Preface

As a security researcher and author of computer books, I work hard to stay abreast of the latest technological developments. So, I’d been tracking Security Enhanced Linux (SELinux) on my technology radar for several years. But, frankly, it didn’t seem to me easy enough, or robust enough, for dependable use by Linux system administrators.

About one year ago, SELinux seemed to grow up suddenly. I now believe that SELinux is the most important computing technology for Linux users that I’ve seen in the last several years. Obviously, others agree that SELinux is important and useful: SELinux has been incorporated into Fedora Core, Gentoo, and SUSE Linux. And by the time this book is in print, it’s expected to be part of Red Hat Enterprise Linux.

Why the sudden popularity? In a nutshell, SELinux promises to change the way Linux users practice computer security from a reactive posture, based on applying patches intended to close published vulnerabilities, to a proactive posture that seeks to prevent even unpublished vulnerabilities from compromising systems. Properly configured and administered Linux systems already hold a well-deserved reputation for resistance to attack. SELinux significantly ups the ante on attackers and intruders by providing Linux system administrators with access to sophisticated security technology of a sort previously available only to administrators of high-security systems running expensive, military-grade operating systems.

Of course, as a good friend of mine—who happens to be an economist—is fond of saying, “There’s no such thing as a free lunch.” Like other security technologies, SELinux must be properly installed, configured, and maintained if it is to be effective. This book will help you understand and intelligently use SELinux. Whether you prefer to use the sample SELinux security policies delivered as part of a Linux distribution or to implement your own customized policies, this book will show you the way.

One thing SELinux: NSA’s Open Source Security Enhanced Linux doesn’t do is explain how to write programs that use the SELinux API. I anticipate that this book will be useful to those who want to write such programs. But SELinux is designed for system administrators, not programmers, and therefore doesn’t assume programming skills or expertise. Consequently, those interested in using the SELinux API will have to supplement the material presented in this book with information obtained from SELinux documentation and other sources.

Organization of This Book

This book is divided into nine chapters and five appendixes. Here is a brief summary of each chapter’s focus:

Chapter 1, Introducing SELinux, explains why SELinux is valuable and which common security flaws it addresses, including the concept of the 0-day vulnerability.

Chapter 2, Overview of the SELinux Security Model, explains such basic concepts as roles, domains, and transitions. It prepares the reader for SELinux installation.

Chapter 3, Installing and Initially Configuring SELinux, lays out the current state of SELinux support in several GNU/Linux distributions and provides guidance for installation.

Chapter 4, Using and Administering SELinux, is a basic SELinux system guide for system administrators, covering such techniques as user administration.

Chapter 5, SELinux Policy and Policy Language Overview, prepares the reader to write or revise policies, which is necessary when new software is installed on an SELinux system or when policies need to be adjusted to current system use. This chapter discusses the build process, the layout of policy-related files, and general issues such as macros.

Chapter 6, Role-Based Access Control, introduces the syntax of policy files and describes the directives that relate to user roles.

Chapter 7, Type Enforcement, discusses the next major aspect of SELinux policies, type-enforcement files.

Chapter 8, Ancillary Policy Statements, finishes the explanation of policy statements with a description of constraints and other miscellaneous directives.

Chapter 9, Customizing SELinux Policies, pulls together all the material from the book, provides concrete examples of how to adjust SELinux systems to users’ needs, and introduces tools that help monitor the system and view policies.

Five appendixes list the classes, operations, macros, types, and attributes defined by SELinux policy files.
