book

SELinux

Name: SELinux
Author: Bill McCarty
ISBN: 9780596007164

by Bill McCarty

October 2004

Intermediate to advanced

256 pages

8h 16m

English

O'Reilly Media, Inc.

Read now

Unlock full access

SELinux
Preface
Organization of This Book
Conventions Used in This Book
Keyboard Accelerators
Using Code Examples
How to Contact Us
Acknowledgments
1. Introducing SELinux
Software Threats and the InternetSoftware complexityNetwork connectivityActive content and mobile codePrivilege EscalationThe Patch Cycle and the 0-Day ProblemProtecting Against 0-DaysNetwork and Host DefensesNetwork defensesNetwork firewallsNetwork intrusion detection and prevention systemsHost defensesHost firewalls and intrusion detection systemsLogging and auditingMemory protectionSandboxesAccess-control listsDiscretionary and Mandatory Access ControlDiscretionary access controlMandatory access control
SELinux Features
How SELinux WorksSELinux Components and Linux Security Modules (LSM)
Applications of SELinux
SELinux History

Web and FTP Sites
Mailing Lists
2. Overview of the SELinux Security Model
Subjects and Objects
Security Contexts
Transient and Persistent Objects
Access Decisions
Transition Decisions
SELinux Architecture
Kernel-Level CodeThe SELinux Shared LibraryThe SELinux Security PolicySELinux ToolsSELinux commandsModified Linux commands and programsSupplementary SELinux toolsReferences
3. Installing and Initially Configuring SELinux
SELinux Versions
Installing SELinux
Linux Distributions Supporting SELinux
Fedora Core 2
Installation Overview
Installing SELinux from Binary or Source Packages
Debian GNU/LinuxGentoo LinuxInstalling SELinux to a fresh Gentoo systemInstalling SELinux to an existing Gentoo Linux systemRPM-Based DistributionsRed Hat Enterprise LinuxSUSE Linux
Installing from Source
4. Using and Administering SELinux
System Modes and SELinux Tuning
Controlling SELinux
Switching ModesSetting the initial operating modeDynamically setting the operating modeDisabling SELinux at boot timeLoading the SELinux Security PolicyThe SELinux MakefileThe SELinux policy compiler (checkpolicy)The load_policy utilityLabeling Filesystems and FilesUsing the Makefile to label or relabel filesystemsUsing commands to label or relabel files or filesystemsThe chcon utilityThe fixfiles utilityThe restorecon utilityThe setfiles utilityTuning Fedora Core 2 SELinuxTuning via macrosTuning via policy BooleansSetting Booleans via the /selinux filesystem
Routine SELinux System Use and Administration
Entering a RoleChanging rolesViewing Security ContextsViewing the user security contextViewing a file security contextViewing a process security contextAdding UsersAssociating a user with a nondefault roleHow default roles are assignedSetting user passwordsStarting and Controlling DaemonsStarting non-init daemons and programs
Monitoring SELinux
SELinux Log Message FormatSELinux Logging SubtletiesThe Audit2allow Utility
Troubleshooting SELinux
Boot ProblemsLocal Login ProblemsProgram Execution ProblemsDaemon ProblemsX Problems
5. SELinux Policy and Policy Language Overview
The SELinux Policy
Two Forms of an SELinux Policy
Anatomy of a Simple SELinux Policy Domain
The snort.fc FileThe snort.te FileThe type lineThe allow linesMacro invocations
SELinux Policy Structure
The flask SubdirectoryThe flask/initial_sids fileThe flask/security_classes fileThe flask/access_vectors fileThe macros SubdirectoryThe file_contexts SubdirectoryThe types SubdirectoryThe domains SubdirectoryThe appconfig SubdirectoryThe Policy Source Directory
6. Role-Based Access Control
The SELinux Role-Based Access Control Model
Railroad Diagrams
What Railroad Diagrams DoHow Railroad Diagrams Work
SELinux Policy Syntax
Basic Policy Elements
User Declarations
Role-Based Access Control Declarations
Role Type DeclarationsRole Dominance DeclarationsRole Transition DeclarationsRole Allow Declarations
7. Type Enforcement
The SELinux Type-Enforcement Model
Review of SELinux Policy Syntax
Type-Enforcement Declarations
Type DeclarationsType-Alias DeclarationsAttribute DeclarationsTE Access-Vector DeclarationsSpecial notations for types, classes, and permissionsMacros that specify and authorize transitionsTransition DeclarationsBoolean DeclarationsConditional Declarations
Examining a Sample Policy
8. Ancillary Policy Statements
Constraint Declarations
Other Context-Related Declarations
Syntax of Initial SID Context DeclarationsSyntax of Filesystem Labeling DeclarationsSyntax of Genfs DeclarationsSyntax of Network DeclarationsPortcon declarationsNetifcon declarationsNodecon declarations
Flask-Related Declarations
Syntax of security_classesSyntax of initial_sidsSyntax of access_vectors
9. Customizing SELinux Policies
The SELinux Policy Source Tree
On the Topics of Difficulty and Discretion
Using the SELinux Makefile
Creating an SELinux User
Adding a System AdministratorAdding an Ordinary User
Customizing Roles
Adding Permissions
Allowing a User Access to an Existing Domain
Creating a New Domain
Determine What Files Are Related to the DomainDetermine the Security Contexts of the FilesDecide on Appropriate Security Contexts for the New DomainCreate a Basic TE FileCreate a Basic FC FileDelete Conflicting Specifications from Other FC FilesLoad the Revised Policy and Label the DomainsTest and Revise the TE and FC Files as Needed
Using Audit2allow
Policy Management Tools
ApolPolicy componentsPolicy rulesAnalysisSeauditSepcutSeuserx
The Road Ahead
A. Security Object Classes
B. SELinux Operations
C. SELinux Macros Defined in src/policy/macros
D. SELinux General Types
E. SELinux Type Attributes
Index
Colophon

Content preview from SELinux

Role-Based Access Control Declarations

As Figure 6-15 shows, there are four types of RBAC declarations:

role_type_def: Role type declarations
role_dominance: Role dominance declarations
roletrans_def: Role transition declarations
role_allow_def: Role allow declarations

Figure 6-15. RBAC declarations (rbac_decl)

Role Type Declarations

A role type declaration specifies the set of domains for which a role is authorized. They have the form shown in Figure 6-16. The symbol identifier specifies the role and the symbol names specifies the authorized domain or domains.

Figure 6-16. Role type declaration (role_type_def)

Role type declarations typically appear in type enforcement files, where they specify the roles that are authorized to enter the domains defined by the TE files. For instance, the ping.te file contains the following role-type declarations:

role sysadm_r types ping_t;
role system_r types ping_t;

The first declaration authorizes the sysadm_r role to enter the ping_t domain. The second declaration authorizes the system_r role to do likewise.

Role Dominance Declarations

Role dominance declarations can be used to specify a hierarchy among roles. However, existing implementations of SELinux policies do not specify role hierarchies.

Role Transition Declarations

At one time, role transition rules ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Mastering Security-Enhanced Linux (SELinux)

Publisher Resources

ISBN: 0596007167Catalog Page Errata

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business