Linux is a dominant player in many organizations and in the cloud. Securing the Linux environment is extremely important for any organization, and Security-Enhanced Linux (SELinux) acts as an additional layer to Linux system security.
SELinux System Administration covers basic SELinux concepts and shows you how to enhance Linux system protection measures. You will get to grips with SELinux and understand how it is integrated. As you progress, you'll get hands-on experience of tuning and configuring SELinux and integrating it into day-to-day administration tasks such as user management, network management, and application maintenance. Platforms such as Kubernetes, system services like systemd, and virtualization solutions like libvirt and Xen, all of which offer SELinux-specific controls, will be explained effectively so that you understand how to apply and configure SELinux within these applications. If applications do not exert the expected behavior, you'll learn how to fine-tune policies to securely host these applications. In case no policies exist, the book will guide you through developing custom policies on your own.
By the end of this Linux book, you'll be able to harden any Linux system using SELinux to suit your needs and fine-tune existing policies and develop custom ones to protect any app and service running on your Linux systems.
Author(s): Sven Vermeulen
Edition: 3
Publisher: Sven Vermeulen
Year: 2020
Language: English
Pages: 458
Cover
Title Page
Copyright and Credits
About Packt
Contributors
Table of Contents
Preface
Section 1: Using SELinux
Chapter 1: Fundamental SELinux Concepts
Technical requirements
Providing more security for Linux
Introducing Linux Security Modules (LSM)
Extending regular DAC with SELinux
Restricting root privileges
Reducing the impact of vulnerabilities
Enabling SELinux support
Labeling all resources and objects
Dissecting the SELinux context
Enforcing access through types
Granting domain access through roles
Limiting roles through users
Controlling information flow through sensitivities
Defining and distributing policies
Writing SELinux policies
Distributing policies through modules
Bundling modules in a policy store
Distinguishing between policies
Supporting MLS
Dealing with unknown permissions
Supporting unconfined domains
Limiting cross-user sharing
Incrementing policy versions
Different policy content
Summary
Questions
Chapter 2: Understanding SELinux Decisions and Logging
Technical requirements
Switching SELinux on and off
Setting the global SELinux state
Switching to permissive or enforcing mode
Using kernel boot parameters
Disabling SELinux protections for a single service
Understanding SELinux-aware applications
SELinux logging and auditing
Following audit events
Tuning the AVC
Uncovering more logging
Configuring Linux auditing
Configuring the local system logger
Reading SELinux denials
Other SELinux-related event types
Using ausearch
Getting help with denials
Troubleshooting with setroubleshoot
Sending emails when SELinux denials occur
Using audit2why
Interacting with systemd-journal
Using common sense
Summary
Questions
Chapter 3: Managing User Logins
Technical requirements
User-oriented SELinux contexts
SELinux users and roles
Listing SELinux user mappings
Mapping logins to SELinux users
Customizing logins for services
Creating SELinux users
Listing accessible domains
Managing categories
Handling SELinux roles
Defining allowed SELinux contexts
Validating contexts with getseuser
Switching roles with newrole
Managing role access through sudo
Reaching other domains using runcon
Switching to the system role
SELinux and PAM
Assigning contexts through PAM
Prohibiting access during permissive mode
Polyinstantiating directories
Summary
Questions
Chapter 4: Using File Contexts and Process Domains
Technical requirements
Introduction to SELinux file contexts
Getting context information
Interpreting SELinux context types
Keeping or ignoring contexts
Inheriting the default contexts
Querying transition rules
Copying and moving files
Temporarily changing file contexts
Placing categories on files and directories
Using multilevel security on files
Backing up and restoring extended attributes
Using mount options to set SELinux contexts
SELinux file context expressions
Using context expressions
Registering file context changes
Optimizing recursive context operations
Using customizable types
Compiling the different file_contexts files
Exchanging local modifications
Modifying file contexts
Using setfiles, rlpkg, and fixfiles
Relabeling the entire filesystem
Automatically setting context with restorecond
Setting SELinux context at boot with tmpfiles
The context of a process
Getting a process context
Transitioning toward a domain
Verifying a target context
Other supported transitions
Querying initial contexts
Tweaking memory protections
Limiting the scope of transitions
Sanitizing environments on transition
Disabling unconstrained transitions
Using Linux's NO_NEW_PRIVS
Types, permissions, and constraints
Understanding type attributes
Querying domain permissions
Learning about constraints
Summary
Questions
Chapter 5: Controlling Network Communications
Technical requirements
Controlling process communications
Using shared memory
Communicating locally through pipes
Conversing over UNIX domain sockets
Understanding netlink sockets
Dealing with TCP, UDP, and SCTP sockets
Listing connection contexts
Linux firewalling and SECMARK support
Introducing netfilter
Implementing security markings
Assigning labels to packets
Transitioning to nftables
Assessing eBPF
Securing high-speed InfiniBand networks
Directly accessing memory
Protecting InfiniBand networks
Managing the InfiniBand subnet
Controlling access to InfiniBand partitions
Understanding labeled networking
Fallback labeling with NetLabel
Limiting flows based on the network interface
Accepting peer communication from selected hosts
Verifying peer-to-peer flow
Using old-style controls
Using labeled IPsec with SELinux
Setting up regular IPsec
Enabling labeled IPsec
Supporting CIPSO with NetLabel and SELinux
Configuring CIPSO mappings
Adding domain-specific mappings
Using local CIPSO definitions
Supporting IPv6 CALIPSO
Summary
Questions
Chapter 6: Configuring SELinux through Infrastructure-as-Code Orchestration
Technical requirements
Introducing the target settings and policies
The idempotency of actions
Policy and state management
SELinux configuration settings
Setting file contexts
Recovering from mistakes
Comparing frameworks
Using Ansible for SELinux system administration
How Ansible works
Installing and configuring Ansible
Creating and testing the Ansible role
Assigning SELinux contexts to filesystem resources with Ansible
Loading custom SELinux policies with Ansible
Using Ansible's out-of-the-box SELinux support
Utilizing SaltStack to configure SELinux
How SaltStack works
Installing and configuring SaltStack
Creating and testing our SELinux state with SaltStack
Assigning SELinux contexts to filesystem resources with SaltStack
Loading custom SELinux policies with SaltStack
Using SaltStack's out-of-the-box SELinux support
Automating system management with Puppet
How Puppet works
Installing and configuring Puppet
Creating and testing the SELinux class with Puppet
Assigning SELinux contexts to filesystem resources with Puppet
Loading custom SELinux policies with Puppet
Using Puppet's out-of-the-box SELinux support
Wielding Chef for system automation
How Chef works
Installing and configuring Chef
Creating the SELinux cookbook
Assigning SELinux contexts to filesystem resources with Chef
Loading custom SELinux policies with Chef
Using Chef's out-of-the-box SELinux support
Summary
Questions
Section 2: SELinux-Aware Platforms
Chapter 7: Configuring Application-Specific SELinux Controls
Technical requirements
Tuning systemd services, logging, and device management
Service support in systemd
Logging with systemd
Handling device files
Communicating over D-Bus
Understanding D-Bus
Controlling service acquisition with SELinux
Governing message flows
Configuring PAM services
Cockpit
Cron
OpenSSH
Using mod_selinux with Apache
Introducing mod_selinux
Configuring the general Apache SELinux sensitivity
Mapping end users to specific domains
Changing domains based on source
Summary
Questions
Chapter 8: SEPostgreSQL – Extending PostgreSQL with SELinux
Technical requirements
Introducing PostgreSQL and sepgsql
Reconfiguring PostgreSQL with sepgsql
Creating a test account
Tuning sepgsql inside PostgreSQL
Troubleshooting sepgsql
Understanding SELinux's database-specific object classes and permissions
Understanding sepgsql permissions
Using the default supported types
Creating trusted procedures
Using sepgsql-specific functions
Using MCS and MLS
Limiting access to columns based on categories
Constraining the user domain for sensitivity range manipulation
Integrating SEPostgreSQL into the network
Creating a fallback label for remote sessions
Tuning the SELinux policy
Summary
Questions
Chapter 9: Secure Virtualization
Technical requirements
Understanding SELinux-secured virtualization
Introducing virtualization
Reviewing the risks of virtualization
Reusing existing virtualization domains
Fine-tuning virtualization-supporting SELinux policy
Understanding sVirt's use of MCS
Enhancing libvirt with SELinux support
Differentiating between shared and dedicated resources
Assessing the libvirt architecture
Configuring libvirt for sVirt
Changing a guest's SELinux labels
Customizing resource labels
Controlling available categories
Changing the storage pool locations
Using Vagrant with libvirt
Deploying Vagrant and the libvirt plugin
Installing a libvirt-compatible box
Configuring Vagrant boxes
Summary
Questions
Chapter 10: Using Xen Security Modules with FLASK
Technical requirements
Understanding Xen and XSM
Introducing the Xen hypervisor
Installing Xen
Creating an unprivileged guest
Understanding Xen Security Modules
Running XSM-enabled Xen
Rebuilding Xen with XSM support
Using XSM labels
Manipulating XSM
Applying custom XSM policies
Summary
Questions
Chapter 11: Enhancing the Security of Containerized Workloads
Technical requirements
Using SELinux with systemd's container support
Initializing a systemd container
Using a specific SELinux context
Facilitating container management with machinectl
Configuring podman
Selecting podman over Docker
Using containers with SELinux
Changing a container's SELinux domain
Creating custom domains with udica
Toggling container_t privileges with SELinux booleans
Tuning the container hosting environment
Leveraging Kubernetes' SELinux support
Configuring Kubernetes with SELinux support
Setting SELinux contexts for pods
Summary
Questions
Section 3: Policy Management
Chapter 12: Tuning SELinux Policies
Technical requirements
Working with SELinux booleans
Listing SELinux booleans
Changing boolean values
Inspecting the impact of a boolean
Handling policy modules
Listing policy modules
Loading and removing policy modules
Replacing and updating existing policies
Creating policies using audit2allow
Using sensible module names
Generating reference policy style modules with audit2allow
Building reference policy - style modules
Building legacy-style modules
Replacing the default distribution policy
Summary
Questions
Chapter 13: Analyzing Policy Behavior
Technical requirements
Performing single-step analysis
Using different SELinux policy files
Displaying policy object information
Understanding sesearch
Querying allow rules
Querying type transition rules
Querying other type rules
Querying role-related rules
Browsing with apol
Using apol workspaces
Investigating domain transitions
Using apol for domain transition analysis
Using sedta for domain transition analysis
Using sepolicy for domain transition analysis
Analyzing information flow
Using apol for information flow analysis
Using seinfoflow for information flow analysis
Using sepolicy communicate for simple information flow analysis
Comparing policies
Using sediff to compare policies
Summary
Questions
Chapter 14: Dealing with New Applications
Technical requirements
Running applications without restrictions
Understanding how unconfined domains work
Making new applications run as an unconfined domain
Extending unconfined domains
Marking domains as permissive
Using sandboxed applications
Understanding the SELinux sandbox
Using the sandbox command
Assigning common policies to new applications
Understanding domain complexity
Running applications in a specific policy
Extending generated policies
Understanding the limitations of generated policies
Introducing sepolicy generate
Generating policies with sepolicy generate
Summary
Questions
Chapter 15: Using the Reference Policy
Technical requirements
Introducing the reference policy
Navigating the policy
Structuring policy modules
Using and understanding the policy macros
Making use of single-class permission groups
Calling permission groups
Creating application-level policies
Constructing network-facing service policies
Addressing user applications
Adding user-level policies
Getting help with supporting tools
Verifying code with selint
Querying the interfaces and macros locally
Summary
Questions
Chapter 16: Developing Policies with SELinux CIL
Technical requirements
Introducing CIL
Translating .pp files to CIL
Understanding CIL syntax
Creating fine-grained definitions
Depending on roles or types
Defining a new port type
Adding constraints to the policy
Building complete application policies
Using namespaces
Extending the policy with attribute assignments
Adding entry point information
Gradually extending the policy further
Introducing permission sets
Adding macros
Summary
Questions
Assessments
Other Books You May Enjoy
Index
