book

SELinux Cookbook

by Sven Vermeulen

September 2014

Intermediate to advanced

240 pages

5h 53m

English

Packt Publishing

Read now

Unlock full access

Support files, eBooks, discount offers, and moreWhy subscribe?Free access for Packt account holders
What this book covers

Downloading the example codeErrataPiracyQuestions
IntroductionAbout SELinuxThe role of the SELinux policyThe example
Getting readyHow to do it…How it works…There's more...See also
Getting readyHow to do it…How it works…The policy source fileThe binary policy moduleLoading a policy into the policy storeThere's more...See also
How to do it…How it works…See also
How to do it…How it works…The location of the interface definitionsThe in-line documentationSee also
Getting readyHow to do it…How it works…There's more...
How to do it…How it works…Changes in interfacesKernel version changesMLS or not
Introduction
How to do it…How it works…Path expressionsThe order of processingClass identifiersContext declarationThere's more...
Getting readyHow to do it…How it works…There's more...See also
Getting readyHow to do it…How it works…Finding the right search patternPatternsThere's more...See also
How to do it…How it works…Full policy replacementRanged daemon domainConstraintsSee also
Getting readyHow to do it…How it works…The mcstrans and setrans.conf filesSELinux users and Linux user mappingsRunning Apache with the right contextSee also
Introduction
How to do it…How it works...See also
Getting readyHow to do it…How it works...There's more...See also
How to do it…How it worksThere's more...
How to do it…How it works...There's more...See also
Getting readyHow to do it…How it works...There's more...
How to do it…How it works...
How to do it…How it works...See also
How to do it…How it works...There's more...
How to do it…How it works...
How to do it…How it works...There's more...See also
How to do it…How it works...See also
Introduction
How to do it…How it works…Files and directoriesNetwork resourcesProcessesHardware and kernel resources
How to do it…How it works…Type declarationsManaging files and directoriesX11 and shared memoryThe network accessThere's more...See also
How to do it…How it works…
How to do it…How it works…There's more...
How to do it…How it works…
How to do it…How it works…
How to do it…How it works…
How to do it…How it works…There's more...
How to do it…How it works…There's more...
Introduction
How to do it…How it works…Online researchSandbox environmentThe structural documentationSee also
How to do it…How it works…Domain definitionsLogical resourcesInfrastructural resources
How to do it…How it works…
How to do it…How it works…
How to do it…How it works…See also
How to do it…For a Unix domain socket with a socket fileFor an abstract Unix domain socketHow it works…
How to do it…How it works…See also
Introduction
How to do it…How it works…There's more...
How to do it…How it works…
How to do it…How it works…See also
How to do it…How it works…
How to do it…How it works…
How to do it…How it works…Defining a role in the policyExtending the role privilegesDefault types and default contexts
How to do it…How it works…
How to do it…How it works…
How to do it…How it works…Direct access inspectionPolicy manipulationIndirect access
Introduction
How to do it…How it works…Shared file locationsUser content and customizable typesThere's more...
How to do it…How it works…
How to do it…How it works…
How to do it…How it works…
How to do it…How it works…
How to do it…How it works…
How to do it…How it works…Reducing exploit risksRole managementType inheritance and transitions
Introduction
How to do it…How it works…See also
Getting readyHow to do it…How it works…Invalid contextsDenied transition validationDenied security-bounded transitionsThere's more...See also
How to do it…How it works…
How to do it…How it works…See also
How to do it…How it works…
How to do it…How it works…
How to do it…How it works…There's more...See also
How to do it…How it works…There's more...See also
Introduction
Getting readyHow to do it…How it works…There's more...See also
How to do it…How it works…See also
How to do it…How it works…There's more...
How to do it…How it works…There's more...
How to do it…How it works…See also
How to do it…How it works…
How to do it…How it works…
How to do it…How it works…See also
Introduction
Getting readyHow to do it…How it works…There's more...
How to do it…How it works…There's more...
How to do it…How it works…
How to do it…How it works…There's more…
Getting readyHow to do it…How it works…There's more...
How to do it…How it works…There's more...
Getting readyHow to do it…How it works…There's more...
Getting readyHow to do it…How it works…There's more...
How to do it…How it works…There's more...

Content preview from SELinux Cookbook

Enabling polyinstantiated directories

On Linux and Unix systems, the /tmp/ and /var/tmp/ locations are world writable. They are used to provide a common location for temporary files and are protected through the sticky bit so that users cannot remove files they don't own from the directory, even though the directory is world writable.

But despite this measure, there is a history of attacks against the /tmp/ and /var/tmp/ locations, such as race conditions with symbolic links and information leakage through (temporary or not) world or group-readable files generated within.

Polyinstantiated directories provide a neat solution to this problem: users get their own, private /tmp/ and /var/tmp/ instance. These directory instances are created upon login ...