SELinux System Administration

SELinux System Administration
eBook: $19.99
Formats: PDF, PacktLib, ePub and Mobi formats
save 15%!
Print + free eBook + free PacktLib access to the book: $52.98    Print cover: $32.99
save 38%!
Free Shipping!
UK, US, Europe and selected countries in Asia.
Also available on:
Table of Contents
Sample Chapters
  • Use SELinux to further control network communications
  • Enhance your system's security through SELinux access controls
  • Set up SELinux roles, users and their sensitivity levels

Book Details

Language : English
Paperback : 120 pages [ 235mm x 191mm ]
Release Date : September 2013
ISBN : 1783283173
ISBN 13 : 9781783283170
Author(s) : Sven Vermeulen
Topics and Technologies : All Books, Networking and Servers, Open Source

Table of Contents

Chapter 1: Fundamental SELinux Concepts
Chapter 2: Understanding SELinux Decisions and Logging
Chapter 3: Managing User Logins
Chapter 4: Process Domains and File-level Access Controls
Chapter 5: Controlling Network Communications
Chapter 6: Working with SELinux Policies
  • Chapter 1: Fundamental SELinux Concepts
    • Providing more security to Linux
      • Linux security modules to the rescue
      • SELinux versus regular DAC
        • Restricting root privileges
      • Enabling SELinux – not just a switch
    • Everything gets a label
      • The context fields
        • SELinux types
        • SELinux roles
        • SELinux users
        • Sensitivity labels
    • Policies – the ultimate dictators
      • SELinux policy store names and options
        • MLS status
        • Dealing with unknown permissions
        • Supporting unconfined domains
        • User-based access control
      • Policies across distributions
        • MCS versus MLS
        • Policy binaries
    • Summary
    • Chapter 2: Understanding SELinux Decisions and Logging
      • Disabling SELinux
      • SELinux on, SELinux off
        • Switching to permissive (or enforcing) temporarily
        • Using kernel boot parameters
        • Disabling SELinux protections for a single service
        • Applications that "speak" SELinux
      • SELinux logging and auditing
        • Configuring SELinux' log destination
        • Reading SELinux denials
        • Uncovering more denials
        • Getting help with denials
          • setroubleshoot to the rescue
          • Using audit2why
          • Using common sense
      • Summary
      • Chapter 3: Managing User Logins
        • So, who am I?
          • The rationale behind unconfined
        • SELinux users and roles
          • We all are one SELinux user
          • Creating additional users
          • Limiting access based on confidentiality
        • Jumping from one role to another
          • Full role switching with newrole
          • Managing role access with sudo
          • Switching to the system role
          • The runcon user application
        • Getting in the right context
          • Context switching during authentication
          • Application-based contexts
        • Summary
        • Chapter 4: Process Domains and File-level Access Controls
          • Reading and changing file contexts
            • Getting context information
            • Working with context expressions
            • Setting context information
            • Using customizable types
            • Inheriting the context
            • Placing categories on files and directories
          • The context of a process
            • Transitioning towards a domain
            • Other supported transitions
            • Working with mod_selinux
          • Dealing with types, permissions, and constraints
            • Type attributes
            • Querying domain permissions
            • Understanding constraints
          • Summary
          • Chapter 5: Controlling Network Communications
            • TCP and UDP support
              • Labeling ports
            • Integrating with Linux netfilter
              • Packet labeling through netfilter
              • Assigning labels to packets
              • Differentiating between server and client communication
            • Introducing labeled networking
              • Common labeling approach
                • Limiting flows based on the network interface
                • Accepting communication from selected hosts
                • Verifying peer-to-peer flow
              • Example – labeled IPSec
                • Setting up regular IPSec
                • Enabling labeled IPSec
              • About NetLabel/CIPSO
            • Summary
            • Chapter 6: Working with SELinux Policies
              • Manipulating SELinux policies
                • Overview of SELinux Booleans
                • Changing Boolean values
                • Inspecting the impact of Boolean
              • Enhancing SELinux policies
                • Handling SELinux policy modules
                • Troubleshooting using audit2allow
                • Using refpolicy macros
                • Using selocal
              • Creating our own modules
                • Building native modules
                • Building reference policy modules
              • Creating roles and user domains
                • The pgsql_admin role and user
                  • Creating the user rights
                  • Shell access
              • Creating new application domains
                • An example application domain
                • Creating interfaces
            • Other uses of policy enhancements
              • Creating customized SECMARK types
              • Using different interfaces and nodes
              • Auditing access attempts
              • Creating customizable types
            • Summary

              Sven Vermeulen

              Sven Vermeulen is a long term contributor to various free software projects and the author of various online guides and resources. He got his first taste of free software in 1997 and never looked back since then. In 2003, he joined the ranks of the Gentoo Linux project as a documentation developer and has crossed several roles after that, including Gentoo Foundation’s trustee, council member, project leads for documentation, and (his current role) project lead for Gentoo Hardened’s SELinux integration. In this time frame, he has gained expertise in several technologies, ranging from operating system level knowledge to application servers as he used his interest in security to guide his projects further: security guides using SCAP languages, mandatory access controls through SELinux, authentication with PAM, (application) firewalling, and more. On SELinux, he has contributed several policies to the reference policy project and participates actively in policy development and user space development projects. Sven is an IT infrastructure architect working at a European financial institution. Secured implementation of infrastructure (and the surrounding architectural integration) is of course an important part of this. Prior to this, he graduated with an MSc in Computer Engineering at the University of Ghent and then worked as a web application infrastructure engineer with IBM WebSphere AS. Sven is the main author of Gentoo’s Handbook which covers the installation and configuration of Gentoo Linux on several architectures. He also authored the Linux Sea online publication, which is a gentle introduction to Linux for novice system administrators.
              Sorry, we don't have any reviews for this title yet.

              Submit Errata

              Please let us know if you have found any errors not listed on this list by completing our errata submission form. Our editors will check them and add them to this list. Thank you.

              Sample chapters

              You can view our sample chapters and prefaces of this title on PacktLib or download sample chapters in PDF format.

              Frequently bought together

              SELinux System Administration +    Web Penetration Testing with Kali Linux =
              50% Off
              the second eBook
              Price for both: €28.90

              Buy both these recommended eBooks together and get 50% off the cheapest eBook.

              What you will learn from this book

              • Enable and disable features selectively or even enforce them to a granular level
              • Interpret SELinux logging to make security-conscious decisions
              • Assign new contexts and sensitivity labels to files and other resources
              • Work with mod_selinux to secure web applications
              • Use tools like sudo, runcon, and newrole to switch roles and run privileged commands in a safe environment
              • Use iptables to assign labels to network packets
              • Configure IPSec and NetLabel to transport SELinux contexts over the wire
              • Build your own SELinux policies using reference policy interfaces

              In Detail

              NSA Security-Enhanced Linux (SELinux) is a set of patches and added utilities to the Linux kernel to incorporate a strong, flexible, mandatory access control architecture into the major subsystems of the kernel. With its fine-grained yet flexible approach, it is no wonder Linux distributions are firing up SELinux as a default security measure.

              SELinux System Administration covers the majority of SELinux features through a mix of real-life scenarios, descriptions, and examples. Everything an administrator needs to further tune SELinux to suit their needs are present in this book.

              This book touches on various SELinux topics, guiding you through the configuration of SELinux contexts, definitions, and the assignment of SELinux roles, and finishes up with policy enhancements. All of SELinux's configuration handles, be they conditional policies, constraints, policy types, or audit capabilities, are covered in this book with genuine examples that administrators might come across.

              By the end, SELinux System Administration will have taught you how to configure your Linux system to be more secure, powered by a formidable mandatory access control.


              A step-by-step guide to learn how to set up security on Linux servers by taking SELinux policies into your own hands.

              Who this book is for

              Linux administrators will enjoy the various SELinux features that this book covers and the approach used to guide the admin into understanding how SELinux works. The book assumes that you have basic knowledge in Linux administration, especially Linux permission and user management.

              Code Download and Errata
              Packt Anytime, Anywhere
              Register Books
              Print Upgrades
              eBook Downloads
              Video Support
              Contact Us
              Awards Voting Nominations Previous Winners
              Judges Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software
              Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software