SELinux System Administration

Sven Vermeulen

Language: English

Pages: 120

ISBN: 1783283173

Format: PDF / Kindle (mobi) / ePub


With a command of SELinux you can enjoy watertight security on your Linux servers. This guide shows you how through examples taken from real-life situations, giving you a good grounding in all the available features.

Overview

  • Use SELinux to further control network communications
  • Enhance your system's security through SELinux access controls
  • Set up SELinux roles, users and their sensitivity levels

In Detail

NSA Security-Enhanced Linux (SELinux) is a set of patches and added utilities to the Linux kernel to incorporate a strong, flexible, mandatory access control architecture into the major subsystems of the kernel. With its fine-grained yet flexible approach, it is no wonder Linux distributions are firing up SELinux as a default security measure.

SELinux System Administration covers the majority of SELinux features through a mix of real-life scenarios, descriptions, and examples. Everything an administrator needs to further tune SELinux to suit their needs is present in this book.

This book touches on various SELinux topics, guiding you through the configuration of SELinux contexts, definitions, and the assignment of SELinux roles, and finishes up with policy enhancements. All of SELinux's configuration handles, be they conditional policies, constraints, policy types, or audit capabilities, are covered in this book with genuine examples that administrators might come across.

By the end, SELinux System Administration will have taught you how to configure your Linux system to be more secure, powered by a formidable mandatory access control.

What you will learn from this book

  • Enable and disable features selectively or even enforce them to a granular level
  • Interpret SELinux logging to make security-conscious decisions
  • Assign new contexts and sensitivity labels to files and other resources
  • Work with mod_selinux to secure web applications
  • Use tools like sudo, runcon, and newrole to switch roles and run privileged commands in a safe environment
  • Use iptables to assign labels to network packets
  • Configure IPSec and NetLabel to transport SELinux contexts over the wire
  • Build your own SELinux policies using reference policy interfaces

Approach

A step-by-step guide to learn how to set up security on Linux servers by taking SELinux policies into your own hands.

Who this book is written for

Linux administrators will enjoy the various SELinux features that this book covers and the approach used to guide the admin into understanding how SELinux works. The book assumes that you have basic knowledge in Linux administration, especially Linux permission and user management.

Table of Contents (excerpt)

For a single service
Applications that "speak" SELinux 25 25 26 26 27 28 29
SELinux logging and auditing 30
Configuring SELinux' log destination 30
Reading SELinux denials 31
Uncovering more denials 34
Getting help with denials 35
setroubleshoot to the rescue 35
Using audit2why 37
Using common sense 37
Summary 38
Chapter 3: Managing User Logins 39
So, who am I? 39
Chapter 4: Process Domains and File-level Access Controls 53
The rationale behind...

Excerpts from the book

The supported arguments to the pam_selinux code are described in the pam_selinux manual page. In the preceding example, the close option clears the current context (if any) whereas the open option sets the context of the user. SELinux supports the aspect of selective contexts. The context is based on the process through which the user logs in. A perfect example of this is to differentiate administrators when they log in through the console (where they can be in the...

...Class. The option-like statements discussed previously are used in the context list itself (on the filesystem) and are also used when we would set our own context definition. An important property of the context list is how it is prioritized. After all, we could easily have two expressions that both match. Within SELinux, the rule that is the most specific wins. The logic used is as follows (in order):

  • If line A has a regular expression, ...

allow httpd_t http_port_t : tcp_socket { recv_msg send_msg name_bind } ;

From the output, we can imagine that there are also recv_msg and send_msg permissions. Although these are still known in the policy, they are no longer used and expected to disappear in the near future. The only permissions that are checked are the name_bind and name_connect ones. As an administrator, we can change the label assigned to particular ports. For instance, we can assign the http_port_t label to port 84 using...

...their actual behavior, but it can also be written to be very liberal in what applications are allowed to do. One of the concepts available in many SELinux policies is the idea of unconfined domains. When enabled, it means that certain SELinux domains (process contexts) are allowed to do almost anything they want (of course within the boundaries of the regular Linux DAC permissions, which still hold) and only a few selected ones are truly confined (restricted) in their actions. Unconfined domains have...
