Copyright
Prentice Hall Open Source Software Development Series
Acknowledgments
About the Authors
Preface

Part I: SELinux Overview
    Chapter 1. Background
        Section 1.1. The Inevitability of Software Failure
        Section 1.2. The Evolution of Access Control Security in Operating Systems
        Section 1.3. Summary
        Exercises
    Chapter 2. Concepts
        Section 2.1. Security Contexts for Type Enforcement
        Section 2.2. Type Enforcement Access Control
        Section 2.3. The Role of Roles
        Section 2.4. Multilevel Security in SELinux
        Section 2.5. SELinux Features Familiarization
        Section 2.6. Summary
        Exercises
    Chapter 3. Architecture
        Section 3.1. The Kernel Architecture
        Section 3.2. Userspace Object Managers
        Section 3.3. SELinux Policy Language
        Section 3.4. Summary
        Exercises

Part II: SELinux Policy Language
    Chapter 4. Object Classes and Permissions
        Section 4.1. Purpose of Object Classes in SELinux
        Section 4.2. Defining Object Classes in SELinux Policy
        Section 4.3. Available Object Classes
        Section 4.4. Object Class Permission Examples
        Section 4.5. Exploring Object Classes with Apol
        Section 4.6. Summary
        Exercises
    Chapter 5. Type Enforcement
        Section 5.1. Type Enforcement
        Section 5.2. Types, Attributes, and Aliases
        Section 5.3. Access Vector Rules
        Section 5.4. Type Rules
        Section 5.5. Exploring Type Enforcement Rules with Apol
        Section 5.6. Summary
        Exercises
    Chapter 6. Roles and Users
        Section 6.1. Role-Based Access Control in SELinux
        Section 6.2. Roles and Role Statements
        Section 6.3. Users and User Statements
        Section 6.4. Exploring Roles and Users with Apol
        Section 6.5. Summary
        Exercises
    Chapter 7. Constraints
        Section 7.1. A Closer Look at the Access Decision Algorithm
        Section 7.2. Constrain Statement
        Section 7.3. Label Transition Constraints
        Section 7.4. Summary
        Exercises
    Chapter 8. Multilevel Security
        Section 8.1. Multilevel Security Constraints
        Section 8.2. Security Contexts with MLS
        Section 8.3. MLS Constraints
        Section 8.4. Other Impacts of MLS
        Section 8.5. Summary
        Exercises
    Chapter 9. Conditional Policies
        Section 9.1. Overview of Conditional Policies
        Section 9.2. Boolean Variables
        Section 9.3. Conditional Statements
        Section 9.4. Examining Booleans and Conditional Policies with Apol
        Section 9.5. Summary
        Exercises
    Chapter 10. Object Labeling
        Section 10.1. Introduction to Object Labeling
        Section 10.2. File-Related Object Labeling
        Section 10.3. Network and Socket Object Labeling
        Section 10.4. System V IPC
        Section 10.5. Miscellaneous Object Labeling
        Section 10.6. Initial Security Identifiers
        Section 10.7. Exploring Object Labeling with Apol
        Section 10.8. Summary
        Exercises

Part III: Creating and Writing SELinux Security Policies
    Chapter 11. Original Example Policy
        Section 11.1. Methods for Managing the Build Process
        Section 11.2. Strict Example Policy
        Section 11.3. Targeted Example Policy
        Section 11.4. Summary
        Exercises
    Chapter 12. Reference Policy
        Section 12.1. Goals of the Reference Policy
        Section 12.2. Overview of Policy Source File Structure
        Section 12.3. Design Principles
        Section 12.4. Examining a Reference Policy Module
        Section 12.5. Build Options for Reference Policy
        Section 12.6. Summary
        Exercises
    Chapter 13. Managing an SELinux System
        Section 13.1. SELinux Configuration and Policy Management Files
        Section 13.2. Impact of SELinux on System Administration
        Section 13.3. Summary
        Exercises
    Chapter 14. Writing Policy Modules
        Section 14.1. Overview of Writing a Policy Module
        Section 14.2. Preparation and Planning
        Section 14.3. Creating an Initial Policy Module
        Section 14.4. Testing and Analyzing the Policy
        Section 14.5. Emerging Policy Development Tools
        Section 14.6. Complete IRC Daemon Module Listings
        Section 14.7. Summary

Appendix A. Obtaining SELinux Sample Policies
    Section A.1. Example Policy
    Section A.2. Reference Policy
Appendix B. Participation and Further Information
    Section B.1. The SELinux Mail List
    Section B.2. The Annual SELinux Symposium
    Section B.3. The NSA The
    Section B.4. Tresys Technology
    Section B.5. Open Source Projects
    Section B.6. The SELinux IRC Channel
    Section B.7. The Fedora Core Site
    Section B.8. Hardened Gentoo
    Section B.9. Other Related Security Information
Appendix C. Object Classes and Permissions
    Section C.1. Common Permission Sets
    Section C.2. Object Classes and Defined Permission Sets
Appendix D. SELinux Commands and Utilities
    Section D.1. System Utilities
    Section D.2. SETools Suite
    Section D.3. Other SELinux Tools

Index