SELinux System Administration

You're reading from SELinux System Administration. With a command of SELinux you can enjoy watertight security on your Linux servers. This guide shows you how through examples taken from real-life situations, giving you a good grounding in all the available features.

Product type Paperback
Published in Sep 2013
Publisher Packt
ISBN-13 9781783283170
Length 120 pages
Edition 1st Edition
Author (1):
Sven Vermeulen

Index

A

  • accesses
    • auditing / Auditing access attempts
  • allow statement / Auditing access attempts
  • application-based contexts / Application-based contexts
  • application domain
    • creating / Creating new application domains
    • example / An example application domain
    • interfaces, creating / Creating interfaces
  • applications
    • running, in SELinux / Applications that "speak" SELinux
  • audispd application / setroubleshoot to the rescue
  • audit2allow
    • used, for troubleshooting / Troubleshooting using audit2allow
  • audit2allow application / Troubleshooting using audit2allow
  • audit2why
    • using / Using audit2why
  • audit2why utility / Using audit2why
  • auditallow statement / Auditing access attempts
  • ausearch command / Reading SELinux denials
  • authentication
    • context switching, using / Context switching during authentication
  • AVC
    • about / SELinux logging and auditing
  • AVC value / SELinux logging and auditing

B

  • -b option / Inspecting the impact of Boolean
  • Boolean impact
    • inspecting / Inspecting the impact of Boolean
  • boolean option / Overview of SELinux Booleans
  • boolean value / Changing Boolean values
  • Boolean values
    • changing / Changing Boolean values
  • bounded domain / Working with mod_selinux

C

  • <class> field / Querying domain permissions
  • categories
    • placing, on files / Placing categories on files and directories
    • placing, on directories / Placing categories on files and directories
  • chcat tool / Limiting access based on confidentiality, Placing categories on files and directories
  • chcat utility / Limiting access based on confidentiality
  • chcon / Creating customizable types
  • chcon tool / Setting context information
  • client
    • and server, differentiating between / Differentiating between server and client communication
  • common sense
    • using / Using common sense
  • communication
    • accepting, from selected hosts / Accepting communication from selected hosts
  • confidentiality
    • access, limiting on / Limiting access based on confidentiality
  • constraints
    • about / Understanding constraints
  • context
    • inheriting / Inheriting the context
  • context expressions
    • working with / Working with context expressions
  • context fields
    • SELinux types / SELinux types
    • SELinux roles / SELinux roles
    • SELinux users / SELinux users
    • Sensitivity labels / Sensitivity labels
  • context information
    • obtaining / Getting context information
    • setting / Setting context information
  • context switching
    • used, during authentication / Context switching during authentication
  • ctx option / Enabling labeled IPSec
  • customizable type
    • creating / Creating customizable types
  • customizable types
    • using / Using customizable types

D

  • --disable_dontaudit argument / Uncovering more denials
  • DAC
    • about / Providing more security to Linux
  • daemon attribute / Type attributes
  • DBMS
    • about / Providing more security to Linux
  • directories
    • categories, placing on / Placing categories on files and directories
  • DLNA
    • about / Disabling SELinux protections for a single service
  • dnsmasq process / Reading SELinux denials
  • DOI
    • about / About NetLabel/CIPSO
  • dokuwiki directory / Getting context information
  • domain permissions
    • querying / Querying domain permissions
  • domain transitions
    • about / Transitioning towards a domain
  • domain_use_interactive_fds() / Using selocal
  • dontaudit statement / Uncovering more denials
  • dynamic transitions / Other supported transitions

E

  • enforcing=0 / Using kernel boot parameters
  • enforcing=1 / Using kernel boot parameters
  • enforcing mode / Disabling SELinux, Switching to permissive (or enforcing) temporarily, Using kernel boot parameters, Applications that "speak" SELinux, Reading SELinux denials
  • enforcing state / Disabling SELinux

F

  • files
    • categories, placing on / Placing categories on files and directories

G

  • getenforce command / Disabling SELinux
  • getfacl command / SELinux versus regular DAC
  • getfattr application / Getting context information
  • getsebool application / Overview of SELinux Booleans
  • getseuser command / Application-based contexts
  • granted statement / Auditing access attempts

H

  • hosts
    • communication, accepting from / Accepting communication from selected hosts
  • httpd binary / Everything gets a label
  • httpd_can_sendmail / Manipulating SELinux policies
  • httpd_t / The context fields

I

  • id command / Everything gets a label
  • init command / Disabling SELinux
  • initrc_domain attribute / Type attributes
  • initrc_t type / Type attributes
  • init script / Reading SELinux denials
  • inode number / Reading SELinux denials
  • interfaces
    • using / Using different interfaces and nodes
  • intranet_packet_t type / Creating customized SECMARK types
  • invalid_packet_t type / Creating customized SECMARK types
  • IPSec
    • setting up / Setting up regular IPSec

K

  • kernel boot parameters
    • using / Using kernel boot parameters

L

  • labeled IPSec
    • example / Example – labeled IPSec
    • enabling / Enabling labeled IPSec
  • labeled networking
    • about / Introducing labeled networking
    • flows, limiting on network interface / Limiting flows based on the network interface
    • communication, accepting from selected hosts / Accepting communication from selected hosts
    • peer to peer flow, verifying / Verifying peer-to-peer flow
  • libselinux library / Applications that "speak" SELinux
  • Linux
    • securing / Providing more security to Linux
  • Linux DAC
    • versus SELinux / SELinux versus regular DAC
  • Linux NetFilter
    • integrating with / Integrating with Linux netfilter
  • LSM
    • about / Linux security modules to the rescue

M

  • MAC (Mandatory Access Control) / Providing more security to Linux
  • Makefile command / Building reference policy modules
  • matchpathcon utility / Using common sense
  • MCS
    • versus MLS / MCS versus MLS
  • MLS
    • versus MCS / MCS versus MLS
  • MLS status / MLS status
  • modules
    • creating / Creating our own modules
    • native modules, building / Building native modules
    • reference policy modules, building / Building reference policy modules
  • mod_selinux
    • working with / Working with mod_selinux
  • mount option / Getting context information

N

  • name_bind permission / Labeling ports
  • name_connect permission / Labeling ports
  • native modules
    • building / Building native modules
  • NetFilter
    • packet, labeling through / Packet labeling through netfilter
    • labels, assigning to packets / Assigning labels to packets
    • server and client communication, differentiating between / Differentiating between server and client communication
  • NetLabel/CIPSO
    • about / About NetLabel/CIPSO
  • netpeer
    • about / Common labeling approach
  • network interface
    • flows, limiting on / Limiting flows based on the network interface
  • newrole
    • role, switching with / Full role switching with newrole
  • nodes
    • using / Using different interfaces and nodes

O

  • openssh package / Setting context information

P

  • (permissions) / Reading SELinux denials
  • <permissions> field / Querying domain permissions
  • packet
    • labeling, through NetFilter / Packet labeling through netfilter
    • labels, assigning to / Assigning labels to packets
  • PAM / Context switching during authentication
  • peer to peer flow
    • verifying / Verifying peer-to-peer flow
  • Permission denied error / Reading SELinux denials
  • permissive mode / Disabling SELinux, Switching to permissive (or enforcing) temporarily, Using kernel boot parameters, Applications that "speak" SELinux
    • switching to / Switching to permissive (or enforcing) temporarily
  • permissive state / Disabling SELinux
  • pgsql_admin role / The pgsql_admin role and user
  • pgsql_admin user / The pgsql_admin role and user
  • ping command / Enabling labeled IPSec
  • policy
    • MCS versus MLS / MCS versus MLS
    • binaries / Policy binaries
  • polmatch permission / Enabling labeled IPSec
  • privfd / Using selocal
  • process class / Transitioning towards a domain
  • process ID / Reading SELinux denials
  • process name / Reading SELinux denials

R

  • -r parameter / We all are one SELinux user
  • reference policy
    • URL / Policies – the ultimate dictators
  • reference policy modules
    • building / Building reference policy modules
  • refpolicy macros
    • using / Using refpolicy macros
  • relabel operation / Creating customizable types
  • resource class / Reading SELinux denials
  • role
    • switching, with newrole / Full role switching with newrole
  • role access
    • managing, with sudo / Managing role access with sudo
  • roles
    • about / SELinux users and roles
    • creating / Creating roles and user domains
  • root rights
    • configuring / Restricting root privileges
  • runcon user application / The runcon user application
  • run_init application / Switching to the system role

S

  • (SELinux action) / Reading SELinux denials
  • -s parameter / We all are one SELinux user
  • <source> field / Querying domain permissions
  • s0 / The context fields
  • sealert application / setroubleshoot to the rescue
  • sealert command / setroubleshoot to the rescue
  • seapplet / setroubleshoot to the rescue
  • SECMARK types
    • creating / Creating customized SECMARK types
  • security namespace / Getting context information
  • sedispatch application / setroubleshoot to the rescue
  • seinfo tool / The rationale behind unconfined
  • SELinux
    • versus Linux DAC / SELinux versus regular DAC
    • enabling / Enabling SELinux – not just a switch
    • disabling / Disabling SELinux
    • applications, running / Applications that "speak" SELinux
    • logging / SELinux logging and auditing
    • auditing / SELinux logging and auditing
    • log events, sending / Configuring SELinux' log destination
  • selinux=0 / Using kernel boot parameters
  • SELinux Booleans
    • about / Overview of SELinux Booleans
  • SELinux denials
    • reading / Reading SELinux denials
  • SELinux development mode / Switching to permissive (or enforcing) temporarily
  • selinuxDomainVal directive / Working with mod_selinux
  • SELinux policy
    • about / Policies – the ultimate dictators
    • store names / SELinux policy store names and options
    • options / SELinux policy store names and options
    • MLS status / MLS status
    • unknown permissions, dealing / Dealing with unknown permissions
    • unconfined domains, supporting / Supporting unconfined domains
    • UBAC / User-based access control
    • manipulating / Manipulating SELinux policies
    • SELinux Booleans / Overview of SELinux Booleans
    • Boolean values, changing / Changing Boolean values
    • Boolean impact, inspecting / Inspecting the impact of Boolean
    • enhancing / Enhancing SELinux policies
    • troubleshooting, audit2allow used / Troubleshooting using audit2allow
    • refpolicy macros, using / Using refpolicy macros
    • selocal, using / Using selocal
  • SELinux policy modules / SELinux policy modules
    • handling / Handling SELinux policy modules
  • SELinux protections
    • disabling, for single service / Disabling SELinux protections for a single service
  • SELinux roles / SELinux roles
    • about / SELinux roles
    • user_r role / SELinux roles
    • staff_r role / SELinux roles
    • sysadm_r role / SELinux roles
    • system_r role / SELinux roles
    • unconfined_r role / SELinux roles
  • SELINUXTYPE parameter / Policies – the ultimate dictators
  • SELinux types / SELinux types
  • SELinux user
    • about / So, who am I?, SELinux users and roles, We all are one SELinux user
    • __default__ / We all are one SELinux user
    • system_u / We all are one SELinux user
    • additional users, creating / Creating additional users
    • access, limiting on confidentiality / Limiting access based on confidentiality
  • SELinux users / SELinux users
  • SELinux userspace
    • URL / Enabling SELinux – not just a switch
  • SELINUX variable / Disabling SELinux
  • SELINUX_DOMAIN variable / Working with mod_selinux
  • selinux_unconfined_type attribute / The rationale behind unconfined
  • selocal
    • using / Using selocal
    • about / Using selocal
  • semanage application / Working with context expressions
  • semanage command / Disabling SELinux protections for a single service, Overview of SELinux Booleans
  • semanage commands / Limiting flows based on the network interface
  • semanage fcontext command / An example application domain
  • semanage login tool / We all are one SELinux user
  • semanage tool / Limiting flows based on the network interface, Accepting communication from selected hosts
  • semanage translation command / Limiting access based on confidentiality
  • sem class / Querying domain permissions
  • semodule application / Uncovering more denials
  • semodule command / SELinux policy modules, Uncovering more denials, Handling SELinux policy modules
  • Sensitivity labels / Sensitivity labels
  • server
    • and client, differentiating between / Differentiating between server and client communication
  • sesearch application / Inspecting the impact of Boolean
  • sesearch command / Querying domain permissions
  • sestatus command / Disabling SELinux
  • setenforce command / Switching to permissive (or enforcing) temporarily, Using kernel boot parameters
  • setexeccon() method / Other supported transitions
  • setfacl command / SELinux versus regular DAC
  • setfattr command / Setting context information
  • setfiles application / Setting context information
  • setroubleshoot daemon / setroubleshoot to the rescue
  • shell access / Shell access
  • single service
    • SELinux protections, disabling for / Disabling SELinux protections for a single service
  • source context / Reading SELinux denials
  • spdadd command / Enabling labeled IPSec
  • sqlite3 command / Creating customizable types
  • staff_r role / SELinux roles
  • stat application / Getting context information
  • storage_read_tape() method / Using refpolicy macros
  • strict policy / Policies across distributions
  • sudo
    • role access, managing with / Managing role access with sudo
  • sysadm_r role / SELinux roles
  • systemd unit / Reading SELinux denials
  • system role
    • switching to / Switching to the system role
  • system_r / The context fields
  • system_r role / SELinux roles
  • system_u / The context fields, We all are one SELinux user

T

  • target context / Reading SELinux denials
  • target device / Reading SELinux denials
  • target name / Reading SELinux denials
  • TCP port
    • labeling / Labeling ports
  • tcp_socket class / TCP and UDP support, Labeling ports
  • TCSEC (Trusted Computer System Evaluation Criteria) / Providing more security to Linux
  • transition privilege / Transitioning towards a domain
  • type attributes / Type attributes
  • type identifier / Inheriting the context

U

  • UBAC / User-based access control
  • UDP port
    • labeling / Labeling ports
  • udp_socket class / TCP and UDP support
  • umount / Auditing access attempts
  • unconfined domains
    • supporting / Supporting unconfined domains
  • unconfined_r role / SELinux roles
  • unknown permissions
    • dealing with / Dealing with unknown permissions
  • USE flag / User-based access control
  • user domains
    • creating / Creating roles and user domains
  • user rights
    • creating / Creating the user rights
  • users
    • creating / Creating additional users
  • user_r role / SELinux roles

Z

  • -Z switch / Everything gets a label
  • zosremote_domtrans interface / Creating interfaces
  • zosremote_run interface / Creating interfaces