SELinux

Description

This small but information-packed book covers the wide range of knowledge needed to secure your system using this respected extension to Linux. SELinux discusses critical topics, such as SELinux concepts and its security model; installation instructions; system and user administration; understanding, implementing, and developing your own SELinux security policies. With SELinux, a high-security computer is within reach of any system administrator, and this book provides the means.

Full Description

The intensive search for a more secure operating system has often left everyday, production computers far behind their experimental, research cousins. Now SELinux (Security Enhanced Linux) dramatically changes this. This best-known and most respected security-related extension to Linux embodies the key advances of the security field. Better yet, SELinux is available in widespread and popular distributions of the Linux operating system--including for Debian, Fedora, Gentoo, Red Hat Enterprise Linux, and SUSE--all of it free and open source. SELinux emerged from research by the National Security Agency and implements classic strong-security measures such as role-based access controls, mandatory access controls, and fine-grained transitions and privilege escalation following the principle of least privilege. It compensates for the inevitable buffer overflows and other weaknesses in applications by isolating them and preventing flaws in one application from spreading to others. The scenarios that cause the most cyber-damage these days--when someone gets a toe-hold on a computer through a vulnerability in a local networked application, such as a Web server, and parlays that toe-hold into pervasive control over the computer system--are prevented on a properly administered SELinux system. The key, of course, lies in the words "properly administered." A system administrator for SELinux needs a wide range of knowledge, such as the principles behind the system, how to assign different privileges to different groups of users, how to change policies to accommodate new software, and how to log and track what is going on. And this is where SELinux is invaluable. Author Bill McCarty, a security consultant who has briefed numerous government agencies, incorporates his intensive research into SELinux into this small but information-packed book. Topics include:

A readable and concrete explanation of SELinux concepts and the SELinux security model
Installation instructions for numerous distributions
Basic system and user administration
A detailed dissection of the SELinux policy language
Examples and guidelines for altering and adding policies

With SELinux, a high-security computer is within reach of any system administrator. If you want an effective means of securing your Linux system--and who doesn't?--this book provides the means.

Table of Contents

Chapter 1 Introducing SELinux
1. Software Threats and the Internet
2. SELinux Features
3. Applications of SELinux
4. SELinux History
5. Web and FTP Sites
Chapter 2 Overview of the SELinux Security Model
1. Subjects and Objects
2. Security Contexts
3. Transient and Persistent Objects
4. Access Decisions
5. Transition Decisions
6. SELinux Architecture
Chapter 3 Installing and Initially Configuring SELinux
1. SELinux Versions
2. Installing SELinux
3. Linux Distributions Supporting SELinux
4. Installation Overview
5. Installing SELinux from Binary or Source Packages
6. Installing from Source
Chapter 4 Using and Administering SELinux
1. System Modes and SELinux Tuning
2. Controlling SELinux
3. Routine SELinux System Use and Administration
4. Monitoring SELinux
5. Troubleshooting SELinux
Chapter 5 SELinux Policy and Policy Language Overview
1. The SELinux Policy
2. Two Forms of an SELinux Policy
3. Anatomy of a Simple SELinux Policy Domain
4. SELinux Policy Structure
Chapter 6 Role-Based Access Control
1. The SELinux Role-Based Access Control Model
2. Railroad Diagrams
3. SELinux Policy Syntax
4. User Declarations
5. Role-Based Access Control Declarations
Chapter 7 Type Enforcement
1. The SELinux Type-Enforcement Model
2. Review of SELinux Policy Syntax
3. Type-Enforcement Declarations
4. Examining a Sample Policy
Chapter 8 Ancillary Policy Statements
1. Constraint Declarations
2. Other Context-Related Declarations
3. Flask-Related Declarations
Chapter 9 Customizing SELinux Policies
1. The SELinux Policy Source Tree
2. On the Topics of Difficulty and Discretion
3. Using the SELinux Makefile
4. Creating an SELinux User
5. Customizing Roles
6. Adding Permissions
7. Allowing a User Access to an Existing Domain
8. Creating a New Domain
9. Using Audit2allow
10. Policy Management Tools
11. The Road Ahead

Appendix A Security Object Classes
Appendix B SELinux Operations
Appendix C SELinux Macros Defined in src/policy/macros
Appendix D SELinux General Types
Appendix E SELinux Type Attributes
Colophon

Product Details

Title:

SELinux

By:

Bill McCarty

Publisher:

O'Reilly Media

Formats:

Print
Safari Books Online

Print Release:

October 2004

Pages:

256

Print ISBN:

978-0-596-00716-4

| ISBN 10:

0-596-00716-7

Customer Reviews

About the Author

Bill McCarty

Bill McCarty is a Professor of Information Technology at Azusa Pacific University, Azusa, California. Bill is also the author of over fifteen technical books and numerous papers and presentations. He serves as editor of the Honeynet Files department of the journal IEEE Security and Privacy, and directs the Azusa Pacific University Honeynet Research Project, which is affiliated with the Honeynet Project's Honeynet Research Alliance. Bill has briefed members of US organizations such as the CIA, DISA, FBI, NASA, and NSA, and non-US organizations such as the UK's CESG and GHQ, on his honeynet research. He has worked with the FBI to prevent and detect computer crimes.

View Bill McCarty's full profile page.

Colophon

Our look is the result of reader comments, our own experimentation, and feedback from distribution channels. Distinctive covers complement our distinctive approach to technical topics, breathing personality and life into potentially dry subjects. The image on the cover of SELinux: NSA's Open Source Security Enhanced Linux depicts surveying soldiers. During the second half of the nineteenth century, following the Civil War, the U.S. military dispatched troops to the American West to subdue hostilities between Native Americans and settlers. These intrepid soldiers braved a chaotic environment; they were frequently confronted with shoot-outs, ambushes, and snipers in their struggle to bring order to the American frontier. Among these troops were the Buffalo soldiers, the first peacetime regiments of African-American cavalry in the military. Despite being stationed in extremely dangerous terrain with inferior supplies, the Buffalo soldiers became one of the most distinguished military units in the Old West. To future generations of soldiers, they were models of courage and dedication in the face of adversity. Sanders Kleinfeld was the production editor and copyeditor for SELinux: NSA's Open Source Security Enhanced Linux. Jamie Peppard was the proofreader. Mary Anne Weeks Mayo and Claire Cloutier provided quality control. Caitrin McCullough provided production assistance. Judy Hoer wrote the index.

Emma Colby designed the cover of this book, based on a series design by Hanna Dyer and Edie Freedman. The cover image is a 19th-century engraving from the Dover Pictorial Archive. Clay Fernald produced the cover layout with QuarkXPress 4.1 using Adobe's ITC Garamond font.

Melanie Wang designed the interior layout, based on a series design by David Futato. The chapter opening images are from the Dover Pictorial Archive, Marvels of the New West: A Vivid Portrayal of the Stupendous Marvels in the Vast Wonderland West of the Missouri River, by William Thayer (The Henry Bill Publishing Co., 1888); and The Pioneer History of America: A Popular Account of the Heroes and Adventures, by Augustus Lynch Mason, A.M. (The Jones Brothers Publishing Company, 1884). This book was converted by Julie Hawks to FrameMaker 5.5.6 with a format conversion tool created by Erik Ray, Jason McIntosh, Neil Walls, and Mike Sierra that uses Perl and XML technologies. The text font is Linotype Birka; the heading font is Adobe Myriad Condensed; and the code font is LucasFont's TheSans Mono Condensed. The illustrations that appear in the book were produced by Robert Romano and Jessamyn Read using Macromedia FreeHand 9 and Adobe Photoshop 6. The tip and warning icons were drawn by Christopher Bing. This colophon was written by Sanders Kleinfeld.

O'Reilly Books & Videos

NSA's Open Source Security Enhanced Linux

Chapter 1 Introducing SELinux

Software Threats and the Internet

SELinux Features

Applications of SELinux

SELinux History

Web and FTP Sites

Chapter 2 Overview of the SELinux Security Model

Subjects and Objects

Security Contexts

Transient and Persistent Objects

Access Decisions

Transition Decisions

SELinux Architecture

Chapter 3 Installing and Initially Configuring SELinux

SELinux Versions

Installing SELinux

Linux Distributions Supporting SELinux

Installation Overview

Installing SELinux from Binary or Source Packages

Installing from Source

Chapter 4 Using and Administering SELinux

System Modes and SELinux Tuning

Controlling SELinux

Routine SELinux System Use and Administration

Monitoring SELinux

Troubleshooting SELinux

Chapter 5 SELinux Policy and Policy Language Overview

The SELinux Policy

Two Forms of an SELinux Policy

Anatomy of a Simple SELinux Policy Domain

SELinux Policy Structure

Chapter 6 Role-Based Access Control

The SELinux Role-Based Access Control Model

Railroad Diagrams

SELinux Policy Syntax

User Declarations

Role-Based Access Control Declarations

Chapter 7 Type Enforcement

The SELinux Type-Enforcement Model

Review of SELinux Policy Syntax

Type-Enforcement Declarations

Examining a Sample Policy

Chapter 8 Ancillary Policy Statements

Constraint Declarations

Other Context-Related Declarations

Flask-Related Declarations

Chapter 9 Customizing SELinux Policies

The SELinux Policy Source Tree

On the Topics of Difficulty and Discretion

Using the SELinux Makefile

Creating an SELinux User

Customizing Roles

Adding Permissions

Allowing a User Access to an Existing Domain

Creating a New Domain

Using Audit2allow

Policy Management Tools

The Road Ahead

Appendix A Security Object Classes

Appendix B SELinux Operations

Appendix C SELinux Macros Defined in src/policy/macros

Appendix D SELinux General Types

Appendix E SELinux Type Attributes

Colophon

Bill McCarty