SELinux by Example: Using Security Enhanced Linux

book cover
SELinux by Example: Using Security Enhanced Linux
By Frank Mayer,, Karl MacMillan,, David Caplan
Publisher: Prentice Hall
Pub Date: July 27, 2006
Print ISBN-10: 0-131-96369-4
Print ISBN-13: 978-0-13-196369-6
Pages: 456

Table of Contents  | Index


SELinux: Bring World-Class Security to Any Linux Environment!


SELinux offers Linux/UNIX integrators, administrators, and developers a state-of-the-art platform for building and maintaining highly secure solutions. Now that SELinux is included in the Linux 2.6 kerneland delivered by default in Fedora Core, Red Hat Enterprise Linux, and other major distributionsit's easier than ever to take advantage of its benefits.


SELinux by Example is the first complete, hands-on guide to using SELinux in production environments. Authored by three leading SELinux researchers and developers, it illuminates every facet of working with SELinux, from its architecture and security object model to its policy language. The book thoroughly explains SELinux sample policies including the powerful new Reference Policyshowing how to quickly adapt them to your unique environment. It also contains a comprehensive SELinux policy language reference and covers exciting new features in Fedora Core 5 and the upcoming Red Hat Enterprise Linux version 5.


• Thoroughly understand SELinux's access control and security mechanisms

• Use SELinux to construct secure systems from the ground up

• Gain fine-grained control over kernel resources

• Write policy statements for type enforcement, roles, users, and constraints

• Use optional multilevel security to enforce information classification and manage users with diverse clearances

• Create conditional policies that can be changed on-the-fly

• Define, manage, and maintain SELinux security policies

• Develop and write new SELinux security policy modules

• Leverage emerging SELinux technologies to gain even greater flexibility

• Effectively administer any SELinux system

book cover
SELinux by Example: Using Security Enhanced Linux
By Frank Mayer,, Karl MacMillan,, David Caplan
Publisher: Prentice Hall
Pub Date: July 27, 2006
Print ISBN-10: 0-131-96369-4
Print ISBN-13: 978-0-13-196369-6
Pages: 456

Table of Contents  | Index

   Prentice Hall Open Source Software Development Series
   About the Authors
    Part I:  SELinux Overview
      Chapter 1.  Background
      Section 1.1.  The Inevitability of Software Failure
      Section 1.2.  The Evolution of Access Control Security in Operating Systems
      Section 1.3.  Summary
      Chapter 2.  Concepts
      Section 2.1.  Security Contexts for Type Enforcement
      Section 2.2.  Type Enforcement Access Control
      Section 2.3.  The Role of Roles
      Section 2.4.  Multilevel Security in SELinux
      Section 2.5.  SELinux Features Familiarization
      Section 2.6.  Summary
      Chapter 3.  Architecture
      Section 3.1.  The Kernel Architecture
      Section 3.2.  Userspace Object Managers
      Section 3.3.  SELinux Policy Language
      Section 3.4.  Summary
    Part II:  SELinux Policy Language
      Chapter 4.  Object Classes and Permissions
      Section 4.1.  Purpose of Object Classes in SELinux
      Section 4.2.  Defining Object Classes in SELinux Policy
      Section 4.3.  Available Object Classes
      Section 4.4.  Object Class Permission Examples
      Section 4.5.  Exploring Object Classes with Apol
      Section 4.6.  Summary
      Chapter 5.  Type Enforcement
      Section 5.1.  Type Enforcement
      Section 5.2.  Types, Attributes, and Aliases
      Section 5.3.  Access Vector Rules
      Section 5.4.  Type Rules
      Section 5.5.  Exploring Type Enforcement Rules with Apol
      Section 5.6.  Summary
      Chapter 6.  Roles and Users
      Section 6.1.  Role-Based Access Control in SELinux
      Section 6.2.  Roles and Role Statements
      Section 6.3.  Users and User Statements
      Section 6.4.  Exploring Roles and Users with Apol
      Section 6.5.  Summary
      Chapter 7.  Constraints
      Section 7.1.  A Closer Look at the Access Decision Algorithm
      Section 7.2.  Constrain Statement
      Section 7.3.  Label Transition Constraints
      Section 7.4.  Summary
      Chapter 8.  Multilevel Security
      Section 8.1.  Multilevel Security Constraints
      Section 8.2.  Security Contexts with MLS
      Section 8.3.  MLS Constraints
      Section 8.4.  Other Impacts of MLS
      Section 8.5.  Summary
      Chapter 9.  Conditional Policies
      Section 9.1.  Overview of Conditional Policies
      Section 9.2.  Boolean Variables
      Section 9.3.  Conditional Statements
      Section 9.4.  Examining Booleans and Conditional Policies with Apol
      Section 9.5.  Summary
      Chapter 10.  Object Labeling
      Section 10.1.  Introduction to Object Labeling
      Section 10.2.  File-Related Object Labeling
      Section 10.3.  Network and Socket Object Labeling
      Section 10.4.  System V IPC
      Section 10.5.  Miscellaneous Object Labeling
      Section 10.6.  Initial Security Identifiers
      Section 10.7.  Exploring Object Labeling with Apol
      Section 10.8.  Summary
    Part III:  Creating and Writing SELinux Security Policies
      Chapter 11.  Original Example Policy
      Section 11.1.  Methods for Managing the Build Process
      Section 11.2.  Strict Example Policy
      Section 11.3.  Targeted Example Policy
      Section 11.4.  Summary
      Chapter 12.  Reference Policy
      Section 12.1.  Goals of the Reference Policy
      Section 12.2.  Overview of Policy Source File Structure
      Section 12.3.  Design Principles
      Section 12.4.  Examining a Reference Policy Module
      Section 12.5.  Build Options for Reference Policy
      Section 12.6.  Summary
      Chapter 13.  Managing an SELinux System
      Section 13.1.  SELinux Configuration and Policy Management Files
      Section 13.2.  Impact of SELinux on System Administration
      Section 13.3.  Summary
      Chapter 14.  Writing Policy Modules
      Section 14.1.  Overview of Writing a Policy Module
      Section 14.2.  Preparation and Planning
      Section 14.3.  Creating an Initial Policy Module
      Section 14.4.  Testing and Analyzing the Policy
      Section 14.5.  Emerging Policy Development Tools
      Section 14.6.  Complete IRC Daemon Module Listings
      Section 14.7.  Summary
      Appendix A.  Obtaining SELinux Sample Policies
      Section A.1.  Example Policy
      Section A.2.  Reference Policy
      Appendix B.  Participation and Further Information
      Section B.1.  The SELinux Mail List
      Section B.2.  The Annual SELinux Symposium
      Section B.3.  The NSA The
      Section B.4.  Tresys Technology
      Section B.5.  Open Source Projects
      Section B.6.  The SELinux IRC Channel
      Section B.7.  The Fedora Core Site
      Section B.8.  Hardened Gentoo
      Section B.9.  Other Related Security Information
      Appendix C.  Object Classes and Permissions
      Section C.1.  Common Permission Sets
      Section C.2.  Object Classes and Defined Permission Sets
      Appendix D.  SELinux Commands and Utilities
      Section D.1.  System Utilities
      Section D.2.  SETools Suite
      Section D.3.  Other SELinux Tools