9780131963696

SELinux: Bring World-Class Security to Any Linux Environment! SELinux offers Linux/UNIX integrators, administrators, and developers a state-of-the-art platform for building and maintaining highly secure solutions. Now that SELinux is included in the Linux 2.6 kerneland delivered by default in Fedora Core, Red Hat Enterprise Linux, and other major distributionsitrs"s easier than ever to take advantage of its benefits. SELinux by Example is the first complete, hands-on guide to using SELinux in production environments. AUTHORed by three leading SELinux researchers and developers, it illuminates every facet of working with SELinux, from its architecture and security object model to its policy language. The book thoroughly explains SELinux sample policies including the powerful new Reference Policyshowing how to quickly adapt them to your unique environment. It also contains a comprehensive SELinux policy language reference and covers exciting new features in Fedora Core 5 and the UPComing Red Hat Enterprise Linux version 5. bull; Thoroughly understand SELinuxrs"s access control and security mechanisms bull; Use SELinux to construct secure systems from the ground up bull; Gain fine-grained control over kernel resources bull; Write policy statements for type enforcement, roles, users, and constraints bull; Use optional multilevel security to enforce information classification and manage users with diverse clearances bull; Create conditional policies that can be changed on-the-fly bull; Define, manage, and maintain SELinux security policies bull; Develop and write new SELinux security policy modules bull; Leverage emerging SELinux technologies to gain even greater flexibility bull; Effectively administer any SELinux system

Frank Mayer is cofounder and Chief Technology Officer of Tresys Technology, and has 23 years of experience in the design, development, and analysis of secure operating systems. He has been an active contributor to SELinux for six years, and has initiated and participated in the development of many new SELinux innovations and tools. He also chairs the annual SELinux Symposium. Frank has published many papers on secure and trustworthy operating systems, and has also explored security in parallel computing, networks, and enterprise applications.

Karl MacMillan is an active contributor in the SELinux community and has led the development of many important SELinux features. He is also a sought after speaker and consultant, and has helped many individuals and organizations understand and apply strong computer security with SELinux. Previous to his work on SELinux, Karl made important contributions in the fields of pattern recognition and evolutionary computing as applied to document and audio recognition, where he has numerous published papers.

David Caplan is a senior security engineer at Tresys Technology with over 20 years of experience in computer security and a wide range of other programming- and software-related areas. He has worked with SELinux for six years as a contributor to many of the SELinux-related open source projects and has led multiple efforts in analyzing and constructing SELinux policy for a variety of systems.

Part I SELinux Overview

1

(56)

Background

3

(12)

The Inevitability of Software Failure

4

(1)

The Evolution of Access Control Security in Operating Systems

5

(8)

The Reference Monitor Concept

6

(1)

The Problem with Discretionary Access Control

7

(1)

The Origins of Mandatory Access Control

8

(2)

A Better Form of Mandatory Access Control

10

(1)

The Evolution of SELinux

11

(2)

Summary

13

(2)

Exercises

13

(2)

Concepts

15

(24)

Security Contexts for Type Enforcement

16

(3)

Comparing SELinux with Standard Linux

17

(1)

More on Security Contexts

18

(1)

Type Enforcement Access Control

19

(10)

Type Enforcement by Example

21

(1)

The Problem of Domain Transitions

22

(1)

Review of SetUID Programs in Standard Linux Security

23

(2)

Domain Transitions

25

(3)

Default Domain Transitions: type_transition Statement

28

(1)

The Role of Roles

29

(2)

Multilevel Security in SELinux

31

(1)

SELinux Features Familiarization

32

(4)

Revisiting the Passwd Example

33

(1)

Perusing the Policy File

34

(2)

Summary

36

(3)

Exercises

37

(2)

Architecture

39

(18)

The Kernel Architecture

40

(3)

LSM Framework

40

(2)

SELinux LSM Module

42

(1)

Userspace Object Managers

43

(4)

Kernel Support for Userspace Object Managers

44

(1)

Policy Server Architecture

45

(2)

SELinux Policy Language

47

(6)

The Native SELinux Policy Language Compiler

48

(2)

Source Policy Modules in a Monolithic Policy

50

(1)

Loadable Policy Modules

50

(1)

Building and Installing Monolithic Policies

51

(2)

Summary

53

(4)

Exercises

54

(3)

Part II SELinux Policy Language

57

(180)

Object Classes and Permissions

59

(30)

Purpose of Object Classes in SELinux

60

(1)

Defining Object Classes in SELinux Policy

61

(6)

Declaring Object Classes

62

(1)

Declaring and Associating Object Class Permissions

63

(4)

Available Object Classes

67

(6)

File-Related Object Classes

67

(2)

Network-Related Object Classes

69

(3)

System V IPC Object Classes

72

(1)

Miscellaneous Object Classes

73

(1)

Object Class Permission Examples

73

(11)

File Object Class Permissions

74

(4)

Process Object Class Permissions

78

(6)

Exploring Object Classes with Apol

84

(2)

Summary

86

(3)

Exercises

87

(2)

Type Enforcement

89

(40)

Type Enforcement

90

(1)

Types, Attributes, and Aliases

91

(9)

Declaring Types

92

(1)

Types and Attributes

93

(1)

Associating Types and Attributes

94

(4)

Aliases

98

(2)

Access Vector Rules

100

(15)

Common AV Rule Syntax

100

(8)

Allow Rules

108

(1)

Audit Rules

109

(2)

Neverallow Rules

111

(4)

Type Rules

115

(7)

Common Type Rule Syntax

115

(2)

Type Transition Rules

117

(4)

Type Change Rules

121

(1)

Exploring Type Enforcement Rules with Apol

122

(5)

Summary

127

(2)

Exercises

128

(1)

Roles and Users

129

(20)

Role-Based Access Control in SELinux

130

(5)

Overview of RBAC in SELinux

130

(2)

Managing User Privileges with Roles

132

(3)

Users and Roles in Object Security Contexts

135

(1)

Roles and Role Statements

135

(5)

Role Declaration Statement

135

(2)

Role Allow Rules

137

(1)

Role Transition Rules

138

(1)

Role Dominance Statement

138

(2)

Users and User Statements

140

(4)

Declaring Users and Associating Roles

141

(1)

Mapping Linux Users to SELinux Users

142

(2)

Exploring Roles and Users with Apol

144

(2)

Summary

146

(3)

Exercises

147

(2)

Constraints

149

(14)

A Closer Look at the Access Decision Algorithm

150

(2)

Constrain Statement

152

(5)

Label Transition Constraints

157

(4)

Summary

161

(2)

Exercises

161

(2)

Multilevel Security

163

(20)

Multilevel Security Constraints

164

(1)

Security Contexts with MLS

165

(5)

Defining Security Levels

165

(4)

MLS Extensions to Security Contexts

169

(1)

MLS Constraints

170

(9)

mlsconstrain Statement

170

(5)

mlsvalidatetrans Statement

175

(4)

Other Impacts of MLS

179

(1)

Summary

180

(3)

Exercises

181

(2)

Conditional Policies

183

(22)

Overview of Conditional Policies

184

(1)

Boolean Variables

185

(6)

Defining Boolean Variables

185

(1)

Managing Booleans in a Running System

186

(3)

Persistent Changes to Boolean Values

189

(2)

Conditional Statements

191

(7)

Conditional Expressions and Rule Lists

192

(4)

Conditional Statement Limitations

196

(2)

Examining Booleans and Conditional Policies with Apol

198

(4)

Summary

202

(3)

Exercises

203

(2)

Object Labeling

205

(32)

Introduction to Object Labeling

206

(2)

File-Related Object Labeling

208

(13)

Extended Attribute Filesystems (fs_use_xattr)

211

(5)

Task-Based Filesystems (fs_use_task)

216

(1)

Transition-Based Filesystems (fs_use_trans)

216

(1)

Generalized Security Context Labeling (genfscon)

217

(4)

Network and Socket Object Labeling

221

(7)

Network Interface Labeling (netifcon)

222

(1)

Network Node Labeling (nodecon)

223

(2)

Network Port Labeling (portcon)

225

(2)

Socket Labeling

227

(1)

System V IPC

228

(1)

Miscellaneous Object Labeling

228

(2)

Capability Object Labeling

229

(1)

Process Object Labeling

229

(1)

System and Security Object Labeling

230

(1)

Initial Security Identifiers

230

(3)

Exploring Object Labeling with Apol

233

(2)

Summary

235

(2)

Exercises

236

(1)

Part III Creating and Writing SELinux Security Policies

237

(126)

Original Example Policy

239

(26)

Methods for Managing the Build Process

240

(2)

Strict Example Policy

242

(19)

Overview of Policy Source File Structure

244

(8)

Examining an Example Policy Module

252

(6)

Build Options for Strict Example Policy

258

(3)

Targeted Example Policy

261

(1)

Summary

262

(3)

Exercises

263

(2)

Reference Policy

265

(30)

Goals of the Reference Policy

266

(2)

Overview of Policy Source File Structure

268

(3)

Build and Support Files

268

(1)

Core Policy Files

269

(2)

Design Principles

271

(10)

Layering

271

(1)

Modularity

272

(9)

Examining a Reference Policy Module

281

(6)

Build Options for Reference Policy

287

(4)

The build.conf File

287

(2)

The modules.conf File

289

(2)

Summary

291

(4)

Exercises

292

(3)

Managing an SELinux System

295

(30)

SELinux Configuration and Policy Management Files

296

(11)

The SELinux Configuration File (/etc/selinux/config)

296

(3)

The Policy Directories

299

(8)

Impact of SELinux on System Administration

307

(16)

Managing Users

307

(5)

Understanding Audit Messages

312

(6)

Fixing Problems: File-Related Object Labeling

318

(5)

Managing Multiple Policies

323

(1)

Summary

323

(2)

Exercises

324

(1)

Writing Policy Modules

325

(38)

Overview of Writing a Policy Module

326

(1)

Preparation and Planning

327

(5)

Gathering Application Information

327

(1)

Creating a Test Environment

328

(4)

Specifying Security Goals

332

(1)

Creating an Initial Policy Module

332

(17)

Creating Policy Module Files

333

(1)

Declaring Types

333

(4)

Allowing Initial Restrictive Access

337

(5)

Allowing Domain Transitions and Authorizing Roles

342

(1)

Integrating into the System Policy

343

(2)

Creating the Labeling Policy

345

(2)

Applying the Policy

347

(2)

Testing and Analyzing the Policy

349

(6)

Testing the Policy Module

349

(5)

Policy Analysis

354

(1)

Emerging Policy Development Tools

355

(1)

Complete IRC Daemon Module Listings

355

(7)

Summary

362

(1)

Appendix A Obtaining SELinux Sample Policies

363

(6)

Example Policy

364

(3)

Example Policy from Upstream SELinux Sites

364

(1)

Strict and Targeted Policies for Fedora Core 4

365

(1)

Red Hat Enterprise Linux 4 (RHEL4)

366

(1)

Fedora Core Experimental and Test Policies

367

(1)

Reference Policy

367

(2)

Primary Reference Policy

368

(1)

Red Hat's Fedora Core 5 Reference Policy

368

(1)

Appendix B Participation and Further Information

369

(6)

The SELinux Mail List

370

(1)

The Annual SELinux Symposium

370

(1)

The NSA

371

(1)

Tresys Technology

371

(1)

Open Source Projects

371

(1)

The SELinux IRC Channel

372

(1)

The Fedora Core Site

372

(1)

Hardened Gentoo

372

(1)

Other Related Security Information

373

(2)

Appendix C Object Classes and Permissions

375

(26)

Common Permission Sets

376

(3)

Object Classes and Defined Permission Sets

379

(22)

File-Related Object Classes

379

(4)

Network and Socket Object Classes

383

(8)

System V IPC-Related Object Classes

391

(1)

Miscellaneous Object Classes

392

(9)

Appendix D SELinux Commands and Utilities

401

(8)

System Utilities

402

(4)

Policy Tools

402

(1)

SELinux Status Information

403

(1)

Security Context Labeling

404

(1)

Security Context Changing Utilities

405

(1)

SELinux Modified Commands

405

(1)

Policy Module Manual Pages

406

(1)

SETools Suite

406

(2)

Other SELinux Tools

408

(1)

Index

409

What is included with this book?

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.

Amazon no longer offers textbook rentals. We do!

SELinux by Example Using Security Enhanced Linux

SELinux by Example Using Security Enhanced Linux

0131963694

Summary

Author Biography

Table of Contents

Supplemental Materials

Excerpts

Write a Review