You are previewing SELinux Cookbook.
O'Reilly logo
SELinux Cookbook

Book Description

Over 70 hands-on recipes to develop fully functional policies to confine your applications and users using SELinux

In Detail

In SELinux Cookbook, we cover everything from how to build SELinux policies to the integration of the technology with other systems and look at a wide range of examples to assist in creating additional policies. The first set of recipes work around file labeling as one of the most common and important SELinux administrative aspects. Then, we move on to custom policy development, showing how this is done for web application confinement, desktop application protection, and custom server policies. Next, we shift our focus to the end user, restricting user privileges and setting up role-based access controls. After that, we redirect our focus to the integration of SELinux with Linux systems, aligning SELinux with existing security controls on a Linux system. Finally, we will learn how applications interact with the SELinux subsystem internally; ensuring that whatever the challenge, we will be able to find the best solution.

What You Will Learn

  • Manage resource labels and fine-tune your policies to automatically handle labeling
  • Gain an insight into how to tune the web server SELinux policy for secure web application hosting
  • Learn how to confine desktop applications through custom-built policies
  • Protect a server's assets by creating your own service-specific SELinux policies
  • Discover how to restrict users without hindering them by installing role-based access control
  • Troubleshoot and debug the behavior of SELinux-enabled applications
  • Downloading the example code for this book. You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.

    Table of Contents

    1. SELinux Cookbook
      1. Table of Contents
      2. SELinux Cookbook
      3. Credits
      4. About the Author
      5. About the Reviewers
      6. www.PacktPub.com
        1. Support files, eBooks, discount offers, and more
          1. Why subscribe?
          2. Free access for Packt account holders
      7. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Downloading the example code
          2. Errata
          3. Piracy
          4. Questions
      8. 1. The SELinux Development Environment
        1. Introduction
          1. About SELinux
          2. The role of the SELinux policy
          3. The example
        2. Creating the development environment
          1. Getting ready
          2. How to do it…
          3. How it works…
          4. There's more...
          5. See also
        3. Building a simple SELinux module
          1. Getting ready
          2. How to do it…
          3. How it works…
            1. The policy source file
            2. The binary policy module
            3. Loading a policy into the policy store
          4. There's more...
          5. See also
        4. Calling refpolicy interfaces
          1. How to do it…
          2. How it works…
          3. See also
        5. Creating our own interface
          1. How to do it…
          2. How it works…
            1. The location of the interface definitions
            2. The in-line documentation
          3. See also
        6. Using the refpolicy naming convention
          1. Getting ready
          2. How to do it…
          3. How it works…
          4. There's more...
        7. Distributing SELinux policy modules
          1. How to do it…
          2. How it works…
            1. Changes in interfaces
            2. Kernel version changes
            3. MLS or not
      9. 2. Dealing with File Labels
        1. Introduction
        2. Defining file contexts through patterns
          1. How to do it…
          2. How it works…
            1. Path expressions
            2. The order of processing
            3. Class identifiers
            4. Context declaration
          3. There's more...
        3. Using substitution definitions
          1. Getting ready
          2. How to do it…
          3. How it works…
          4. There's more...
          5. See also
        4. Enhancing an SELinux policy with file transitions
          1. Getting ready
          2. How to do it…
          3. How it works…
            1. Finding the right search pattern
            2. Patterns
          4. There's more...
          5. See also
        5. Setting resource-sensitivity labels
          1. How to do it…
          2. How it works…
            1. Full policy replacement
            2. Ranged daemon domain
            3. Constraints
          3. See also
        6. Configuring sensitivity categories
          1. Getting ready
          2. How to do it…
          3. How it works…
            1. The mcstrans and setrans.conf files
            2. SELinux users and Linux user mappings
            3. Running Apache with the right context
          4. See also
      10. 3. Confining Web Applications
        1. Introduction
        2. Listing conditional policy support
          1. How to do it…
          2. How it works...
          3. See also
        3. Enabling user directory support
          1. Getting ready
          2. How to do it…
          3. How it works...
          4. There's more...
          5. See also
        4. Assigning web content types
          1. How to do it…
          2. How it works
          3. There's more...
        5. Using different web server ports
          1. How to do it…
          2. How it works...
          3. There's more...
          4. See also
        6. Using custom content types
          1. Getting ready
          2. How to do it…
          3. How it works...
          4. There's more...
        7. Creating a custom CGI domain
          1. How to do it…
          2. How it works...
        8. Setting up mod_selinux
          1. How to do it…
          2. How it works...
          3. See also
        9. Starting Apache with limited clearance
          1. How to do it…
          2. How it works...
          3. There's more...
        10. Mapping HTTP users to contexts
          1. How to do it…
          2. How it works...
        11. Using source address mapping to decide on contexts
          1. How to do it…
          2. How it works...
          3. There's more...
          4. See also
        12. Separating virtual hosts with mod_selinux
          1. How to do it…
          2. How it works...
          3. See also
      11. 4. Creating a Desktop Application Policy
        1. Introduction
        2. Researching the application's logical design
          1. How to do it…
          2. How it works…
            1. Files and directories
            2. Network resources
            3. Processes
            4. Hardware and kernel resources
        3. Creating a skeleton policy
          1. How to do it…
          2. How it works…
            1. Type declarations
            2. Managing files and directories
            3. X11 and shared memory
            4. The network access
          3. There's more...
          4. See also
        4. Setting context definitions
          1. How to do it…
          2. How it works…
        5. Defining application role interfaces
          1. How to do it…
          2. How it works…
          3. There's more...
        6. Testing and enhancing the policy
          1. How to do it…
          2. How it works…
        7. Ignoring permissions we don't need
          1. How to do it…
          2. How it works…
        8. Creating application resource interfaces
          1. How to do it…
          2. How it works…
        9. Adding conditional policy rules
          1. How to do it…
          2. How it works…
          3. There's more...
        10. Adding build-time policy decisions
          1. How to do it…
          2. How it works…
          3. There's more...
      12. 5. Creating a Server Policy
        1. Introduction
        2. Understanding the service
          1. How to do it…
          2. How it works…
            1. Online research
            2. Sandbox environment
            3. The structural documentation
          3. See also
        3. Choosing resource types wisely
          1. How to do it…
          2. How it works…
            1. Domain definitions
            2. Logical resources
            3. Infrastructural resources
        4. Differentiating policies based on use cases
          1. How to do it…
          2. How it works…
        5. Creating resource-access interfaces
          1. How to do it…
          2. How it works…
        6. Creating exec, run, and transition interfaces
          1. How to do it…
          2. How it works…
          3. See also
        7. Creating a stream-connect interface
          1. How to do it…
            1. For a Unix domain socket with a socket file
            2. For an abstract Unix domain socket
          2. How it works…
        8. Creating the administrative interface
          1. How to do it…
          2. How it works…
          3. See also
      13. 6. Setting Up Separate Roles
        1. Introduction
        2. Managing SELinux users
          1. How to do it…
          2. How it works…
          3. There's more...
        3. Mapping Linux users to SELinux users
          1. How to do it…
          2. How it works…
        4. Running commands in a specified role with sudo
          1. How to do it…
          2. How it works…
          3. See also
        5. Running commands in a specified role with runcon
          1. How to do it…
          2. How it works…
        6. Switching roles
          1. How to do it…
          2. How it works…
        7. Creating a new role
          1. How to do it…
          2. How it works…
            1. Defining a role in the policy
            2. Extending the role privileges
            3. Default types and default contexts
        8. Initial role based on entry
          1. How to do it…
          2. How it works…
        9. Defining role transitions
          1. How to do it…
          2. How it works…
        10. Looking into access privileges
          1. How to do it…
          2. How it works…
            1. Direct access inspection
            2. Policy manipulation
            3. Indirect access
      14. 7. Choosing the Confinement Level
        1. Introduction
        2. Finding common resources
          1. How to do it…
          2. How it works…
            1. Shared file locations
            2. User content and customizable types
          3. There's more...
        3. Defining common helper domains
          1. How to do it…
          2. How it works…
        4. Documenting common privileges
          1. How to do it…
          2. How it works…
        5. Granting privileges to all clients
          1. How to do it…
          2. How it works…
        6. Creating a generic application domain
          1. How to do it…
          2. How it works…
        7. Building application-specific domains using templates
          1. How to do it…
          2. How it works…
        8. Using fine-grained application domain definitions
          1. How to do it…
          2. How it works…
            1. Reducing exploit risks
            2. Role management
            3. Type inheritance and transitions
      15. 8. Debugging SELinux
        1. Introduction
        2. Identifying whether SELinux is to blame
          1. How to do it…
          2. How it works…
          3. See also
        3. Analyzing SELINUX_ERR messages
          1. Getting ready
          2. How to do it…
          3. How it works…
            1. Invalid contexts
            2. Denied transition validation
            3. Denied security-bounded transitions
          4. There's more...
          5. See also
        4. Logging positive policy decisions
          1. How to do it…
          2. How it works…
        5. Looking through SELinux constraints
          1. How to do it…
          2. How it works…
          3. See also
        6. Ensuring an SELinux rule is never allowed
          1. How to do it…
          2. How it works…
        7. Using strace to clarify permission issues
          1. How to do it…
          2. How it works…
        8. Using strace against daemons
          1. How to do it…
          2. How it works…
          3. There's more...
          4. See also
        9. Auditing system behavior
          1. How to do it…
          2. How it works…
          3. There's more...
          4. See also
      16. 9. Aligning SELinux with DAC
        1. Introduction
        2. Assigning a different root location to regular services
          1. Getting ready
          2. How to do it…
          3. How it works…
          4. There's more...
          5. See also
        3. Using a different root location for SELinux-aware applications
          1. How to do it…
          2. How it works…
          3. See also
        4. Sharing user content with file ACLs
          1. How to do it…
          2. How it works…
          3. There's more...
        5. Enabling polyinstantiated directories
          1. How to do it…
          2. How it works…
          3. There's more...
        6. Configuring capabilities instead of setuid binaries
          1. How to do it…
          2. How it works…
          3. See also
        7. Using group membership for role-based access
          1. How to do it…
          2. How it works…
        8. Backing up and restoring files
          1. How to do it…
          2. How it works…
        9. Governing application network access
          1. How to do it…
          2. How it works…
          3. See also
      17. 10. Handling SELinux-aware Applications
        1. Introduction
        2. Controlling D-Bus message flows
          1. Getting ready
          2. How to do it…
          3. How it works…
          4. There's more...
        3. Restricting service ownership
          1. How to do it…
          2. How it works…
          3. There's more...
        4. Understanding udev's SELinux integration
          1. How to do it…
          2. How it works…
        5. Using cron with SELinux
          1. How to do it…
          2. How it works…
          3. There's more…
        6. Checking the SELinux state programmatically
          1. Getting ready
          2. How to do it…
          3. How it works…
          4. There's more...
        7. Querying SELinux userland configuration in C
          1. How to do it…
          2. How it works…
          3. There's more...
        8. Interrogating the SELinux subsystem code-wise
          1. Getting ready
          2. How to do it…
          3. How it works…
          4. There's more...
        9. Running new processes in a new context
          1. Getting ready
          2. How to do it…
          3. How it works…
          4. There's more...
        10. Reading the context of a resource
          1. How to do it…
          2. How it works…
          3. There's more...
      18. Index