
selinux cookbook.pdf

Cover
Copyright
Credits
About the Author
About the Reviewers
www.PacktPub.com
Table of Contents
Preface
Chapter 1: The SELinux Development Environment
Introduction
Creating the development environment
Building a simple SELinux module
Calling refpolicy interfaces
Creating our own interface
Using the refpolicy naming convention
Distributing SELinux policy modules
Chapter 2: Dealing with File Labels
Introduction
Defining file contexts through patterns
Using substitution definitions
Enhancing an SELinux policy with file transitions
Setting resource-sensitivity labels
Configuring sensitivity categories
Chapter 3: Confining Web Applications
Introduction
Listing conditional policy support
Enabling user directory support
Assigning web content types
Using different web server ports
Using custom content types
Creating a custom CGI domain
Setting up mod_selinux
Starting Apache with limited clearance
Mapping HTTP users to contexts
Using source address mapping to decide on contexts
Separating virtual hosts with mod_selinux
Chapter 4: Creating a Desktop Application Policy
Introduction
Researching the application's logical design
Creating a skeleton policy
Setting context definitions
Defining application role interfaces
Testing and enhancing the policy
Ignoring permissions we don't need
Creating application resource interfaces
Adding conditional policy rules
Adding build-time policy decisions
Chapter 5: Creating a Server Policy
Introduction
Understanding the service
Choosing resource types wisely
Differentiating policies based on use cases
Creating resource-access interfaces
Creating exec, run, and transition interfaces
Creating a stream-connect interface
Creating the administrative interface
Chapter 6: Setting Up Separate Roles
Introduction
Managing SELinux users
Mapping Linux users to SELinux users
Running commands in a specified role with sudo
Running commands in a specified role with runcon
Switching roles
Creating a new role
Initial role based on entry
Defining role transitions
Looking into access privileges
Chapter 7: Choosing the Confinement Level
Introduction
Finding common resources
Defining common helper domains
Documenting common privileges
Granting privileges to all clients
Creating a generic application domain
Building application-specific domains using templates
Using fine-grained application domain definitions
Chapter 8: Debugging SELinux
Introduction
Identifying whether SELinux is to blame
Analyzing SELINUX_ERR messages
Logging positive policy decisions
Looking through SELinux constraints
Ensuring an SELinux rule is never allowed
Using strace to clarify permission issues
Using strace against daemons
Auditing system behavior
Chapter 9: Aligning SELinux with DAC
Introduction
Assigning a different root location to regular services
Using a different root location for SELinux-aware applications
Sharing user content with file ACLs
Enabling polyinstantiated directories
Configuring capabilities instead of setuid binaries
Using group membership for role-based access
Backing up and restoring files
Governing application network access
Chapter 10: Handling SELinux-aware Applications
Introduction
Controlling D-Bus message flows
Restricting service ownership
Understanding udev's SELinux integration
Using cron with SELinux
Checking the SELinux state programmatically
Querying SELinux userland configuration in C
Interrogating the SELinux subsystem code-wise
Running new processes in a new context
Reading the context of a resource
Index
SELinux Cookbook

Over 70 hands-on recipes to develop fully functional policies to confine your applications and users using SELinux

Sven Vermeulen

BIRMINGHAM - MUMBAI
SELinux Cookbook

Copyright © 2014 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: September 2014
Production reference: 1180914

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.

ISBN 978-1-78398-966-9

www.packtpub.com

Cover image by Sarath Santhan (sarathsanthan@gmail.com)
Credits

Author: Sven Vermeulen
Reviewers: David Quigley, Sam Wilson, Jason Zaman, Lukáš Zapletal
Commissioning Editor: Usha Iyer
Acquisition Editor: Rebecca Youé
Content Development Editors: Kyle Albuquerque, Dayan Hyames, Sankalp Pawar
Technical Editor: Mrunal Chavan
Copy Editors: Sayanee Mukherjee, Karuna Narayanan, Laxmi Subramanian
Project Coordinator: Venitha Cutinho
Proofreaders: Simran Bhogal, Paul Hindle
Indexers: Priya Sane, Tejal Soni
Graphics: Valentina D'silva, Disha Haria
Production Coordinators: Aparna Bhagat, Komal Ramchandani
Cover Work: Komal Ramchandani
About the Author

Sven Vermeulen is a long-term contributor to various free software projects and the author of various online guides and resources. He got his first taste of free software in 1997 and never looked back. In 2003, he joined the ranks of the Gentoo Linux project as a documentation developer and has since worked in several roles, including Gentoo Foundation trustee, council member, project lead for various documentation projects, and (his current role) project lead for Gentoo Hardened SELinux integration and the system integrity project.

During this time, Sven gained expertise in several technologies, ranging from operating system level knowledge to application servers. He used his interest in security to guide his projects further in the areas of security guides using SCAP languages, mandatory access controls through SELinux, authentication with PAM, (application) firewalling, and more. Within SELinux, Sven contributed several policies to the Reference Policy project, and he is actively participating in the policy development and user space development projects.

In his daily job, Sven is an IT infrastructure architect with a European financial institution. The secure implementation of infrastructures (and the surrounding architectural integration) is, of course, an important part of this. Prior to this, he graduated as an MSE in Computer Engineering from Ghent University, and then worked as a web application infrastructure engineer using IBM WebSphere Application Server.

Sven is the main author of the Gentoo Handbook, which covers the installation and configuration of Gentoo Linux on several architectures. He has also authored the Linux Sea online publication, which is a basic introduction to Linux for novice system administrators, and SELinux System Administration, Packt Publishing, which covers SELinux for system administrators.

I would like to dedicate this book to my godfather and friend, Jo Jagers, who suddenly and unexpectedly passed away last year. He showed me the importance of friendship and the richness of life. His energetic approach to life is still an example to me. You will always be missed, my friend.
About the Reviewers

David Quigley started his career as a computer systems researcher for the National Information Assurance Research Lab at the NSA, where he worked as a member of the SELinux team. He led the design and implementation to provide Labeled NFS support for SELinux. He has previously contributed to the open source community by maintaining the Unionfs 1.0 code base and through code contributions to various other projects. He has presented at conferences such as the Ottawa Linux Symposium, the StorageSS workshop, LinuxCon, and several local Linux User Group meetings, where presentation topics included storage, filesystems, and security. David currently works as a Computer Science Professional for the Operations, Analytics, and Software Development (OASD) division at KEYW Corporation, developing innovative system software for Unix and Windows platforms.

I would like to thank my wonderful wife, Kathy, for all she has done to make sure I have the time to do things such as review this book and travel to give presentations on SELinux. She is the joy of my life and has helped me become the man I am today. I'd also like to thank all my children—Zoe, Jane, and the twins—who remind us to love and cherish the time we have as a family. Also, I thank my parents, Gary and Vicky, for supporting my decisions to change my educational direction and become a computer scientist, allowing me to be where I am today.

Sam Wilson is a systems and security engineer with a focus on Red Hat Enterprise Linux. Having spent 2 years working as an information security consultant and also having passed the Red Hat SELinux Policy Administration exam, he is often asked for SELinux advice within the teams he works with. Sam has been active in the GNU/Linux communities since early 2007 and has contributed to NTFreeNet, Darwin Community Arts, Ansible, and the Fedora project. Sam can be found online at www.cycloptivity.net.

Jason Zaman is a graduate from Carnegie Mellon University with a degree in Electrical and Computer Engineering. He has been interested in computers and open source and has used Linux since a young age. After using Gentoo Linux for many years, he has now joined the Gentoo Hardened and SELinux projects as a developer. Currently, he works in a start-up company mainly doing Android development and system administration to maintain the servers.

Lukáš Zapletal works as a software engineer in the cloud division of Red Hat, where he develops the Satellite 6.0 product and is also responsible for the SELinux policies of the product. He is part of the Fedora, Foreman, Katello, and OpenStack communities. He worked as an Editor in Chief at Linux+ and cofounded the LinuxEXPRES (Czech) magazine. Red Hat is the world's leading provider of open source solutions, using a community-powered approach to provide reliable and high-performing cloud, virtualization, storage, Linux, and middleware technologies.

I'd like to thank Mirek Grepl and Dan Walsh from the Red Hat SELinux team for all their answers, and my family, Broňa and Ondra, for allowing me to review this amazing book.
www.PacktPub.com

Support files, eBooks, discount offers, and more

You might want to visit www.PacktPub.com for support files and downloads related to your book.

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at service@packtpub.com for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

http://PacktLib.PacktPub.com

Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can access, read and search across Packt's entire library of books.

Why subscribe?
- Fully searchable across every book published by Packt
- Copy and paste, print and bookmark content
- On demand and accessible via web browser

Free access for Packt account holders

If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view nine entirely free books. Simply use your login credentials for immediate access.