9.11 The Road Ahead

     

Having completed this chapter, you know quite a bit about SELinux and typical SELinux policies. If you're content to run only relatively popular applications and prefer to rely on others for assistance in troubleshooting and fixing the occasional problems that you're likely to run into when using SELinux, you'll know pretty much all you need to know.

But typical Linux users are seldom so complacent. Those who desire even greater control over their computing affairs have merely begun to learn what they need to know about SELinux. This book has covered the fundamentals. But the SELinux policy is a sophisticated software unit whose mastery demands significant study and experimentation. Moreover, SELinux is still a relatively new software product and is constantly undergoing change. So in working with SELinux, you should anticipate that you will encounter many interesting puzzles and challenges. If you resemble the typical Linux user, you'll enjoy tackling and overcoming these. You should also anticipate that your growing SELinux expertise will enable you to better secure your systems and applications, which should help you, and your management, sleep more soundly.

SELinux and the SELinux sample policy are powerful tools for securing systems. But like other security tools, their proper installation and ongoing use demand significant expertise. From this book, you can learn how SELinux works and the syntax and semantics of the SELinux policy language. But mastery of SELinux demands thorough understanding of the policy domains associated with principal programs and applications installed on your systems. And since SELinux and its policies are regularly updated and improved, understanding arises only from an ongoing process of study and learning.

Here are some tips for developing a progressively greater understanding of SELinux:

  • Maintain at least one system dedicated to testing new and revised SELinux policies and releases.

  • Begin a study of the TE files associated with important programs and applications.

  • Regularly review postings to relevant e-mail lists such as fedora-selinux-list@redhat.com and SELinux@tycho.nsa.gov.

  • Experiment by creating new policies and observing the results.

May all your policies build correctly the first time and authorize neither too few nor too many permissions!



SELinux. NSA's Open Source Security Enhanced Linux
ISBN: 0596007167
EAN: 2147483647
Year: 2003
Pages: 100
Authors: Bill McCarty
