book

SELinux System Administration, Third Edition - Third Edition

by Sven Vermeulen

December 2020

Intermediate to advanced

458 pages

10h 14m

English

Packt Publishing

Read now

Unlock full access

Why subscribe?ContributorsAbout the authorAbout the reviewersPackt is searching for authors like you
Who this book is forWhat this book coversTo get the most out of this bookDownload the example code filesCode in ActionDownload the color imagesConventions usedGet in touchReviews
Technical requirementsProviding more security for LinuxIntroducing Linux Security Modules (LSM)Extending regular DAC with SELinuxRestricting root privilegesReducing the impact of vulnerabilitiesEnabling SELinux supportLabeling all resources and objectsDissecting the SELinux contextEnforcing access through typesGranting domain access through rolesLimiting roles through usersControlling information flow through sensitivitiesDefining and distributing policiesWriting SELinux policiesDistributing policies through modulesBundling modules in a policy storeDistinguishing between policiesSupporting MLSDealing with unknown permissionsSupporting unconfined domainsLimiting cross-user sharingIncrementing policy versionsDifferent policy contentSummaryQuestions
Technical requirementsSwitching SELinux on and offSetting the global SELinux stateSwitching to permissive or enforcing modeUsing kernel boot parametersDisabling SELinux protections for a single serviceUnderstanding SELinux-aware applicationsSELinux logging and auditingFollowing audit eventsTuning the AVCUncovering more loggingConfiguring Linux auditingConfiguring the local system loggerReading SELinux denialsOther SELinux-related event typesUsing ausearchGetting help with denialsTroubleshooting with setroubleshootSending emails when SELinux denials occurUsing audit2whyInteracting with systemd-journalUsing common senseSummaryQuestions
Technical requirementsUser-oriented SELinux contextsSELinux users and rolesListing SELinux user mappingsMapping logins to SELinux usersCustomizing logins for servicesCreating SELinux usersListing accessible domainsManaging categoriesHandling SELinux rolesDefining allowed SELinux contextsValidating contexts with getseuserSwitching roles with newroleManaging role access through sudoReaching other domains using runconSwitching to the system roleSELinux and PAMAssigning contexts through PAMProhibiting access during permissive modePolyinstantiating directoriesSummaryQuestions
Technical requirementsIntroduction to SELinux file contextsGetting context informationInterpreting SELinux context typesKeeping or ignoring contextsInheriting the default contextsQuerying transition rulesCopying and moving filesTemporarily changing file contextsPlacing categories on files and directoriesUsing multilevel security on filesBacking up and restoring extended attributesUsing mount options to set SELinux contextsSELinux file context expressionsUsing context expressionsRegistering file context changesOptimizing recursive context operationsUsing customizable typesCompiling the different file_contexts filesExchanging local modificationsModifying file contextsUsing setfiles, rlpkg, and fixfilesRelabeling the entire filesystemAutomatically setting context with restorecondSetting SELinux context at boot with tmpfilesThe context of a processGetting a process contextTransitioning toward a domainVerifying a target contextOther supported transitionsQuerying initial contextsTweaking memory protectionsLimiting the scope of transitionsSanitizing environments on transitionDisabling unconstrained transitionsUsing Linux's NO_NEW_PRIVSTypes, permissions, and constraintsUnderstanding type attributesQuerying domain permissionsLearning about constraintsSummaryQuestions
Technical requirementsControlling process communicationsUsing shared memoryCommunicating locally through pipesConversing over UNIX domain socketsUnderstanding netlink socketsDealing with TCP, UDP, and SCTP socketsListing connection contextsLinux firewalling and SECMARK supportIntroducing netfilterImplementing security markingsAssigning labels to packetsTransitioning to nftablesAssessing eBPFSecuring high-speed InfiniBand networksDirectly accessing memoryProtecting InfiniBand networksManaging the InfiniBand subnetControlling access to InfiniBand partitionsUnderstanding labeled networkingFallback labeling with NetLabelLimiting flows based on the network interfaceAccepting peer communication from selected hostsVerifying peer-to-peer flowUsing old-style controlsUsing labeled IPsec with SELinuxSetting up regular IPsecEnabling labeled IPsecSupporting CIPSO with NetLabel and SELinuxConfiguring CIPSO mappingsAdding domain-specific mappingsUsing local CIPSO definitionsSupporting IPv6 CALIPSOSummaryQuestions
Technical requirementsIntroducing the target settings and policiesThe idempotency of actionsPolicy and state managementSELinux configuration settingsSetting file contextsRecovering from mistakesComparing frameworksUsing Ansible for SELinux system administrationHow Ansible worksInstalling and configuring AnsibleCreating and testing the Ansible roleAssigning SELinux contexts to filesystem resources with AnsibleLoading custom SELinux policies with AnsibleUsing Ansible's out-of-the-box SELinux supportUtilizing SaltStack to configure SELinuxHow SaltStack worksInstalling and configuring SaltStackCreating and testing our SELinux state with SaltStackAssigning SELinux contexts to filesystem resources with SaltStackLoading custom SELinux policies with SaltStackUsing SaltStack's out-of-the-box SELinux supportAutomating system management with PuppetHow Puppet worksInstalling and configuring PuppetCreating and testing the SELinux class with PuppetAssigning SELinux contexts to filesystem resources with PuppetLoading custom SELinux policies with PuppetUsing Puppet's out-of-the-box SELinux supportWielding Chef for system automationHow Chef worksInstalling and configuring ChefCreating the SELinux cookbookAssigning SELinux contexts to filesystem resources with ChefLoading custom SELinux policies with ChefUsing Chef's out-of-the-box SELinux supportSummaryQuestions

Technical requirementsTuning systemd services, logging, and device managementService support in systemdLogging with systemdHandling device filesCommunicating over D-BusUnderstanding D-BusControlling service acquisition with SELinuxGoverning message flowsConfiguring PAM servicesCockpitCronOpenSSHUsing mod_selinux with ApacheIntroducing mod_selinuxConfiguring the general Apache SELinux sensitivityMapping end users to specific domainsChanging domains based on sourceSummaryQuestions
Technical requirementsIntroducing PostgreSQL and sepgsqlReconfiguring PostgreSQL with sepgsqlCreating a test accountTuning sepgsql inside PostgreSQLTroubleshooting sepgsqlUnderstanding SELinux's database-specific object classes and permissionsUnderstanding sepgsql permissionsUsing the default supported typesCreating trusted proceduresUsing sepgsql-specific functionsUsing MCS and MLSLimiting access to columns based on categoriesConstraining the user domain for sensitivity range manipulationIntegrating SEPostgreSQL into the networkCreating a fallback label for remote sessionsTuning the SELinux policySummaryQuestions
Technical requirementsUnderstanding SELinux-secured virtualizationIntroducing virtualizationReviewing the risks of virtualizationReusing existing virtualization domainsFine-tuning virtualization-supporting SELinux policyUnderstanding sVirt's use of MCSEnhancing libvirt with SELinux supportDifferentiating between shared and dedicated resourcesAssessing the libvirt architectureConfiguring libvirt for sVirtChanging a guest's SELinux labelsCustomizing resource labelsControlling available categoriesChanging the storage pool locationsUsing Vagrant with libvirtDeploying Vagrant and the libvirt pluginInstalling a libvirt-compatible boxConfiguring Vagrant boxesSummaryQuestions
Technical requirementsUnderstanding Xen and XSMIntroducing the Xen hypervisorInstalling XenCreating an unprivileged guestUnderstanding Xen Security ModulesRunning XSM-enabled XenRebuilding Xen with XSM supportUsing XSM labelsManipulating XSMApplying custom XSM policiesSummaryQuestions
Technical requirementsUsing SELinux with systemd's container supportInitializing a systemd containerUsing a specific SELinux contextFacilitating container management with machinectlConfiguring podmanSelecting podman over DockerUsing containers with SELinuxChanging a container's SELinux domainCreating custom domains with udicaToggling container_t privileges with SELinux booleansTuning the container hosting environmentLeveraging Kubernetes' SELinux supportConfiguring Kubernetes with SELinux supportSetting SELinux contexts for podsSummaryQuestions
Technical requirementsWorking with SELinux booleansListing SELinux booleansChanging boolean valuesInspecting the impact of a booleanHandling policy modulesListing policy modulesLoading and removing policy modulesReplacing and updating existing policiesCreating policies using audit2allowUsing sensible module namesGenerating reference policy style modules with audit2allowBuilding reference policy - style modulesBuilding legacy-style modulesReplacing the default distribution policySummaryQuestions
Technical requirementsPerforming single-step analysisUsing different SELinux policy filesDisplaying policy object informationUnderstanding sesearchQuerying allow rulesQuerying type transition rulesQuerying other type rulesQuerying role-related rulesBrowsing with apolUsing apol workspacesInvestigating domain transitionsUsing apol for domain transition analysisUsing sedta for domain transition analysisUsing sepolicy for domain transition analysisAnalyzing information flowUsing apol for information flow analysisUsing seinfoflow for information flow analysisUsing sepolicy communicate for simple information flow analysisComparing policiesUsing sediff to compare policiesSummaryQuestions
Technical requirementsRunning applications without restrictionsUnderstanding how unconfined domains workMaking new applications run as an unconfined domainExtending unconfined domainsMarking domains as permissiveUsing sandboxed applicationsUnderstanding the SELinux sandboxUsing the sandbox commandAssigning common policies to new applicationsUnderstanding domain complexityRunning applications in a specific policyExtending generated policiesUnderstanding the limitations of generated policiesIntroducing sepolicy generateGenerating policies with sepolicy generateSummaryQuestions
Technical requirementsIntroducing the reference policyNavigating the policyStructuring policy modulesUsing and understanding the policy macrosMaking use of single-class permission groupsCalling permission groupsCreating application-level policiesConstructing network-facing service policiesAddressing user applicationsAdding user-level policiesGetting help with supporting toolsVerifying code with selintQuerying the interfaces and macros locallySummaryQuestions
Technical requirementsIntroducing CILTranslating .pp files to CILUnderstanding CIL syntaxCreating fine-grained definitionsDepending on roles or typesDefining a new port typeAdding constraints to the policyBuilding complete application policiesUsing namespacesExtending the policy with attribute assignmentsAdding entry point informationGradually extending the policy furtherIntroducing permission setsAdding macrosSummaryQuestions
Chapter 1Chapter 2Chapter 3Chapter 4Chapter 5Chapter 6Chapter 7Chapter 8Chapter 9Chapter 10Chapter 11Chapter 12Chapter 13Chapter 14Chapter 15Chapter 16
Leave a review - let other readers know what you think

Content preview from SELinux System Administration, Third Edition - Third Edition

Chapter 11: Enhancing the Security of Containerized Workloads

Container platforms and management frameworks provide application-level abstraction to administrators and developers. Lightweight container frameworks allow for rapid development and deployment of new applications, whereas heavier container platforms allow for optimal resource consumption and highly resilient hosting platforms.

SELinux plays a vital role in many of these frameworks and platforms, ensuring that untrusted containers cannot escape or interact with resources they are not supported to interact with. In this chapter, we look at how SELinux is supported, ranging from systemd-nspawn to podman (and Docker), and finally in larger environments with Kubernetes. We also learn ...