Index
A
- accesses
- auditing / Auditing access attempts
- allow statement / Auditing access attempts
- application-based contexts / Application-based contexts
- application domain
- creating / Creating new application domains
- example / An example application domain
- interfaces, creating / Creating interfaces
- applications
- running, in SELinux / Applications that "speak" SELinux
- audispd application / setroubleshoot to the rescue
- audit2allow
- used, for troubleshooting / Troubleshooting using audit2allow
- audit2allow application / Troubleshooting using audit2allow
- audit2why
- using / Using audit2why
- audit2why utility / Using audit2why
- auditallow statement / Auditing access attempts
- ausearch command / Reading SELinux denials
- authentication
- context switching, using / Context switching during authentication
- AVC
- about / SELinux logging and auditing
- AVC value / SELinux logging and auditing
B
- -b option / Inspecting the impact of Boolean
- Boolean impact
- inspecting / Inspecting the impact of Boolean
- boolean option / Overview of SELinux Booleans
- boolean value / Changing Boolean values
- Boolean values
- changing / Changing Boolean values
- bounded domain / Working with mod_selinux
C
- <class> field / Querying domain permissions
- categories
- placing, on files / Placing categories on files and directories
- placing, on directories / Placing categories on files and directories
- chcat tool / Limiting access based on confidentiality, Placing categories on files and directories
- chcat utility / Limiting access based on confidentiality
- chcon / Creating customizable types
- chcon tool / Setting context information
- client
- and server, differentiating between / Differentiating between server and client communication
- common sense
- using / Using common sense
- communication
- accepting, from selected hosts / Accepting communication from selected hosts
- confidentiality
- access, limiting on / Limiting access based on confidentiality
- constraints
- about / Understanding constraints
- context
- inheriting / Inheriting the context
- context expressions
- working with / Working with context expressions
- context fields
- SELinux types / SELinux types
- SELinux roles / SELinux roles
- SELinux users / SELinux users
- Sensitivity labels / Sensitivity labels
- context information
- obtaining / Getting context information
- setting / Setting context information
- context switching
- used, during authentication / Context switching during authentication
- ctx option / Enabling labeled IPSec
- customizable type
- creating / Creating customizable types
- customizable types
- using / Using customizable types
D
- --disable_dontaudit argument / Uncovering more denials
- DAC
- about / Providing more security to Linux
- daemon attribute / Type attributes
- DBMS
- about / Providing more security to Linux
- directories
- categories, placing on / Placing categories on files and directories
- DLNA
- about / Disabling SELinux protections for a single service
- dnsmasq process / Reading SELinux denials
- DOI
- about / About NetLabel/CIPSO
- dokuwiki directory / Getting context information
- domain permissions
- querying / Querying domain permissions
- domain transitions
- about / Transitioning towards a domain
- domain_use_interactive_fds() / Using selocal
- dontaudit statement / Uncovering more denials
- dynamic transitions / Other supported transitions
E
- enforcing=0 / Using kernel boot parameters
- enforcing=1 / Using kernel boot parameters
- enforcing mode / Disabling SELinux, Switching to permissive (or enforcing) temporarily, Using kernel boot parameters, Applications that "speak" SELinux, Reading SELinux denials
- enforcing state / Disabling SELinux
F
- files
- categories, placing on / Placing categories on files and directories
G
- getenforce command / Disabling SELinux
- getfacl command / SELinux versus regular DAC
- getfattr application / Getting context information
- getsebool application / Overview of SELinux Booleans
- getseuser command / Application-based contexts
- granted statement / Auditing access attempts
H
- hosts
- communication, accepting from / Accepting communication from selected hosts
- httpd binary / Everything gets a label
- httpd_can_sendmail / Manipulating SELinux policies
- httpd_t / The context fields
I
- id command / Everything gets a label
- init command / Disabling SELinux
- initrc_domain attribute / Type attributes
- initrc_t type / Type attributes
- init script / Reading SELinux denials
- inode number / Reading SELinux denials
- interfaces
- using / Using different interfaces and nodes
- intranet_packet_t type / Creating customized SECMARK types
- invalid_packet_t type / Creating customized SECMARK types
- IPSec
- setting up / Setting up regular IPSec
K
- kernel boot parameters
- using / Using kernel boot parameters
L
- labeled IPSec
- example / Example – labeled IPSec
- enabling / Enabling labeled IPSec
- labeled networking
- about / Introducing labeled networking
- flows, limiting on network interface / Limiting flows based on the network interface
- communication, accepting from selected hosts / Accepting communication from selected hosts
- peer-to-peer flow, verifying / Verifying peer-to-peer flow
- libselinux library / Applications that "speak" SELinux
- Linux
- securing / Providing more security to Linux
- Linux DAC
- versus SELinux / SELinux versus regular DAC
- Linux NetFilter
- integrating with / Integrating with Linux netfilter
- LSM
- about / Linux security modules to the rescue
M
- MAC (Mandatory Access Control) / Providing more security to Linux
- Makefile command / Building reference policy modules
- matchpathcon utility / Using common sense
- MCS
- versus MLS / MCS versus MLS
- MLS
- versus MCS / MCS versus MLS
- MLS status / MLS status
- modules
- creating / Creating our own modules
- native modules, building / Building native modules
- reference policy modules, building / Building reference policy modules
- mod_selinux
- working with / Working with mod_selinux
- mount option / Getting context information
N
- name_bind permission / Labeling ports
- name_connect permission / Labeling ports
- native modules
- building / Building native modules
- NetFilter
- packet, labeling through / Packet labeling through netfilter
- labels, assigning to packets / Assigning labels to packets
- server and client communication, differentiating between / Differentiating between server and client communication
- NetLabel/CIPSO
- about / About NetLabel/CIPSO
- netpeer
- about / Common labeling approach
- network interface
- flows, limiting on / Limiting flows based on the network interface
- newrole
- role, switching with / Full role switching with newrole
- nodes
- using / Using different interfaces and nodes
O
- openssh package / Setting context information
P
- (permissions) / Reading SELinux denials
- <permissions> field / Querying domain permissions
- packet
- labeling, through NetFilter / Packet labeling through netfilter
- labels, assigning to / Assigning labels to packets
- PAM / Context switching during authentication
- peer-to-peer flow
- verifying / Verifying peer-to-peer flow
- Permission denied error / Reading SELinux denials
- permissive mode / Disabling SELinux, Switching to permissive (or enforcing) temporarily, Using kernel boot parameters, Applications that "speak" SELinux
- switching to / Switching to permissive (or enforcing) temporarily
- permissive state / Disabling SELinux
- pgsql_admin role / The pgsql_admin role and user
- pgsql_admin user / The pgsql_admin role and user
- ping command / Enabling labeled IPSec
- policy
- MCS versus MLS / MCS versus MLS
- binaries / Policy binaries
- polmatch permission / Enabling labeled IPSec
- privfd / Using selocal
- process class / Transitioning towards a domain
- process ID / Reading SELinux denials
- process name / Reading SELinux denials
R
- -r parameter / We all are one SELinux user
- reference policy
- URL / Policies – the ultimate dictators
- reference policy modules
- building / Building reference policy modules
- refpolicy macros
- using / Using refpolicy macros
- relabel operation / Creating customizable types
- resource class / Reading SELinux denials
- role
- switching, with newrole / Full role switching with newrole
- role access
- managing, with sudo / Managing role access with sudo
- roles
- about / SELinux users and roles
- creating / Creating roles and user domains
- root rights
- configuring / Restricting root privileges
- runcon user application / The runcon user application
- run_init application / Switching to the system role
S
- (SELinux action) / Reading SELinux denials
- -s parameter / We all are one SELinux user
- <source> field / Querying domain permissions
- s0 / The context fields
- sealert application / setroubleshoot to the rescue
- sealert command / setroubleshoot to the rescue
- seapplet / setroubleshoot to the rescue
- SECMARK types
- creating / Creating customized SECMARK types
- security namespace / Getting context information
- sedispatch application / setroubleshoot to the rescue
- seinfo tool / The rationale behind unconfined
- SELinux
- versus Linux DAC / SELinux versus regular DAC
- enabling / Enabling SELinux – not just a switch
- disabling / Disabling SELinux
- applications, running / Applications that "speak" SELinux
- logging / SELinux logging and auditing
- auditing / SELinux logging and auditing
- log events, sending / Configuring SELinux' log destination
- selinux=0 / Using kernel boot parameters
- SELinux Booleans
- about / Overview of SELinux Booleans
- SELinux denials
- reading / Reading SELinux denials
- SELinux development mode / Switching to permissive (or enforcing) temporarily
- selinuxDomainVal directive / Working with mod_selinux
- SELinux policy
- about / Policies – the ultimate dictators
- store names / SELinux policy store names and options
- options / SELinux policy store names and options
- MLS status / MLS status
- unknown permissions, dealing with / Dealing with unknown permissions
- unconfined domains, supporting / Supporting unconfined domains
- UBAC / User-based access control
- manipulating / Manipulating SELinux policies
- SELinux Booleans / Overview of SELinux Booleans
- Boolean values, changing / Changing Boolean values
- Boolean impact, inspecting / Inspecting the impact of Boolean
- enhancing / Enhancing SELinux policies
- troubleshooting, audit2allow used / Troubleshooting using audit2allow
- refpolicy macros, using / Using refpolicy macros
- selocal, using / Using selocal
- SELinux policy modules / SELinux policy modules
- handling / Handling SELinux policy modules
- SELinux protections
- disabling, for single service / Disabling SELinux protections for a single service
- SELinux roles / SELinux roles
- about / SELinux roles
- user_r role / SELinux roles
- staff_r role / SELinux roles
- sysadm_r role / SELinux roles
- system_r role / SELinux roles
- unconfined_r role / SELinux roles
- SELINUXTYPE parameter / Policies – the ultimate dictators
- SELinux types / SELinux types
- SELinux user
- about / So, who am I?, SELinux users and roles, We all are one SELinux user
- __default__ / We all are one SELinux user
- system_u / We all are one SELinux user
- additional users, creating / Creating additional users
- access, limiting on confidentiality / Limiting access based on confidentiality
- SELinux users / SELinux users
- SELinux userspace
- URL / Enabling SELinux – not just a switch
- SELINUX variable / Disabling SELinux
- SELINUX_DOMAIN variable / Working with mod_selinux
- selinux_unconfined_type attribute / The rationale behind unconfined
- selocal
- using / Using selocal
- about / Using selocal
- semanage application / Working with context expressions
- semanage command / Disabling SELinux protections for a single service, Overview of SELinux Booleans
- semanage commands / Limiting flows based on the network interface
- semanage fcontext command / An example application domain
- semanage login tool / We all are one SELinux user
- semanage tool / Limiting flows based on the network interface, Accepting communication from selected hosts
- semanage translation command / Limiting access based on confidentiality
- sem class / Querying domain permissions
- semodule application / Uncovering more denials
- semodule command / SELinux policy modules, Uncovering more denials, Handling SELinux policy modules
- Sensitivity labels / Sensitivity labels
- server
- and client, differentiating between / Differentiating between server and client communication
- sesearch application / Inspecting the impact of Boolean
- sesearch command / Querying domain permissions
- sestatus command / Disabling SELinux
- setenforce command / Switching to permissive (or enforcing) temporarily, Using kernel boot parameters
- setexeccon() method / Other supported transitions
- setfacl command / SELinux versus regular DAC
- setfattr command / Setting context information
- setfiles application / Setting context information
- setroubleshoot daemon / setroubleshoot to the rescue
- shell access / Shell access
- single service
- SELinux protections, disabling for / Disabling SELinux protections for a single service
- source context / Reading SELinux denials
- spdadd command / Enabling labeled IPSec
- sqlite3 command / Creating customizable types
- staff_r role / SELinux roles
- stat application / Getting context information
- storage_read_tape() method / Using refpolicy macros
- strict policy / Policies across distributions
- sudo
- role access, managing with / Managing role access with sudo
- sysadm_r role / SELinux roles
- systemd unit / Reading SELinux denials
- system role
- switching to / Switching to the system role
- system_r / The context fields
- system_r role / SELinux roles
- system_u / The context fields, We all are one SELinux user
T
- target context / Reading SELinux denials
- target device / Reading SELinux denials
- target name / Reading SELinux denials
- TCP port
- labeling / Labeling ports
- tcp_socket class / TCP and UDP support, Labeling ports
- TCSEC (Trusted Computer System Evaluation Criteria) / Providing more security to Linux
- transition privilege / Transitioning towards a domain
- type attributes / Type attributes
- type identifier / Inheriting the context
U
- UBAC / User-based access control
- UDP port
- labeling / Labeling ports
- udp_socket class / TCP and UDP support
- umount / Auditing access attempts
- unconfined domains
- supporting / Supporting unconfined domains
- unconfined_r role / SELinux roles
- unknown permissions
- dealing with / Dealing with unknown permissions
- USE flag / User-based access control
- user domains
- creating / Creating roles and user domains
- user rights
- creating / Creating the user rights
- users
- creating / Creating additional users
- user_r role / SELinux roles
Z
- -Z switch / Everything gets a label
- zosremote_domtrans interface / Creating interfaces
- zosremote_run interface / Creating interfaces