Packt+ | Advance your knowledge in tech

You're reading from SELinux System Administration With a command of SELinux you can enjoy watertight security on your Linux servers. This guide shows you how through examples taken from real-life situations, giving you a good grounding in all the available features.

Product type Paperback

Published in Sep 2013

Publisher Packt

ISBN-13 9781783283170

Length 120 pages

Edition 1st Edition

Tools

SELinux

Concepts

System Administration

Author (1):

Sven Vermeulen

View More author details

Table of Contents (13) Chapters

SELinux System Administration

Credits

About the Author

About the Reviewers

www.PacktPub.com

Preface

1. Fundamental SELinux Concepts FREE CHAPTER

2. Understanding SELinux Decisions and Logging

3. Managing User Logins

4. Process Domains and File-level Access Controls

5. Controlling Network Communications

6. Working with SELinux Policies

Index

A

accesses
- auditing / Auditing access attempts
allow statement / Auditing access attempts
application-based contexts / Application-based contexts
application domain
- creating / Creating new application domains
- example / An example application domain
- interfaces, creating / Creating interfaces
applications
- running, in SELinux / Applications that "speak" SELinux
audispd application / setroubleshoot to the rescue
audit2allow
- used, for troubleshooting / Troubleshooting using audit2allow
audit2allow application / Troubleshooting using audit2allow
audit2why
- using / Using audit2why
audit2why utility / Using audit2why
auditallow statement / Auditing access attempts
ausearch command / Reading SELinux denials
authentication
- context switching, using / Context switching during authentication
AVC
- about / SELinux logging and auditing
AVC value / SELinux logging and auditing

B

-b option / Inspecting the impact of Boolean
Boolean impact
- inspecting / Inspecting the impact of Boolean
boolean option / Overview of SELinux Booleans
boolean value / Changing Boolean values
Boolean values
- changing / Changing Boolean values
bounded domain / Working with mod_selinux

C

<class> field / Querying domain permissions
categories
- placing, on files / Placing categories on files and directories
- placing, on directories / Placing categories on files and directories
chcat tool / Limiting access based on confidentiality, Placing categories on files and directories
chcat utility / Limiting access based on confidentiality
chcon / Creating customizable types
chcon tool / Setting context information
client
- and server, differentiating between / Differentiating between server and client communication
common sense
- using / Using common sense
communication
- accepting, from selected hosts / Accepting communication from selected hosts
confidentiality
- access, limiting on / Limiting access based on confidentiality
constraints
- about / Understanding constraints
context
- inheriting / Inheriting the context
context expressions
- working with / Working with context expressions
context fields
- SELinux types / SELinux types
- SELinux roles / SELinux roles
- SELinux users / SELinux users
- Sensitivity labels / Sensitivity labels
context information
- obtaining / Getting context information
- setting / Setting context information
context switching
- used, during authentication / Context switching during authentication
ctx option / Enabling labeled IPSec
customizable type
- creating / Creating customizable types
customizable types
- using / Using customizable types

D

--disable_dontaudit argument / Uncovering more denials
DAC
- about / Providing more security to Linux
daemon attribute / Type attributes
DBMS
- about / Providing more security to Linux
directories
- categories, placing on / Placing categories on files and directories
DLNA
- about / Disabling SELinux protections for a single service
dnsmasq process / Reading SELinux denials
DOI
- about / About NetLabel/CIPSO
dokuwiki directory / Getting context information
domain permissions
- querying / Querying domain permissions
domain transitions
- about / Transitioning towards a domain
domain_use_interactive_fds() / Using selocal
dontaudit statement / Uncovering more denials
dynamic transitions / Other supported transitions

E

enforcing=0 / Using kernel boot parameters
enforcing=1 / Using kernel boot parameters
enforcing mode / Disabling SELinux, Switching to permissive (or enforcing) temporarily, Using kernel boot parameters, Applications that "speak" SELinux, Reading SELinux denials
enforcing state / Disabling SELinux

F

files
- categories, placing on / Placing categories on files and directories

G

getenforce command / Disabling SELinux
getfacl command / SELinux versus regular DAC
getfattr application / Getting context information
getsebool application / Overview of SELinux Booleans
getseuser command / Application-based contexts
granted statement / Auditing access attempts

H

hosts
- communication, accepting from / Accepting communication from selected hosts
httpd binary / Everything gets a label
httpd_can_sendmail / Manipulating SELinux policies
httpd_t / The context fields

I

id command / Everything gets a label
init command / Disabling SELinux
initrc_domain attribute / Type attributes
initrc_t type / Type attributes
init script / Reading SELinux denials
inode number / Reading SELinux denials
interfaces
- using / Using different interfaces and nodes
intranet_packet_t type / Creating customized SECMARK types
invalid_packet_t type / Creating customized SECMARK types
IPSec
- setting up / Setting up regular IPSec

K

kernel boot parameters
- using / Using kernel boot parameters

L

labeled IPSec
- example / Example – labeled IPSec
- enabling / Enabling labeled IPSec
labeled networking
- about / Introducing labeled networking
- flows, limiting on network interface / Limiting flows based on the network interface
- communication, accepting from selected hosts / Accepting communication from selected hosts
- peer to peer flow, verifying / Verifying peer-to-peer flow
libselinux library / Applications that "speak" SELinux
Linux
- securing / Providing more security to Linux
Linux DAC
- versus SELinux / SELinux versus regular DAC
Linux NetFilter
- integrating with / Integrating with Linux netfilter
LSM
- about / Linux security modules to the rescue

M

MAC (Mandatory Access Control) / Providing more security to Linux
Makefile command / Building reference policy modules
matchpathcon utility / Using common sense
MCS
- versus MLS / MCS versus MLS
MLS
- versus MCS / MCS versus MLS
MLS status / MLS status
modules
- creating / Creating our own modules
- native modules, building / Building native modules
- reference policy modules, building / Building reference policy modules
mod_selinux
- working with / Working with mod_selinux
mount option / Getting context information

N

name_bind permission / Labeling ports
name_connect permission / Labeling ports
native modules
- building / Building native modules
NetFilter
- packet, labeling through / Packet labeling through netfilter
- labels, assigning to packets / Assigning labels to packets
- server and client communication, differentiating between / Differentiating between server and client communication
NetLabel/CIPSO
- about / About NetLabel/CIPSO
netpeer
- about / Common labeling approach
network interface
- flows, limiting on / Limiting flows based on the network interface
newrole
- role, switching with / Full role switching with newrole
nodes
- using / Using different interfaces and nodes

O

openssh package / Setting context information

P

(permissions) / Reading SELinux denials
<permissions> field / Querying domain permissions
packet
- labeling, through NetFilter / Packet labeling through netfilter
- labels, assigning to / Assigning labels to packets
PAM / Context switching during authentication
peer to peer flow
- verifying / Verifying peer-to-peer flow
Permission denied error / Reading SELinux denials
permissive mode / Disabling SELinux, Switching to permissive (or enforcing) temporarily, Using kernel boot parameters, Applications that "speak" SELinux
- switching to / Switching to permissive (or enforcing) temporarily
permissive state / Disabling SELinux
pgsql_admin role / The pgsql_admin role and user
pgsql_admin user / The pgsql_admin role and user
ping command / Enabling labeled IPSec
policy
- MCS versus MLS / MCS versus MLS
- binaries / Policy binaries
polmatch permission / Enabling labeled IPSec
privfd / Using selocal
process class / Transitioning towards a domain
process ID / Reading SELinux denials
process name / Reading SELinux denials

R

-r parameter / We all are one SELinux user
reference policy
- URL / Policies – the ultimate dictators
reference policy modules
- building / Building reference policy modules
refpolicy macros
- using / Using refpolicy macros
relabel operation / Creating customizable types
resource class / Reading SELinux denials
role
- switching, with newrole / Full role switching with newrole
role access
- managing, with sudo / Managing role access with sudo
roles
- about / SELinux users and roles
- creating / Creating roles and user domains
root rights
- configuring / Restricting root privileges
runcon user application / The runcon user application
run_init application / Switching to the system role

S

(SELinux action) / Reading SELinux denials
-s parameter / We all are one SELinux user
<source> field / Querying domain permissions
s0 / The context fields
sealert application / setroubleshoot to the rescue
sealert command / setroubleshoot to the rescue
seapplet / setroubleshoot to the rescue
SECMARK types
- creating / Creating customized SECMARK types
security namespace / Getting context information
sedispatch application / setroubleshoot to the rescue
seinfo tool / The rationale behind unconfined
SELinux
- versus Linux DAC / SELinux versus regular DAC
- enabling / Enabling SELinux – not just a switch
- disabling / Disabling SELinux
- applications, running / Applications that "speak" SELinux
- logging / SELinux logging and auditing
- auditing / SELinux logging and auditing
- log events, sending / Configuring SELinux' log destination
selinux=0 / Using kernel boot parameters
SELinux Booleans
- about / Overview of SELinux Booleans
SELinux denials
- reading / Reading SELinux denials
SELinux development mode / Switching to permissive (or enforcing) temporarily
selinuxDomainVal directive / Working with mod_selinux
SELinux policy
- about / Policies – the ultimate dictators
- store names / SELinux policy store names and options
- options / SELinux policy store names and options
- MLS status / MLS status
- unknown permissions, dealing / Dealing with unknown permissions
- unconfined domains, supporting / Supporting unconfined domains
- UBAC / User-based access control
- manipulating / Manipulating SELinux policies
- SELinux Booleans / Overview of SELinux Booleans
- Boolean values, changing / Changing Boolean values
- Boolean impact, inspecting / Inspecting the impact of Boolean
- enhancing / Enhancing SELinux policies
- troubleshooting, audit2allow used / Troubleshooting using audit2allow
- refpolicy macros, using / Using refpolicy macros
- selocal, using / Using selocal
SELinux policy modules / SELinux policy modules
- handling / Handling SELinux policy modules
SELinux protections
- disabling, for single service / Disabling SELinux protections for a single service
SELinux roles / SELinux roles
- about / SELinux roles
- user_r role / SELinux roles
- staff_r role / SELinux roles
- sysadm_r role / SELinux roles
- system_r role / SELinux roles
- unconfined_r role / SELinux roles
SELINUXTYPE parameter / Policies – the ultimate dictators
SELinux types / SELinux types
SELinux user
- about / So, who am I?, SELinux users and roles, We all are one SELinux user
- __default__ / We all are one SELinux user
- system_u / We all are one SELinux user
- additional users, creating / Creating additional users
- access, limiting on confidentiality / Limiting access based on confidentiality
SELinux users / SELinux users
SELinux userspace
- URL / Enabling SELinux – not just a switch
SELINUX variable / Disabling SELinux
SELINUX_DOMAIN variable / Working with mod_selinux
selinux_unconfined_type attribute / The rationale behind unconfined
selocal
- using / Using selocal
- about / Using selocal
semanage application / Working with context expressions
semanage command / Disabling SELinux protections for a single service, Overview of SELinux Booleans
semanage commands / Limiting flows based on the network interface
semanage fcontext command / An example application domain
semanage login tool / We all are one SELinux user
semanage tool / Limiting flows based on the network interface, Accepting communication from selected hosts
semanage translation command / Limiting access based on confidentiality
sem class / Querying domain permissions
semodule application / Uncovering more denials
semodule command / SELinux policy modules, Uncovering more denials, Handling SELinux policy modules
Sensitivity labels / Sensitivity labels
server
- and client, differentiating between / Differentiating between server and client communication
sesearch application / Inspecting the impact of Boolean
sesearch command / Querying domain permissions
sestatus command / Disabling SELinux
setenforce command / Switching to permissive (or enforcing) temporarily, Using kernel boot parameters
setexeccon() method / Other supported transitions
setfacl command / SELinux versus regular DAC
setfattr command / Setting context information
setfiles application / Setting context information
setroubleshoot daemon / setroubleshoot to the rescue
shell access / Shell access
single service
- SELinux protections, disabling for / Disabling SELinux protections for a single service
source context / Reading SELinux denials
spdadd command / Enabling labeled IPSec
sqlite3 command / Creating customizable types
staff_r role / SELinux roles
stat application / Getting context information
storage_read_tape() method / Using refpolicy macros
strict policy / Policies across distributions
sudo
- role access, managing with / Managing role access with sudo
sysadm_r role / SELinux roles
systemd unit / Reading SELinux denials
system role
- switching to / Switching to the system role
system_r / The context fields
system_r role / SELinux roles
system_u / The context fields, We all are one SELinux user

T

target context / Reading SELinux denials
target device / Reading SELinux denials
target name / Reading SELinux denials
TCP port
- labeling / Labeling ports
tcp_socket class / TCP and UDP support, Labeling ports
TCSEC (Trusted Computer System Evaluation Criteria) / Providing more security to Linux
transition privilege / Transitioning towards a domain
type attributes / Type attributes
type identifier / Inheriting the context