Preface


This book is based on our many years of working with, deploying, and helping evolve Security Enhanced Linux (SELinux). We have also created technical courses on SELinux, and in our teaching experience we have found that it is difficult to introduce entirely new and foreign notions of computer security to a new audience. In this book, we think we have achieved a good balance between conceptual overview and concrete, hands-on examples.

Another challenge with this book is that SELinux is a new technology; although it has been incorporated into mainstream Linux distributions, it is still evolving. We and others have many innovative ongoing research and development projects to enhance SELinux in many ways. In this book, we face the challenge of describing a moving target. Fortunately, the core concepts of SELinux are fairly well established, and at least the kernel portion of the security enhancements is changing at a manageable pace. For the newer work, we describe the emerging technologies we believe are most important.

Audience

This book is primarily aimed at the person who most needs to make use of the security enhancements that SELinux brings to Linux. As you will see, this person is primarily interested in understanding, writing, modifying, and/or managing SELinux policies. You are such a person if you want to use SELinux to enhance the security of your application, system, or network.

To make effective use of this book, you should have a good understanding of Linux/UNIX systems. The more familiar you are with the inner workings of the Linux kernel and key services, the easier it will be for you to understand the security object model that SELinux uses. However, as long as you have good working knowledge of Linux, its conventions, its filesystem layout, and/or its programming paradigms, you should have no problem with the material of this book.

Users of systems that include SELinux (for example, Red Hat Enterprise Linux, Fedora Core, Gentoo, and Debian) will also find this book helpful. Although most users and system administrators will not likely write SELinux policy, understanding the SELinux policy language and security model will give you greater insights into the power of SELinux to afford you greater security.

What You Will Learn

This book is all about writing SELinux security policies to make effective use of the security enhancements SELinux brings to Linux. That sounds simple, but in reality, you have to learn new ideas and understand the SELinux policy language before we can help you understand how to effectively use these enhancements.

We divide the book into three parts around the learning steps you, as a student of SELinux, will traverse. The specific topics are as follows:

  • Part I

    Overview of mandatory access control

    Type enforcement concepts and applications

    SELinux architecture and mechanisms

  • Part II

    Details of the SELinux native policy language syntax and semantics

    Object labeling in SELinux

  • Part III

    Two primary methods developed to build SELinux policies: the example policy and the reference policy

    Impacts of SELinux on system administration

    How to write policy modules for SELinux

Our goal is to help you understand the details involved in SELinux so that you can create secure systems. Given the young nature of SELinux, we necessarily provide you with all the gory details of the low-level policy language. Remember, however, that much work is ongoing to make it easier to build secure systems without knowing all the low-level details. Where appropriate, we discuss this evolving work and help you understand how to write secure policies that can pass the scrutiny of independent review.

Each chapter concludes with a summary of the key points we discuss in the chapter and exercises to reinforce your understanding of these points. Exercises range from thought experiments, to hands-on exploration, to modification of real security policies. They all will help enhance your understanding of SELinux.

Summary of Chapters

We divided this book into three parts, each of which contains several chapters:

Part I, "SELinux Overview." This part provides the background of SELinux evolution and an overview of its security concepts and architecture.

Chapter 1, "Background." In this chapter, we discuss the evolution of access control in operating systems, kinds of access control mechanisms, their strengths and weaknesses, and the kind of access control SELinux brings to Linux.

Chapter 2, "Concepts." In this chapter, we provide a conceptual overview of SELinux security mechanisms in the form of a detailed tutorial. This chapter is a good, concise discussion of the security enhancements SELinux brings to Linux.

Chapter 3, "Architecture." In this chapter, we provide an overview of the SELinux architecture and implementation and an overview of the policy language architecture.

Part II, "SELinux Policy Language." This part contains a detailed description of the entire SELinux policy language syntax and semantics. Each chapter addresses a portion of the language. This part of the book can be viewed as a policy language reference.

Chapter 4, "Object Classes and Permissions." In this chapter, we describe how SELinux controls kernel resources using object classes and defines fine-grained permissions to those object classes.

Chapter 5, "Type Enforcement Policy." In this chapter, we describe all the core policy language rules and statements that enable us to write a type enforcement policy. Type enforcement is the central access control feature of SELinux.

Chapter 6, "Roles and Users." In this chapter, we discuss the SELinux role-based access control mechanism and how roles and users in the policy language support the type enforcement policy.

Chapter 7, "Constraints." In this chapter, we discuss the constraint feature of the SELinux policy language, which is a means to provide restrictions within the policy that support the type enforcement policy.

Chapter 8, "Multilevel Security." In this chapter, we describe the policy language features that allow for optional multilevel security access controls in addition to the core type enforcement access controls.

Chapter 9, "Conditional Policies." In this chapter, we discuss an enhancement to the policy language that enables us to make portions of the type enforcement policy conditional on Boolean expressions whose values can be changed during the course of operation on a production system.

Chapter 10, "Object Labeling." In this chapter, we finish our discussion of the policy language by examining how objects are labeled and how we manage those labels in support of SELinux-enhanced access control.

Part III, "Creating and Writing SELinux Security Policies." In this final part, we show you how to make use of the policy language, discussing methods for building security policies and insights into administering an SELinux system and writing and debugging SELinux policy modules.

Chapter 11, "Original Example Policy." In this chapter, we discuss the example policy, which is a method (source files, build tools and conventions, and so on) for building an SELinux policy that has evolved over the years from the original example policy released with SELinux by the National Security Agency. Fedora Core 4 and Red Hat Enterprise Linux come standard with policies based on the example policy.

Chapter 12, "Reference Policy." In this chapter, we discuss a new method for building an SELinux policy that provides all the features of the example policy along with support for emerging SELinux technology. The more recent Fedora Core 5 uses reference policy as its policy foundation.

Chapter 13, "Managing an SELinux System." In this chapter, we discuss how SELinux impacts the administration of a Linux system.

Chapter 14, "Writing Policy Modules." In this final chapter, we bring all that you have learned throughout the book into a guided tour on writing a policy module for both the example and reference policies.

Appendixes. We have included several appendixes with additional reference material:

Appendix A, "Obtaining SELinux Sample Policies." This appendix provides instructions on how to obtain the sample policy source files we discuss in this book.

Appendix B, "Participation and Further Information." This appendix lists sources of additional information on SELinux and describes how you can further participate in the development of SELinux.

Appendix C, "Object Class Reference." This appendix provides a detailed dictionary of all SELinux kernel object classes and associated permissions.

Appendix D, "SELinux Commands and Utilities." This appendix provides a summary of utilities and third-party tools available to help with developing SELinux policies and managing SELinux systems.

How to Use This Book

Rarely does one read a technical book cover to cover. Most people want to understand a particular item or begin exploring the technology as soon as possible. Although reading the book cover to cover is certainly an option, we also recommend an alternative strategy.

Thoroughly read and understand Part I (Chapters 1-3); this part provides you with the necessary background and conceptual insights to understand SELinux. In particular, carefully read and study Chapter 2. You may want to skim Part II (Chapters 4-10) to get a sense of the content of these chapters. These chapters are loaded with the details of the SELinux policy language. For most people, there are too many details to absorb as part of a strategy to first learn about SELinux. As a strategy, you might want to carefully read Chapter 5 and skim Chapters 4 and 10. These chapters cover the SELinux policy language elements that are most used by policy writers. Finally, read the chapters of Part III (Chapters 11-14) that address the issues in which you are interested. Use Part II as a reference as you read these chapters.

Sidebars, Notes, Warnings, and Tips

We make extensive use of sidebars and notes throughout this book to provide additional information or emphasis on certain items. We also include a number of warnings and tips. Following are the conventional purposes for each of these within this book:

  • Sidebars. We use sidebars primarily for two purposes. First, we use them for additional information that is not directly covered within the main text of the chapter. For example, we use sidebars to highlight differences between various versions of SELinux or to discuss in detail a particular concept that might be of interest to the reader. We also use sidebars to document the complete syntax of all SELinux policy language statements throughout Part II. These syntax sidebars provide a quick reference for the various policy language elements.

  • Notes. We use notes to provide additional emphasis on certain points. Usually notes are short items of additional clarification or detail.

  • Warnings. Warnings are used much like notes except that they emphasize something that requires additional caution or strong emphasis.

  • Tips. Tips provide quick hints and suggestions about how to perform a given function or make something easier.

Typographical Conventions

All technical books must use some form of typographical convention to better communicate with the reader. This is especially true in fields with heavy overloading of terminology, and SELinux is no different. In general, we use italics to introduce a key concept at the point where we define the concept (usually first use or near the first use). We also use italics for emphasis. For a particularly strong point of emphasis, we use a bold font.

Throughout this book, we use a fixed-width font for any SELinux policy language element (allow), user commands (ps, ls), or anything you would type or see on the computer.

For longer listings that show commands and their output, we use the Bourne shell standard prompts of # (for root shells) and $ (for ordinary user shells). User input (that is, something that you type) is also in bold and fixed-width fonts in listings. For example:

    # ls -lZ /etc/selinux/
    -rw-r--r--  root  root  system_u:object_r:selinux_config_t  config
    drwxr-xr-x  root  root  system_u:object_r:selinux_config_t  strict
    drwxr-xr-x  root  root  system_u:object_r:selinux_config_t  targeted


When referring to library functions or system calls, we use the convention of including empty parentheses, such as execve(). We also use this convention for policy macros that take arguments, such as domain_auto_trans(). When referring you to the Linux manual page for additional information on a command or function, we use the convention of italics for the command or function and enclose the manual section within parentheses; for example, make (1), execve (2).

Where to Get SELinux

SELinux is supported in several Linux distributions, including Red Hat Enterprise Linux, Red Hat Fedora Core, Gentoo, and Debian. Fedora Core has been the central platform around which the SELinux community has tested and integrated most of its innovations. Red Hat Enterprise Linux, version 4 (RHEL4), is the first large commercial distribution to fully support a version of SELinux. Nearly everything we discuss in this book is relevant to RHEL4 and other Linux distributions.

We chose to base this book on Fedora Core 4 (FC4), which is a version of Fedora Core released after RHEL4. Everything we discuss should work on an FC4 system. During the eight months it took us to write this book, FC4 evolved, was tested, and was released. As we finished this book, Fedora Core 5 (FC5) had just been released. FC5 incorporates many new SELinux innovations, many of which the authors had a principal role in developing. The new FC5 features are probably a good indicator of what is likely to show up in RHEL5. As much as practical, throughout this book we note new features and capabilities available in FC5 and not in FC4. Also, where applicable, we note features in FC4 that are not supported in the older RHEL4.

If you are an enterprise user or developer, you are likely using RHEL4 or planning to use RHEL5. We currently use RHEL4 for our enterprise developments and products. If you are an SELinux developer or early adopter, you are probably using a version of Fedora Core or some other distribution. In all cases, this book should provide you extensive information about how to use SELinux and develop SELinux policies.

How to Get the Book's Sample Policies

Throughout this book, we give example pieces of SELinux policies. These examples are based on the strict Fedora Core 4 policy as distributed by Red Hat. We discuss this policy in more detail in Chapter 11. FC4 comes standard with a targeted (and not strict) policy, so you must go through additional steps to get the policy upon which our examples are based. In Part III, we broaden our perspective on sample policies to include other types of policies. We provide instructions in Appendix A on how to get the sources for all the various sample policies we discuss in this book.


SELinux by Example: Using Security Enhanced Linux
ISBN: 0131963694
Year: 2007