Enhance Linux security, application platforms, and virtualization solutions with SELinux 3 to work within your boundaries, your rules, and your policies

Key Features

  • Learn what SELinux is, and how it acts as a mandatory access control system on Linux
  • Apply and tune SELinux enforcement to users, applications, platforms, and virtualization solutions
  • Use real-life examples and custom policies to strengthen the security posture of your systems

Book Description

Linux is a dominant player in many organizations and in the cloud. Securing the Linux environment is extremely important for any organization, and Security-Enhanced Linux (SELinux) acts as an additional layer to Linux system security.

SELinux System Administration covers basic SELinux concepts and shows you how to enhance Linux system protection measures. You will get to grips with SELinux and understand how it is integrated. As you progress, you'll get hands-on experience of tuning and configuring SELinux and integrating it into day-to-day administration tasks such as user management, network management, and application maintenance. Platforms such as Kubernetes, system services like systemd, and virtualization solutions like libvirt and Xen, all of which offer SELinux-specific controls, will be explained effectively so that you understand how to apply and configure SELinux within these applications. If applications do not exhibit the expected behavior, you'll learn how to fine-tune policies to securely host these applications. In case no policies exist, the book will guide you through developing custom policies on your own.

By the end of this Linux book, you'll be able to harden any Linux system with SELinux to suit your needs, fine-tune existing policies, and develop custom ones to protect any app and service running on your Linux systems.

What you will learn

  • Understand what SELinux is and how it is integrated into Linux
  • Tune Linux security using policies and their configurable settings
  • Manage Linux users with least-privilege roles and access controls
  • Use SELinux controls in system services and virtualization solutions
  • Analyze SELinux behavior through log events and policy analysis tools
  • Protect systems against unexpected and malicious behavior
  • Enhance existing policies or develop custom ones

Who this book is for

This Linux sysadmin book is for Linux administrators who want to control the secure state of their systems using SELinux, and for security professionals who have experience in maintaining a Linux system and want to know about SELinux. Experience in maintaining Linux systems, covering user management, software installation and maintenance, Linux security controls, and network configuration is required to get the most out of this book.

Table of Contents

  1. SELinux System Administration Third Edition
  2. Why subscribe?
  3. Contributors
  4. About the author
  5. About the reviewers
  6. Packt is searching for authors like you
  7. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the example code files
    5. Code in Action
    6. Download the color images
    7. Conventions used
    8. Get in touch
    9. Reviews
  8. Section 1: Using SELinux
  9. Chapter 1: Fundamental SELinux Concepts
    1. Technical requirements
    2. Providing more security for Linux
    3. Introducing Linux Security Modules (LSM)
    4. Extending regular DAC with SELinux
    5. Restricting root privileges
    6. Reducing the impact of vulnerabilities
    7. Enabling SELinux support
    8. Labeling all resources and objects
    9. Dissecting the SELinux context
    10. Enforcing access through types
    11. Granting domain access through roles
    12. Limiting roles through users
    13. Controlling information flow through sensitivities
    14. Defining and distributing policies
    15. Writing SELinux policies
    16. Distributing policies through modules
    17. Bundling modules in a policy store
    18. Distinguishing between policies
    19. Supporting MLS
    20. Dealing with unknown permissions
    21. Supporting unconfined domains
    22. Limiting cross-user sharing
    23. Incrementing policy versions
    24. Different policy content
    25. Summary
    26. Questions
  10. Chapter 2: Understanding SELinux Decisions and Logging
    1. Technical requirements
    2. Switching SELinux on and off
    3. Setting the global SELinux state
    4. Switching to permissive or enforcing mode
    5. Using kernel boot parameters
    6. Disabling SELinux protections for a single service
    7. Understanding SELinux-aware applications
    8. SELinux logging and auditing
    9. Following audit events
    10. Tuning the AVC
    11. Uncovering more logging
    12. Configuring Linux auditing
    13. Configuring the local system logger
    14. Reading SELinux denials
    15. Other SELinux-related event types
    16. Using ausearch
    17. Getting help with denials
    18. Troubleshooting with setroubleshoot
    19. Sending emails when SELinux denials occur
    20. Using audit2why
    21. Interacting with systemd-journal
    22. Using common sense
    23. Summary
    24. Questions
  11. Chapter 3: Managing User Logins
    1. Technical requirements
    2. User-oriented SELinux contexts
    3. SELinux users and roles
    4. Listing SELinux user mappings
    5. Mapping logins to SELinux users
    6. Customizing logins for services
    7. Creating SELinux users
    8. Listing accessible domains
    9. Managing categories
    10. Handling SELinux roles
    11. Defining allowed SELinux contexts
    12. Validating contexts with getseuser
    13. Switching roles with newrole
    14. Managing role access through sudo
    15. Reaching other domains using runcon
    16. Switching to the system role
    17. SELinux and PAM
    18. Assigning contexts through PAM
    19. Prohibiting access during permissive mode
    20. Polyinstantiating directories
    21. Summary
    22. Questions
  12. Chapter 4: Using File Contexts and Process Domains
    1. Technical requirements
    2. Introduction to SELinux file contexts
    3. Getting context information
    4. Interpreting SELinux context types
    5. Keeping or ignoring contexts
    6. Inheriting the default contexts
    7. Querying transition rules
    8. Copying and moving files
    9. Temporarily changing file contexts
    10. Placing categories on files and directories
    11. Using multilevel security on files
    12. Backing up and restoring extended attributes
    13. Using mount options to set SELinux contexts
    14. SELinux file context expressions
    15. Using context expressions
    16. Registering file context changes
    17. Optimizing recursive context operations
    18. Using customizable types
    19. Compiling the different file_contexts files
    20. Exchanging local modifications
    21. Modifying file contexts
    22. Using setfiles, rlpkg, and fixfiles
    23. Relabeling the entire filesystem
    24. Automatically setting context with restorecond
    25. Setting SELinux context at boot with tmpfiles
    26. The context of a process
    27. Getting a process context
    28. Transitioning toward a domain
    29. Verifying a target context
    30. Other supported transitions
    31. Querying initial contexts
    32. Tweaking memory protections
    33. Limiting the scope of transitions
    34. Sanitizing environments on transition
    35. Disabling unconstrained transitions
    36. Using Linux's NO_NEW_PRIVS
    37. Types, permissions, and constraints
    38. Understanding type attributes
    39. Querying domain permissions
    40. Learning about constraints
    41. Summary
    42. Questions
  13. Chapter 5: Controlling Network Communications
    1. Technical requirements
    2. Controlling process communications
    3. Using shared memory
    4. Communicating locally through pipes
    5. Conversing over UNIX domain sockets
    6. Understanding netlink sockets
    7. Dealing with TCP, UDP, and SCTP sockets
    8. Listing connection contexts
    9. Linux firewalling and SECMARK support
    10. Introducing netfilter
    11. Implementing security markings
    12. Assigning labels to packets
    13. Transitioning to nftables
    14. Assessing eBPF
    15. Securing high-speed InfiniBand networks
    16. Directly accessing memory
    17. Protecting InfiniBand networks
    18. Managing the InfiniBand subnet
    19. Controlling access to InfiniBand partitions
    20. Understanding labeled networking
    21. Fallback labeling with NetLabel
    22. Limiting flows based on the network interface
    23. Accepting peer communication from selected hosts
    24. Verifying peer-to-peer flow
    25. Using old-style controls
    26. Using labeled IPsec with SELinux
    27. Setting up regular IPsec
    28. Enabling labeled IPsec
    29. Supporting CIPSO with NetLabel and SELinux
    30. Configuring CIPSO mappings
    31. Adding domain-specific mappings
    32. Using local CIPSO definitions
    33. Supporting IPv6 CALIPSO
    34. Summary
    35. Questions
  14. Chapter 6: Configuring SELinux through Infrastructure-as-Code Orchestration
    1. Technical requirements
    2. Introducing the target settings and policies
    3. The idempotency of actions
    4. Policy and state management
    5. SELinux configuration settings
    6. Setting file contexts
    7. Recovering from mistakes
    8. Comparing frameworks
    9. Using Ansible for SELinux system administration
    10. How Ansible works
    11. Installing and configuring Ansible
    12. Creating and testing the Ansible role
    13. Assigning SELinux contexts to filesystem resources with Ansible
    14. Loading custom SELinux policies with Ansible
    15. Using Ansible's out-of-the-box SELinux support
    16. Utilizing SaltStack to configure SELinux
    17. How SaltStack works
    18. Installing and configuring SaltStack
    19. Creating and testing our SELinux state with SaltStack
    20. Assigning SELinux contexts to filesystem resources with SaltStack
    21. Loading custom SELinux policies with SaltStack
    22. Using SaltStack's out-of-the-box SELinux support
    23. Automating system management with Puppet
    24. How Puppet works
    25. Installing and configuring Puppet
    26. Creating and testing the SELinux class with Puppet
    27. Assigning SELinux contexts to filesystem resources with Puppet
    28. Loading custom SELinux policies with Puppet
    29. Using Puppet's out-of-the-box SELinux support
    30. Wielding Chef for system automation
    31. How Chef works
    32. Installing and configuring Chef
    33. Creating the SELinux cookbook
    34. Assigning SELinux contexts to filesystem resources with Chef
    35. Loading custom SELinux policies with Chef
    36. Using Chef's out-of-the-box SELinux support
    37. Summary
    38. Questions
  15. Section 2: SELinux-Aware Platforms
  16. Chapter 7: Configuring Application-Specific SELinux Controls
    1. Technical requirements
    2. Tuning systemd services, logging, and device management
    3. Service support in systemd
    4. Logging with systemd
    5. Handling device files
    6. Communicating over D-Bus
    7. Understanding D-Bus
    8. Controlling service acquisition with SELinux
    9. Governing message flows
    10. Configuring PAM services
    11. Cockpit
    12. Cron
    13. OpenSSH
    14. Using mod_selinux with Apache
    15. Introducing mod_selinux
    16. Configuring the general Apache SELinux sensitivity
    17. Mapping end users to specific domains
    18. Changing domains based on source
    19. Summary
    20. Questions
  17. Chapter 8: SEPostgreSQL – Extending PostgreSQL with SELinux
    1. Technical requirements
    2. Introducing PostgreSQL and sepgsql
    3. Reconfiguring PostgreSQL with sepgsql
    4. Creating a test account
    5. Tuning sepgsql inside PostgreSQL
    6. Troubleshooting sepgsql
    7. Understanding SELinux's database-specific object classes and permissions
    8. Understanding sepgsql permissions
    9. Using the default supported types
    10. Creating trusted procedures
    11. Using sepgsql-specific functions
    12. Using MCS and MLS
    13. Limiting access to columns based on categories
    14. Constraining the user domain for sensitivity range manipulation
    15. Integrating SEPostgreSQL into the network
    16. Creating a fallback label for remote sessions
    17. Tuning the SELinux policy
    18. Summary
    19. Questions
  18. Chapter 9: Secure Virtualization
    1. Technical requirements
    2. Understanding SELinux-secured virtualization
    3. Introducing virtualization
    4. Reviewing the risks of virtualization
    5. Reusing existing virtualization domains
    6. Fine-tuning virtualization-supporting SELinux policy
    7. Understanding sVirt's use of MCS
    8. Enhancing libvirt with SELinux support
    9. Differentiating between shared and dedicated resources
    10. Assessing the libvirt architecture
    11. Configuring libvirt for sVirt
    12. Changing a guest's SELinux labels
    13. Customizing resource labels
    14. Controlling available categories
    15. Changing the storage pool locations
    16. Using Vagrant with libvirt
    17. Deploying Vagrant and the libvirt plugin
    18. Installing a libvirt-compatible box
    19. Configuring Vagrant boxes
    20. Summary
    21. Questions
  19. Chapter 10: Using Xen Security Modules with FLASK
    1. Technical requirements
    2. Understanding Xen and XSM
    3. Introducing the Xen hypervisor
    4. Installing Xen
    5. Creating an unprivileged guest
    6. Understanding Xen Security Modules
    7. Running XSM-enabled Xen
    8. Rebuilding Xen with XSM support
    9. Using XSM labels
    10. Manipulating XSM
    11. Applying custom XSM policies
    12. Summary
    13. Questions
  20. Chapter 11: Enhancing the Security of Containerized Workloads
    1. Technical requirements
    2. Using SELinux with systemd's container support
    3. Initializing a systemd container
    4. Using a specific SELinux context
    5. Facilitating container management with machinectl
    6. Configuring podman
    7. Selecting podman over Docker
    8. Using containers with SELinux
    9. Changing a container's SELinux domain
    10. Creating custom domains with udica
    11. Toggling container_t privileges with SELinux booleans
    12. Tuning the container hosting environment
    13. Leveraging Kubernetes' SELinux support
    14. Configuring Kubernetes with SELinux support
    15. Setting SELinux contexts for pods
    16. Summary
    17. Questions
  21. Section 3: Policy Management
  22. Chapter 12: Tuning SELinux Policies
    1. Technical requirements
    2. Working with SELinux booleans
    3. Listing SELinux booleans
    4. Changing boolean values
    5. Inspecting the impact of a boolean
    6. Handling policy modules
    7. Listing policy modules
    8. Loading and removing policy modules
    9. Replacing and updating existing policies
    10. Creating policies using audit2allow
    11. Using sensible module names
    12. Generating reference policy style modules with audit2allow
    13. Building reference policy-style modules
    14. Building legacy-style modules
    15. Replacing the default distribution policy
    16. Summary
    17. Questions
  23. Chapter 13: Analyzing Policy Behavior
    1. Technical requirements
    2. Performing single-step analysis
    3. Using different SELinux policy files
    4. Displaying policy object information
    5. Understanding sesearch
    6. Querying allow rules
    7. Querying type transition rules
    8. Querying other type rules
    9. Querying role-related rules
    10. Browsing with apol
    11. Using apol workspaces
    12. Investigating domain transitions
    13. Using apol for domain transition analysis
    14. Using sedta for domain transition analysis
    15. Using sepolicy for domain transition analysis
    16. Analyzing information flow
    17. Using apol for information flow analysis
    18. Using seinfoflow for information flow analysis
    19. Using sepolicy communicate for simple information flow analysis
    20. Comparing policies
    21. Using sediff to compare policies
    22. Summary
    23. Questions
  24. Chapter 14: Dealing with New Applications
    1. Technical requirements
    2. Running applications without restrictions
    3. Understanding how unconfined domains work
    4. Making new applications run as an unconfined domain
    5. Extending unconfined domains
    6. Marking domains as permissive
    7. Using sandboxed applications
    8. Understanding the SELinux sandbox
    9. Using the sandbox command
    10. Assigning common policies to new applications
    11. Understanding domain complexity
    12. Running applications in a specific policy
    13. Extending generated policies
    14. Understanding the limitations of generated policies
    15. Introducing sepolicy generate
    16. Generating policies with sepolicy generate
    17. Summary
    18. Questions
  25. Chapter 15: Using the Reference Policy
    1. Technical requirements
    2. Introducing the reference policy
    3. Navigating the policy
    4. Structuring policy modules
    5. Using and understanding the policy macros
    6. Making use of single-class permission groups
    7. Calling permission groups
    8. Creating application-level policies
    9. Constructing network-facing service policies
    10. Addressing user applications
    11. Adding user-level policies
    12. Getting help with supporting tools
    13. Verifying code with selint
    14. Querying the interfaces and macros locally
    15. Summary
    16. Questions
  26. Chapter 16: Developing Policies with SELinux CIL
    1. Technical requirements
    2. Introducing CIL
    3. Translating .pp files to CIL
    4. Understanding CIL syntax
    5. Creating fine-grained definitions
    6. Depending on roles or types
    7. Defining a new port type
    8. Adding constraints to the policy
    9. Building complete application policies
    10. Using namespaces
    11. Extending the policy with attribute assignments
    12. Adding entry point information
    13. Gradually extending the policy further
    14. Introducing permission sets
    15. Adding macros
    16. Summary
    17. Questions
  27. Assessments
    1. Chapter 1
    2. Chapter 2
    3. Chapter 3
    4. Chapter 4
    5. Chapter 5
    6. Chapter 6
    7. Chapter 7
    8. Chapter 8
    9. Chapter 9
    10. Chapter 10
    11. Chapter 11
    12. Chapter 12
    13. Chapter 13
    14. Chapter 14
    15. Chapter 15
    16. Chapter 16
  28. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think