to do it…How it works…There's more...
Introduction
How to do it…How it works…Online researchSandbox environmentThe structural documentationSee also
How to do it…How it works…Domain definitionsLogical resourcesInfrastructural resources
How to do it…How it works…
How to do it…How it works…
How to do it…How it works…See also
How to do it…For a Unix domain socket with a socket fileFor an abstract Unix domain socketHow it works…
How to do it…How it works…See also
Introduction
How to do it…How it works…There's more...
How to do it…How it works…
How to do it…How it works…See also
How to do it…How it works…
How to do it…How it works…
How to do it…How it works…Defining a role in the policyExtending the role privilegesDefault types and default contexts
How to do it…How it works…
How to do it…How it works…
How to do it…How it works…Direct access inspectionPolicy manipulationIndirect access
Introduction
How to do it…How it works…Shared file locationsUser content and customizable typesThere's more...
How to do it…How it works…
How to do it…How it works…
How to do it…How it works…
How to do it…How it works…
How to do it…How it works…
How to do it…How it works…Reducing exploit risksRole managementType inheritance and transitions
Introduction
How to do it…How it works…See also
Getting readyHow to do it…How it works…Invalid contextsDenied transition validationDenied security-bounded transitionsThere's more...See also
How to do it…How it works…
How to do it…How it works…See also
How to do it…How it works…
How to do it…How it works…
How to do it…How it works…There's more...See also
How to do it…How it works…There's more...See also
Introduction
Getting readyHow to do it…How it works…There's more...See also
How to do it…How it works…See also
How to do it…How it works…There's more...
How to do it…How it works…There's more...
How to do it…How it works…See also
How to do it…How it works…
How to do it…How it works…
How to do it…How it works…See also
Introduction
Getting readyHow to do it…How it works…There's more...
How to do it…How it works…There's more...
How to do it…How it works…
How to do it…How it works…There's more…
Getting readyHow to do it…How it works…There's more...
How to do it…How it works…There's more...
Getting readyHow to do it…How it works…There's more...
Getting readyHow to do it…How it works…There's more...
How to do it…How it works…There's more...

Content preview from SELinux Cookbook

Using fine-grained application domain definitions

The use of templates earlier in this chapter is a start to support more fine-grained application domain definitions. Instead of running a workload inside the same domain as the main application, specific types are created that are meant to optimize the interaction between one domain and another, ensuring that the permissions granted to a particular domain remain small and manageable.

Using fine-grained application domains goes a step further, having processes of the same application run inside their own specific domains. This is not always possible (not all applications use multiple, distinct processes), but when it is, using fine-grained domains provides an even more secure environment, where each ...