This book is based on our many years of working with, deploying, and helping evolve Security Enhanced Linux (SELinux). We have also created technical courses on SELinux, and in our teaching experience we have found that it is difficult to introduce entirely new and foreign notions of computer security to a new audience. In this book, we think we achieved a good balance between conceptual overview and concrete, hands-on examples. Another challenge with this book is that SELinux is a new technology; although it has been incorporated into mainstream Linux distributions, it is still evolving. We and others have many innovative ongoing research and development projects to enhance SELinux in many ways. In this book, we face the challenge of describing a moving target. Fortunately, the core concepts of SELinux are fairly well established, and at least the kernel portion of the security enhancements is changing at a manageable pace. For the newer work, we describe the emerging technologies we believe are most important.

Audience

This book is primarily aimed at the person who most needs to make use of the security enhancements that SELinux brings to Linux. As you will see, this person is primarily interested in understanding, writing, modifying, and/or managing SELinux policies. You are such a person if you want to use SELinux to enhance the security of your application, system, or network. To make effective use of this book, you should have a good understanding of Linux/UNIX systems. The more familiar you are with the inner workings of the Linux kernel and key services, the easier it will be for you to understand the security object model that SELinux uses. However, as long as you have good working knowledge of Linux, its conventions, its filesystem layout, and/or its programming paradigms, you should have no problem with the material of this book.
Users of systems that include SELinux (for example, Red Hat Enterprise Linux, Fedora Core, Gentoo, and Debian) will also find this book helpful. Although most users and system administrators will not likely write SELinux policy, understanding the SELinux policy language and security model will give you greater insight into the power of SELinux to afford you greater security.

What You Will Learn

This book is all about writing SELinux security policies to make effective use of the security enhancements SELinux brings to Linux. That sounds simple, but in reality, you have to learn new ideas and understand the SELinux policy language before you can understand how to effectively use these enhancements. We divide the book into three parts around the learning steps you, as a student of SELinux, will traverse. The specific topics are as follows:
Our goal is to help you understand the details involved in SELinux so that you can create secure systems. Given the young nature of SELinux, we necessarily provide you with all the gory details of the low-level policy language. Remember, however, that much work is ongoing to make it easier to build secure systems without knowing all the low-level details. Where appropriate, we discuss this evolving work and help you understand how to write secure policies that can pass the scrutiny of independent review. Each chapter concludes with a summary of the key points we discuss in the chapter and exercises to reinforce your understanding of these points. Exercises range from thought experiments, to hands-on exploration, to modification of real security policies. They all will help enhance your understanding of SELinux.

Summary of Chapters

We divided this book into three parts, each of which contains several chapters:

Part I, "SELinux Overview." This part provides the background of SELinux evolution and an overview of its security concepts and architecture.
Part II, "SELinux Policy Language." This part contains a detailed description of the entire SELinux policy language syntax and semantics. Each chapter addresses a portion of the language. This part of the book can be viewed as a policy language reference.
Part III, "Creating and Writing SELinux Security Policies." In this final part, we show you how to make use of the policy language, discussing methods for building security policies and insights into administering an SELinux system and writing and debugging SELinux policy modules.
Appendixes. We have included several appendixes with additional reference material:
How to Use This Book

Rarely does one read a technical book cover to cover. Most people want to understand a particular item or begin exploring the technology as soon as possible. Although reading the book cover to cover is certainly an option, we also recommend an alternative strategy. Thoroughly read and understand Part I (Chapters 1-3); this part provides you with the necessary background and conceptual insights to understand SELinux. In particular, carefully read and study Chapter 2. You may want to skim Part II (Chapters 4-10) to get a sense of the content of these chapters. These chapters are loaded with the details of the SELinux policy language. For most people, there are too many details to absorb as part of a strategy to first learn about SELinux. As a strategy, you might want to carefully read Chapter 5 and skim Chapters 4 and 10. These chapters cover the SELinux policy language elements that are most used by policy writers. Finally, read the chapters of Part III (Chapters 11-14) that address the issues in which you are interested. Use Part II as a reference as you read these chapters.

Sidebars, Notes, Warnings, and Tips

We make extensive use of sidebars and notes throughout this book to provide additional information or emphasis on certain items. We also include a number of warnings and tips. Following are the conventional purposes for each of these within this book:
Typographical Conventions

All technical books must use some form of typographical convention to better communicate with the reader. This is especially true given the heavy overloading of terminology in security, and SELinux is no different. In general, we use italics to introduce a key concept at the point where we define the concept (usually first use or near the first use). We also use italics for emphasis. For a particularly strong point of emphasis, we use a bold font. Throughout this book, we use a fixed-width font for any SELinux policy language element (allow), user commands (ps, ls), or anything you would type or see on the computer. For longer listings that show commands and their output, we use the Bourne shell standard prompts of # (for root shells) and $ (for ordinary user shells). User input (that is, something that you type) is also in bold and fixed-width fonts in listings. For example:

    # ls -lZ /etc/selinux/
    -rw-r--r--  root root system_u:object_r:selinux_config_t config
    drwxr-xr-x  root root system_u:object_r:selinux_config_t strict
    drwxr-xr-x  root root system_u:object_r:selinux_config_t targeted

When referring to library functions or system calls, we use the convention of including empty parentheses, such as execve(). We also use this convention for policy macros that take arguments, such as domain_auto_trans(). When referring you to the Linux manual page for additional information on a command or function, we use the convention of italics for the command or function and enclose the manual section within parentheses; for example, make (1), execve (2).

Where to Get SELinux

SELinux is supported in several Linux distributions, including Red Hat Enterprise Linux, Red Hat Fedora Core, Gentoo, and Debian. Fedora Core has been the central platform around which the SELinux community has tested and integrated most of its innovations. Red Hat Enterprise Linux, version 4 (RHEL4), is the first large commercial distribution to fully support a version of SELinux.
Nearly everything we discuss in this book is relevant to RHEL4 and other Linux distributions. We chose to base this book on Fedora Core 4 (FC4), which is a version of Fedora Core released after RHEL4. Everything we discuss should work on an FC4 system. During the eight months it took us to write this book, FC4 evolved, was tested, and was released. As we finish this book, Fedora Core 5 (FC5) has just been released. FC5 incorporates many new SELinux innovations, many of which the authors had a principal role in developing. The new FC5 features are probably a good indicator of what is likely to show up in RHEL5. As much as practical, throughout this book we note new features and capabilities available in FC5 and not in FC4. Also, where applicable, we note features in FC4 that are not supported in the older RHEL4. If you are an enterprise user or developer, you are likely using RHEL4 or planning to use RHEL5. We currently use RHEL4 for our enterprise developments and products. If you are an SELinux developer or early adopter, you are probably using a version of Fedora Core or some other distribution. In all cases, this book should provide you extensive information about how to use SELinux and develop SELinux policies.

How to Get the Book's Sample Policies

Throughout this book, we give example pieces of SELinux policies. These examples are based on the strict Fedora Core 4 policy as distributed by Red Hat. We discuss this policy in more detail in Chapter 11. FC4 comes standard with a targeted (and not strict) policy, so you must go through additional steps to get the policy upon which our examples are based. In Part III, we broaden our perspective on sample policies to include other types of policies. We provide instructions in Appendix A on how to get the sources for all the various sample policies we discuss in this book.