SELinux System Administration - Third Edition

Book description

Enhance Linux security, application platforms, and virtualization solutions with SELinux 3 to work within your boundaries, your rules, and your policies

Key Features

  • Learn what SELinux is, and how it acts as a mandatory access control system on Linux
  • Apply and tune SELinux enforcement to users, applications, platforms, and virtualization solutions
  • Use real-life examples and custom policies to strengthen the security posture of your systems

Book Description

Linux is a dominant player in many organizations and in the cloud. Securing the Linux environment is extremely important for any organization, and Security-Enhanced Linux (SELinux) acts as an additional layer to Linux system security.

SELinux System Administration covers basic SELinux concepts and shows you how to enhance Linux system protection measures. You will get to grips with SELinux and understand how it is integrated. As you progress, you'll get hands-on experience of tuning and configuring SELinux and integrating it into day-to-day administration tasks such as user management, network management, and application maintenance. Platforms such as Kubernetes, system services like systemd, and virtualization solutions like libvirt and Xen, all of which offer SELinux-specific controls, are explained so that you understand how to apply and configure SELinux within these applications. If applications do not exhibit the expected behavior, you'll learn how to fine-tune policies to securely host these applications. In case no policies exist, the book will guide you through developing custom policies on your own.

By the end of this Linux book, you'll be able to harden any Linux system using SELinux to suit your needs, fine-tune existing policies, and develop custom ones to protect any app and service running on your Linux systems.

What you will learn

  • Understand what SELinux is and how it is integrated into Linux
  • Tune Linux security using policies and their configurable settings
  • Manage Linux users with least-privilege roles and access controls
  • Use SELinux controls in system services and virtualization solutions
  • Analyze SELinux behavior through log events and policy analysis tools
  • Protect systems against unexpected and malicious behavior
  • Enhance existing policies or develop custom ones

Who this book is for

This Linux sysadmin book is for Linux administrators who want to control the secure state of their systems using SELinux, and for security professionals who have experience in maintaining a Linux system and want to know about SELinux. Experience in maintaining Linux systems, covering user management, software installation and maintenance, Linux security controls, and network configuration is required to get the most out of this book.

Table of contents

  1. SELinux System Administration Third Edition
  2. Why subscribe?
  3. Contributors
  4. About the author
  5. About the reviewers
  6. Packt is searching for authors like you
  7. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the example code files
    5. Code in Action
    6. Download the color images
    7. Conventions used
    8. Get in touch
    9. Reviews
  8. Section 1: Using SELinux
  9. Chapter 1: Fundamental SELinux Concepts
    1. Technical requirements
    2. Providing more security for Linux
      1. Introducing Linux Security Modules (LSM)
      2. Extending regular DAC with SELinux
      3. Restricting root privileges
      4. Reducing the impact of vulnerabilities
      5. Enabling SELinux support
    3. Labeling all resources and objects
      1. Dissecting the SELinux context
      2. Enforcing access through types
      3. Granting domain access through roles
      4. Limiting roles through users
      5. Controlling information flow through sensitivities
    4. Defining and distributing policies
      1. Writing SELinux policies
      2. Distributing policies through modules
      3. Bundling modules in a policy store
    5. Distinguishing between policies
      1. Supporting MLS
      2. Dealing with unknown permissions
      3. Supporting unconfined domains
      4. Limiting cross-user sharing
      5. Incrementing policy versions
      6. Different policy content
    6. Summary
    7. Questions
  10. Chapter 2: Understanding SELinux Decisions and Logging
    1. Technical requirements
    2. Switching SELinux on and off
      1. Setting the global SELinux state
      2. Switching to permissive or enforcing mode
      3. Using kernel boot parameters
      4. Disabling SELinux protections for a single service
      5. Understanding SELinux-aware applications
    3. SELinux logging and auditing
      1. Following audit events
      2. Tuning the AVC
      3. Uncovering more logging
      4. Configuring Linux auditing
      5. Configuring the local system logger
      6. Reading SELinux denials
      7. Other SELinux-related event types
      8. Using ausearch
    4. Getting help with denials
      1. Troubleshooting with setroubleshoot
      2. Sending emails when SELinux denials occur
      3. Using audit2why
      4. Interacting with systemd-journal
      5. Using common sense
    5. Summary
    6. Questions
  11. Chapter 3: Managing User Logins
    1. Technical requirements
    2. User-oriented SELinux contexts
    3. SELinux users and roles
      1. Listing SELinux user mappings
      2. Mapping logins to SELinux users
      3. Customizing logins for services
      4. Creating SELinux users
      5. Listing accessible domains
      6. Managing categories
    4. Handling SELinux roles
      1. Defining allowed SELinux contexts
      2. Validating contexts with getseuser
      3. Switching roles with newrole
      4. Managing role access through sudo
      5. Reaching other domains using runcon
      6. Switching to the system role
    5. SELinux and PAM
      1. Assigning contexts through PAM
      2. Prohibiting access during permissive mode
      3. Polyinstantiating directories
    6. Summary
    7. Questions
  12. Chapter 4: Using File Contexts and Process Domains
    1. Technical requirements
    2. Introduction to SELinux file contexts
      1. Getting context information
      2. Interpreting SELinux context types
    3. Keeping or ignoring contexts
      1. Inheriting the default contexts
      2. Querying transition rules
      3. Copying and moving files
      4. Temporarily changing file contexts
      5. Placing categories on files and directories
      6. Using multilevel security on files
      7. Backing up and restoring extended attributes
      8. Using mount options to set SELinux contexts
    4. SELinux file context expressions
      1. Using context expressions
      2. Registering file context changes
      3. Optimizing recursive context operations
      4. Using customizable types
      5. Compiling the different file_contexts files
      6. Exchanging local modifications
    5. Modifying file contexts
      1. Using setfiles, rlpkg, and fixfiles
      2. Relabeling the entire filesystem
      3. Automatically setting context with restorecond
      4. Setting SELinux context at boot with tmpfiles
    6. The context of a process
      1. Getting a process context
      2. Transitioning toward a domain
      3. Verifying a target context
      4. Other supported transitions
      5. Querying initial contexts
      6. Tweaking memory protections
    7. Limiting the scope of transitions
      1. Sanitizing environments on transition
      2. Disabling unconstrained transitions
      3. Using Linux's NO_NEW_PRIVS
    8. Types, permissions, and constraints
      1. Understanding type attributes
      2. Querying domain permissions
      3. Learning about constraints
    9. Summary
    10. Questions
  13. Chapter 5: Controlling Network Communications
    1. Technical requirements
    2. Controlling process communications
      1. Using shared memory
      2. Communicating locally through pipes
      3. Conversing over UNIX domain sockets
      4. Understanding netlink sockets
      5. Dealing with TCP, UDP, and SCTP sockets
      6. Listing connection contexts
    3. Linux firewalling and SECMARK support
      1. Introducing netfilter
      2. Implementing security markings
      3. Assigning labels to packets
      4. Transitioning to nftables
      5. Assessing eBPF
    4. Securing high-speed InfiniBand networks
      1. Directly accessing memory
      2. Protecting InfiniBand networks
      3. Managing the InfiniBand subnet
      4. Controlling access to InfiniBand partitions
    5. Understanding labeled networking
      1. Fallback labeling with NetLabel
      2. Limiting flows based on the network interface
      3. Accepting peer communication from selected hosts
      4. Verifying peer-to-peer flow
      5. Using old-style controls
    6. Using labeled IPsec with SELinux
      1. Setting up regular IPsec
      2. Enabling labeled IPsec
    7. Supporting CIPSO with NetLabel and SELinux
      1. Configuring CIPSO mappings
      2. Adding domain-specific mappings
      3. Using local CIPSO definitions
      4. Supporting IPv6 CALIPSO
    8. Summary
    9. Questions
  14. Chapter 6: Configuring SELinux through Infrastructure-as-Code Orchestration
    1. Technical requirements
    2. Introducing the target settings and policies
      1. The idempotency of actions
      2. Policy and state management
      3. SELinux configuration settings
      4. Setting file contexts
      5. Recovering from mistakes
      6. Comparing frameworks
    3. Using Ansible for SELinux system administration
      1. How Ansible works
      2. Installing and configuring Ansible
      3. Creating and testing the Ansible role
      4. Assigning SELinux contexts to filesystem resources with Ansible
      5. Loading custom SELinux policies with Ansible
      6. Using Ansible's out-of-the-box SELinux support
    4. Utilizing SaltStack to configure SELinux
      1. How SaltStack works
      2. Installing and configuring SaltStack
      3. Creating and testing our SELinux state with SaltStack
      4. Assigning SELinux contexts to filesystem resources with SaltStack
      5. Loading custom SELinux policies with SaltStack
      6. Using SaltStack's out-of-the-box SELinux support
    5. Automating system management with Puppet
      1. How Puppet works
      2. Installing and configuring Puppet
      3. Creating and testing the SELinux class with Puppet
      4. Assigning SELinux contexts to filesystem resources with Puppet
      5. Loading custom SELinux policies with Puppet
      6. Using Puppet's out-of-the-box SELinux support
    6. Wielding Chef for system automation
      1. How Chef works
      2. Installing and configuring Chef
      3. Creating the SELinux cookbook
      4. Assigning SELinux contexts to filesystem resources with Chef
      5. Loading custom SELinux policies with Chef
      6. Using Chef's out-of-the-box SELinux support
    7. Summary
    8. Questions
  15. Section 2: SELinux-Aware Platforms
  16. Chapter 7: Configuring Application-Specific SELinux Controls
    1. Technical requirements
    2. Tuning systemd services, logging, and device management
      1. Service support in systemd
      2. Logging with systemd
      3. Handling device files
    3. Communicating over D-Bus
      1. Understanding D-Bus
      2. Controlling service acquisition with SELinux
      3. Governing message flows
    4. Configuring PAM services
      1. Cockpit
      2. Cron
      3. OpenSSH
    5. Using mod_selinux with Apache
      1. Introducing mod_selinux
      2. Configuring the general Apache SELinux sensitivity
      3. Mapping end users to specific domains
      4. Changing domains based on source
    6. Summary
    7. Questions
  17. Chapter 8: SEPostgreSQL – Extending PostgreSQL with SELinux
    1. Technical requirements
    2. Introducing PostgreSQL and sepgsql
      1. Reconfiguring PostgreSQL with sepgsql
      2. Creating a test account
      3. Tuning sepgsql inside PostgreSQL
      4. Troubleshooting sepgsql
    3. Understanding SELinux's database-specific object classes and permissions
      1. Understanding sepgsql permissions
      2. Using the default supported types
      3. Creating trusted procedures
      4. Using sepgsql-specific functions
    4. Using MCS and MLS
      1. Limiting access to columns based on categories
      2. Constraining the user domain for sensitivity range manipulation
    5. Integrating SEPostgreSQL into the network
      1. Creating a fallback label for remote sessions
      2. Tuning the SELinux policy
    6. Summary
    7. Questions
  18. Chapter 9: Secure Virtualization
    1. Technical requirements
    2. Understanding SELinux-secured virtualization
      1. Introducing virtualization
      2. Reviewing the risks of virtualization
      3. Reusing existing virtualization domains
      4. Fine-tuning virtualization-supporting SELinux policy
      5. Understanding sVirt's use of MCS
    3. Enhancing libvirt with SELinux support
      1. Differentiating between shared and dedicated resources
      2. Assessing the libvirt architecture
      3. Configuring libvirt for sVirt
      4. Changing a guest's SELinux labels
      5. Customizing resource labels
      6. Controlling available categories
      7. Changing the storage pool locations
    4. Using Vagrant with libvirt
      1. Deploying Vagrant and the libvirt plugin
      2. Installing a libvirt-compatible box
      3. Configuring Vagrant boxes
    5. Summary
    6. Questions
  19. Chapter 10: Using Xen Security Modules with FLASK
    1. Technical requirements
    2. Understanding Xen and XSM
      1. Introducing the Xen hypervisor
      2. Installing Xen
      3. Creating an unprivileged guest
      4. Understanding Xen Security Modules
    3. Running XSM-enabled Xen
      1. Rebuilding Xen with XSM support
      2. Using XSM labels
      3. Manipulating XSM
    4. Applying custom XSM policies
    5. Summary
    6. Questions
  20. Chapter 11: Enhancing the Security of Containerized Workloads
    1. Technical requirements
    2. Using SELinux with systemd's container support
      1. Initializing a systemd container
      2. Using a specific SELinux context
      3. Facilitating container management with machinectl
    3. Configuring podman
      1. Selecting podman over Docker
      2. Using containers with SELinux
      3. Changing a container's SELinux domain
      4. Creating custom domains with udica
      5. Toggling container_t privileges with SELinux booleans
      6. Tuning the container hosting environment
    4. Leveraging Kubernetes' SELinux support
      1. Configuring Kubernetes with SELinux support
      2. Setting SELinux contexts for pods
    5. Summary
    6. Questions
  21. Section 3: Policy Management
  22. Chapter 12: Tuning SELinux Policies
    1. Technical requirements
    2. Working with SELinux booleans
      1. Listing SELinux booleans
      2. Changing boolean values
      3. Inspecting the impact of a boolean
    3. Handling policy modules
      1. Listing policy modules
      2. Loading and removing policy modules
    4. Replacing and updating existing policies
      1. Creating policies using audit2allow
      2. Using sensible module names
      3. Generating reference policy style modules with audit2allow
      4. Building reference policy-style modules
      5. Building legacy-style modules
      6. Replacing the default distribution policy
    5. Summary
    6. Questions
  23. Chapter 13: Analyzing Policy Behavior
    1. Technical requirements
    2. Performing single-step analysis
      1. Using different SELinux policy files
      2. Displaying policy object information
      3. Understanding sesearch
      4. Querying allow rules
      5. Querying type transition rules
      6. Querying other type rules
      7. Querying role-related rules
      8. Browsing with apol
      9. Using apol workspaces
    3. Investigating domain transitions
      1. Using apol for domain transition analysis
      2. Using sedta for domain transition analysis
      3. Using sepolicy for domain transition analysis
    4. Analyzing information flow
      1. Using apol for information flow analysis
      2. Using seinfoflow for information flow analysis
      3. Using sepolicy communicate for simple information flow analysis
    5. Comparing policies
      1. Using sediff to compare policies
    6. Summary
    7. Questions
  24. Chapter 14: Dealing with New Applications
    1. Technical requirements
    2. Running applications without restrictions
      1. Understanding how unconfined domains work
      2. Making new applications run as an unconfined domain
      3. Extending unconfined domains
      4. Marking domains as permissive
    3. Using sandboxed applications
      1. Understanding the SELinux sandbox
      2. Using the sandbox command
    4. Assigning common policies to new applications
      1. Understanding domain complexity
      2. Running applications in a specific policy
    5. Extending generated policies
      1. Understanding the limitations of generated policies
      2. Introducing sepolicy generate
      3. Generating policies with sepolicy generate
    6. Summary
    7. Questions
  25. Chapter 15: Using the Reference Policy
    1. Technical requirements
    2. Introducing the reference policy
      1. Navigating the policy
      2. Structuring policy modules
    3. Using and understanding the policy macros
      1. Making use of single-class permission groups
      2. Calling permission groups
    4. Creating application-level policies
      1. Constructing network-facing service policies
      2. Addressing user applications
    5. Adding user-level policies
    6. Getting help with supporting tools
      1. Verifying code with selint
      2. Querying the interfaces and macros locally
    7. Summary
    8. Questions
  26. Chapter 16: Developing Policies with SELinux CIL
    1. Technical requirements
    2. Introducing CIL
      1. Translating .pp files to CIL
      2. Understanding CIL syntax
    3. Creating fine-grained definitions
      1. Depending on roles or types
      2. Defining a new port type
      3. Adding constraints to the policy
    4. Building complete application policies
      1. Using namespaces
      2. Extending the policy with attribute assignments
      3. Adding entry point information
      4. Gradually extending the policy further
      5. Introducing permission sets
      6. Adding macros
    5. Summary
    6. Questions
  27. Assessments
    1. Chapter 1
    2. Chapter 2
    3. Chapter 3
    4. Chapter 4
    5. Chapter 5
    6. Chapter 6
    7. Chapter 7
    8. Chapter 8
    9. Chapter 9
    10. Chapter 10
    11. Chapter 11
    12. Chapter 12
    13. Chapter 13
    14. Chapter 14
    15. Chapter 15
    16. Chapter 16
  28. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think

Product information

  • Title: SELinux System Administration - Third Edition
  • Author(s): Sven Vermeulen
  • Release date: December 2020
  • Publisher(s): Packt Publishing
  • ISBN: 9781800201477