SELinux by Example: Using Security Enhanced Linux (Prentice Hall Open Source Software Development Series)

Paperback (Print)
Buy New
Buy New from BN.com
$35.02
Used and New from Other Sellers
Used and New from Other Sellers
from $10.10
Usually ships in 1-2 business days
(Save 79%)
Other sellers (Paperback)
  • All (11) from $10.10   
  • New (5) from $33.07   
  • Used (6) from $10.10   

Overview

SELinux: Bring World-Class Security to Any Linux Environment!

SELinux offers Linux/UNIX integrators, administrators, and developers a state-of-the-art platform for building and maintaining highly secure solutions. Now that SELinux is included in the Linux 2.6 kernel—and delivered by default in Fedora Core, Red Hat Enterprise Linux, and other major distributions—it’s easier than ever to take advantage
of its benefits.

SELinux by Example is the first complete, hands-on guide to using SELinux in production environments. Authored by three leading SELinux researchers and developers, it illuminates every facet of working with SELinux, from its architecture and security object model to its policy language. The book thoroughly explains SELinux sample policies— including the powerful new Reference Policy—showing how to quickly adapt them to your unique environment. It also contains a comprehensive SELinux policy language reference and covers exciting new features in Fedora Core 5 and the upcoming Red Hat Enterprise Linux version 5.

• Thoroughly understand SELinux’s access control and security mechanisms

• Use SELinux to construct secure systems from the ground up

• Gain fine-grained control over kernel resources

• Write policy statements for type enforcement, roles, users, and constraints

• Use optional multilevel security to enforce information classification and manage users with diverse clearances

• Create conditional policies that can be changed on-the-fly

• Define, manage, and maintain SELinux security policies

• Develop and write new SELinux security policy modules

• Leverage emerging SELinux technologies to gain even greater flexibility

• Effectively administer any SELinux system

Read More Show Less

Editorial Reviews

From the Publisher

"The three authors are well versed in the topic and comprise the best team to write on SELinux that you could find. Even though it is written as a straightforward text - as opposed to a study guide - I appreciate how each chapter ends with a summary and then exercises to reinforce what you've just finished reading. "--Emmett Dulaney, Editor, UnixReview.com

"This is a very good book and is easily the best I've seen yet on the subject of SELinux. If you've been tasked with maintaining an SELinux-enabled machine, would like to write or enhance existing SELinux policy, or just want to understand what SELinux is and how it came to be, then this is the book for you. "--Ryan Maple, Reviewer, LinuxSecurity.com

Read More Show Less

Product Details

Meet the Author

Frank Mayer is cofounder and Chief Technology Officer of Tresys Technology, and has 23 years of experience in the design, development, and analysis of secure oper­ating systems. He has been an active contributor to SELinux for six years, and has initiated and participated in the development of many new SELinux innovations and tools. He also chairs the annual SELinux Symposium. Frank has published many papers on secure and trustworthy operating systems, and has also explored security in parallel computing, networks, and enterprise applications.

Karl MacMillan is an active contributor in the SELinux community and has led the development of many important SELinux features. He is also a sought after speaker and consultant, and has helped many individuals and organizations under­stand and apply strong computer security with SELinux. Previous to his work on SELinux, Karl made important contributions in the fields of pattern recognition and evolutionary computing as applied to document and audio recognition, where he has numerous published papers.

David Caplan is a senior security engineer at Tresys Technology with over 20 years of experience in computer security and a wide range of other programming- and software-related areas. He has worked with SELinux for six years as a contributor to many of the SELinux-related open source projects and has led multiple efforts in analyzing and constructing SELinux policy for a variety of systems.

Read More Show Less

Read an Excerpt

PrefacePreface

This book is based on our many years of working with, deploying, and helping evolve Security Enhanced Linux (SELinux). We have also created technical courses on SELinux, and in our teaching experience we have found that it is difficult to introduce entirely new and foreign notions of computer security to a new audience. In this book, we think we achieved a good balance between conceptual overview versus concrete, hands-on examples.

Another challenge with this book is that SELinux is a new technology; although it has been incorporated into mainstream Linux distributions, it is still evolving. We and others have many innovative ongoing research and development projects to enhance SELinux in many ways. In this book, we face the challenge of describing a moving target. Fortunately, the core concepts of SELinux are fairly well established, and at least the kernel portion of the security enhancements are changing at a manageable pace. For the newer work, we describe the emerging technologies we believe are most important.

Audience

This book is primarily aimed at the person who most needs to make use of the security enhancements that SELinux brings to Linux. As you will see, this person is primarily interested in understanding, writing, modifying, and/or managing SELinux policies. You are such a person if you want to use SELinux to enhance the security of your application, system, or network.

To make effective use of this book, you should have a good understanding of Linux/UNIX systems. The more familiar you are with the interworkings of the Linux kernel and key services, the easier it will be for you to understand the security object model that SELinux uses. However, as long as you have good working knowledge of Linux, its conventions, and filesystem layout, and/or its programming paradigms, you should have no problem with the material of this book.

Users of systems that include SELinux (for example, Red Hat Enterprise Linux, Fedora Core, Gentoo, and Debian) will also find this book helpful. Although most users and system administrators will not likely write SELinux policy, understanding the SELinux policy language and security model will give you greater insights into the power of SELinux to afford you greater security.

What You Will Learn

This book is all about writing SELinux security policies to make effective use of the security enhancements SELinux brings to Linux. That sounds simple, but in reality, you have to learn new ideas and understand the SELinux policy language before you can help you understand how to effectively use these enhancements.

We divide the book into three parts around the learning steps you, as a student of SELinux, will traverse. The specific topics are as follows:

  • Part I

    Overview of mandatory access control

    Type enforcement concepts and applications

    SELinux architecture and mechanisms

  • Part II

    Details of the SELinux native policy language syntax and semantics

    Object labeling in SELinux

  • Part III

    Two primary methods developed to build SELinux policies: the example policy and the reference policy

    Impacts of SELinux on system administration

    How to write policy modules for SELinux

Our goal is to help you understand the details involved in SELinux so that you can create secure systems. Given the young nature of SELinux, we necessarily provide you with all the gory details of the low-level policy language. Remember, however, that much work is ongoing to make it easier to build secure systems without knowing all the low-level details. Where appropriate, we discuss this evolving work and help you understand how to write secure policies that can pass the scrutiny of independent review.

Each chapter concludes with a summary of the key points we discuss in the chapter and exercises to reinforce your understanding of these points. Exercises range from thought experiments, to hands-on exploration, to modification of real security policies. They all will help enhance your understanding of SELinux.

Summary of Chapters

We divided this book into three parts, each of which contains several chapters:

Part I, "SELinux Overview." This part provides the background of SELinux evolution and an overview of its security concepts and architecture.

Chapter 1, "Background." In this chapter, we discuss the evolution of access control in operating systems, kinds of access control mechanisms, their strengths and weaknesses, and the kind of access control SELinux brings to Linux.

Chapter 2, "Concepts." In this chapter, we provide a conceptual overview of SELinux security mechanisms in the form of a detailed tutorial. This chapter is a good, concise discussion of the security enhancements SELinux brings to Linux.

Chapter 3, "Architecture." In this chapter, we provide an overview of the SELinux architecture and implementation and an overview of the policy language architecture.

Part II, "SELinux Policy Language." This part contains a detailed description of the entire SELinux policy language syntax and semantics. Each chapter addresses a portion of the language. This part of the book can be viewed as a policy language reference.

Chapter 4, "Object Classes and Permissions." In this chapter, we describe how SELinux controls kernel resources using object classes and defines fine-grained permissions to those object classes.

Chapter 5, "Type Enforcement Policy." In this chapter, we describe all the core policy language rules and statements that enable us to write a type enforcement policy. Type enforcement is the central access control feature of SELinux.

Chapter 6, "Roles and Users." In this chapter, we discuss the SELinux role-based access control mechanism and how roles and users in the policy language support the type enforcement policy.

Chapter 7, "Constraints." In this chapter, we discuss the constraint feature of the SELinux policy language, which is a means to provide restrictions within the policy that support the type of enforcement policy.

Chapter 8, "Multilevel Security." In this chapter, we describe the policy language features that allow for optional multilevel security access controls in addition to the core type of enforcement access controls.

Chapter 9, "Conditional Policies." In this chapter, we discuss an enhancement to the policy language that enables us to make portions of the type enforcement policy conditional on Boolean expressions whose values can be changed during the course of operation on a production system.

Chapter 10, "Object Labeling." In this chapter, we finish our discussion of the policy language by examining how objects are labeled and how we manage those labels in support of SELinux-enhanced access control.

Part III, "Creating and Writing SELinux Security Policies." In this final part, we show you how to make use of the policy language, discussing methods for building security policies and insights into administering an SELinux system and writing and debugging SELinux policy modules.

Chapter 11, "Original Example Policy." In this chapter, we discuss the example policy, which is a method (source files, build tools and conventions, and so on) for building an SELinux policy that has evolved over the years from the original example policy released with SELinux by the National Security Agency. Fedora Core 4 and Red Hat Enterprise Linux come standard with policies based on the example policy.

Chapter 12, "Reference Policy." In this chapter, we discuss a new method for building an SELinux policy that provides all the features of the example policy along with support for emerging SELinux technology. The more recent Fedora Core 5 uses reference policy as its policy foundation.

Chapter 13, "Managing an SELinux System." In this chapter, we discuss how SELinux impacts the administration of a Linux system.

Chapter 14, "Writing Policy Modules." In this final chapter, we bring all that you have learned throughout the book into a guided tour on writing a policy module for both the example and reference policies.

Appendixes. We have included several appendixes with additional reference material:

Appendix A, "Obtaining SELinux Sample Policies." This appendix provides instructions on how to obtain the sample policy source files we discuss in this book.

Appendix B, "Participation and Further Information." This chapter lists sources of additional information on SELinux and describes how you can further participate in the development of SELinux.

Appendix C, "Object Class Reference." This chapter provides a detailed dictionary of all SELinux kernel object classes and associated permissions.

Appendix D, "SELinux Commands and Utilities." This chapter provides a summary of utilities and third-party tools available to help with developing SELinux policies and managing SELinux systems.

How to Use This Book

Rarely does one read a technical book cover to cover. Most people want to understand a particular item or begin exploring the technology as soon as possible. Although reading the book cover to cover is certainly an option, we also recommend an alternative strategy.

Thoroughly read and understand Part I (Chapters 1–3); this part provides you with the necessary background and conceptual insights to understand SELinux. In particular, carefully read and study Chapter 2. You may want to skim Part II (Chapters 4–10) to get a sense of the content of these chapters. These chapters are loaded with the details of the SELinux policy language. For most people, there are too many details to absorb as part of a strategy to first learn about SELinux. As a strategy, you might want to carefully read Chapter 5 and skim Chapters 4 and 10. These chapters cover the SELinux policy language elements that are most used by policy writers. Finally, read the chapters of Part III (Chapters 11–14) that address the issues in which you are interested. Use Part II as a reference as you read these chapters.

Sidebars, Notes, Warnings, and Tips

We make extensive use of sidebars and notes throughout this book to provide additional information or emphasis on certain items. We also include a number of warnings and tips. Following are the conventional purposes for each of these within this book:

  • Sidebars. We use sidebars primarily for two purposes. First, we use them for additional information that is not directly covered within the main text of the chapter. For example, we use sidebars to highlight differences between various versions of SELinux or to discuss in detail a particular concept that might be of interest to the reader. We also use sidebars to document the complete syntax of all SELinux policy language statements throughout Part II. These syntax sidebars provide a quick reference for the various policy language elements.
  • Notes. We use notes to provide additional emphasis on certain points. Usually notes are short items of additional clarification or detail.
  • Warnings. Warnings are used much like notes except that they emphasize something that requires additional caution or strong emphasis.
  • Tips. Tips provide quick hints and suggestions about how to perform a given function or make something easier.
Typographical Conventions

All technical books must use some form of typographical convention to better communicate with the reader. This is especially true due to heavy overloading of terminology, and SELinux is no different. In general, we use italics to introduce a key concept at the point where we define the concept (usually first use or near the first use). We also use italics for emphasis. For a particularly strong point of emphasis, we use a bold font.

Throughout this book, we use a fixed-width font for any SELinux policy language element (allow), user commands (ps, ls), or anything you would type or see on the computer.

For longer listings that show commands and their output, we use the Bourne shell standard prompts of # (for root shells) and $ (for ordinary user shells). User input (that is, something that you type) is also in bold and fix-width fonts in listings. For example:

# ls -lZ /etc/selinux/
-rw-r—r— root root system_u:object_r:selinux_config_t config
drwxr-xr-x root root system_u:object_r:selinux_config_t strict
drwxr-xr-x root root system_u:object_r:selinux_config_t targeted

When referring to library functions or system calls, we use the convention of including empty parentheses, such as execve(). We also use this convention for policy macros that take arguments, such as domain_auto_trans(). When referring you to the Linux manual page for additional information on a command or function, we use the convention of italics for the command or function and enclose the manual section within parentheses; for example, make(1), execve(2).

Where to Get SELinux

SELinux is supported in several Linux distributions, including Red Hat Enterprise Linux, Red Hat Fedora Core, Gentoo, and Debian. Fedora Core has been the central platform around which the SELinux community has tested and integrated most of its innovations. Red Hat Enterprise Linux, version 4 (RHEL4), is the first large commercial distribution to fully support a version of SELinux. Nearly everything we discuss in this book is relevant to RHEL4 and other Linux distributions.

We chose to base this book on Fedora Core 4 (FC4), which is a version of Fedora Core released after RHEL4. Everything we discuss should work on an FC4 system. During the eight months it took us to write this book, FC4 evolved, was tested, and released. As we finish this book, Fedora Core 5 (FC5) was just released. FC5 incorporates many new SELinux innovations, many of which the authors had a principle role in developing. The new FC5 features are probably a good indicator of what is likely to show up in RHEL5. As much as practical, throughout this book we note new features and capabilities available in FC5 and not in FC4. Also, where applicable, we note features in FC4 that are not supported in the older RHEL4.

If you are an enterprise user or developer, you are likely using RHEL4 or planning to use RHEL5. We currently use RHEL4 for our enterprise developments and products. If you are an SELinux developer or early adopter, you are probably using a version of Fedora Core or some other distribution. In all cases, this book should provide you extensive information about how to use SELinux and develop SELinux policies.

How to Get the Book's Sample Policies

Throughout this book, we give example pieces of SELinux policies. These examples are based on the strict Fedora Core 4 policy as distributed by Red Hat. We discuss this policy in more detail in Chapter 11. FC4 comes standard with a targeted (and not strict) policy, so you must go through additional steps to get the policy upon which our examples are based. In Part III, we broaden our perspective on sample policies to include other types of policies. We provide instructions in Appendix A on how to get the sources for all the various sample policies we discuss in this book.

© Copyright Pearson Education. All rights reserved.

Read More Show Less

Table of Contents

Front Matter i

Preface xix

Chapter 1: Background 3

Chapter 2: Concepts 15

Chapter 3: Architecture 39

Chapter 4: Object Classes and Permissions 59

Chapter 5: Type Enforcement 89

Chapter 6: Roles and Users 129

Chapter 7: Constraints 149

Chapyer 8: Multilevel Security 163

Chapter 9: Conditional Policies 183

Chapter 10: Object Labeling 205

Chapter 11: Original Example Policy 239

Chapter 12: Reference Policy 265

Chapter 13: Managing an SELinux System 295

Chapter 14: Writing Policy Modules 325

Appendix A: Obtaining SELinux Sample Policies 363

Appendix B: Participation and Further Information 369

Appendix C: Object Classes and Permissions 375

Appendix D: SELinux Commands and Utilities 401

Index 409

Read More Show Less

Preface

Preface

This book is based on our many years of working with, deploying, and helping evolve Security Enhanced Linux (SELinux). We have also created technical courses on SELinux, and in our teaching experience we have found that it is difficult to introduce entirely new and foreign notions of computer security to a new audience. In this book, we think we achieved a good balance between conceptual overview versus concrete, hands-on examples.

Another challenge with this book is that SELinux is a new technology; although it has been incorporated into mainstream Linux distributions, it is still evolving. We and others have many innovative ongoing research and development projects to enhance SELinux in many ways. In this book, we face the challenge of describing a moving target. Fortunately, the core concepts of SELinux are fairly well established, and at least the kernel portion of the security enhancements are changing at a manageable pace. For the newer work, we describe the emerging technologies we believe are most important.

Audience

This book is primarily aimed at the person who most needs to make use of the security enhancements that SELinux brings to Linux. As you will see, this person is primarily interested in understanding, writing, modifying, and/or managing SELinux policies. You are such a person if you want to use SELinux to enhance the security of your application, system, or network.

To make effective use of this book, you should have a good understanding of Linux/UNIX systems. The more familiar you are with the interworkings of the Linux kernel and key services, the easier it will be for you to understand the security object model that SELinux uses. However, as long as you have good working knowledge of Linux, its conventions, and filesystem layout, and/or its programming paradigms, you should have no problem with the material of this book.

Users of systems that include SELinux (for example, Red Hat Enterprise Linux, Fedora Core, Gentoo, and Debian) will also find this book helpful. Although most users and system administrators will not likely write SELinux policy, understanding the SELinux policy language and security model will give you greater insights into the power of SELinux to afford you greater security.

What You Will Learn

This book is all about writing SELinux security policies to make effective use of the security enhancements SELinux brings to Linux. That sounds simple, but in reality, you have to learn new ideas and understand the SELinux policy language before you can help you understand how to effectively use these enhancements.

We divide the book into three parts around the learning steps you, as a student of SELinux, will traverse. The specific topics are as follows:

  • Part I

    Overview of mandatory access control

    Type enforcement concepts and applications

    SELinux architecture and mechanisms

  • Part II

    Details of the SELinux native policy language syntax and semantics

    Object labeling in SELinux

  • Part III

    Two primary methods developed to build SELinux policies: the example policy and the reference policy

    Impacts of SELinux on system administration

    How to write policy modules for SELinux

Our goal is to help you understand the details involved in SELinux so that you can create secure systems. Given the young nature of SELinux, we necessarily provide you with all the gory details of the low-level policy language. Remember, however, that much work is ongoing to make it easier to build secure systems without knowing all the low-level details. Where appropriate, we discuss this evolving work and help you understand how to write secure policies that can pass the scrutiny of independent review.

Each chapter concludes with a summary of the key points we discuss in the chapter and exercises to reinforce your understanding of these points. Exercises range from thought experiments, to hands-on exploration, to modification of real security policies. They all will help enhance your understanding of SELinux.

Summary of Chapters

We divided this book into three parts, each of which contains several chapters:

Part I, "SELinux Overview." This part provides the background of SELinux evolution and an overview of its security concepts and architecture.

Chapter 1, "Background." In this chapter, we discuss the evolution of access control in operating systems, kinds of access control mechanisms, their strengths and weaknesses, and the kind of access control SELinux brings to Linux.

Chapter 2, "Concepts." In this chapter, we provide a conceptual overview of SELinux security mechanisms in the form of a detailed tutorial. This chapter is a good, concise discussion of the security enhancements SELinux brings to Linux.

Chapter 3, "Architecture." In this chapter, we provide an overview of the SELinux architecture and implementation and an overview of the policy language architecture.

Part II, "SELinux Policy Language." This part contains a detailed description of the entire SELinux policy language syntax and semantics. Each chapter addresses a portion of the language. This part of the book can be viewed as a policy language reference.

Chapter 4, "Object Classes and Permissions." In this chapter, we describe how SELinux controls kernel resources using object classes and defines fine-grained permissions to those object classes.

Chapter 5, "Type Enforcement Policy." In this chapter, we describe all the core policy language rules and statements that enable us to write a type enforcement policy. Type enforcement is the central access control feature of SELinux.

Chapter 6, "Roles and Users." In this chapter, we discuss the SELinux role-based access control mechanism and how roles and users in the policy language support the type enforcement policy.

Chapter 7, "Constraints." In this chapter, we discuss the constraint feature of the SELinux policy language, which is a means to provide restrictions within the policy that support the type of enforcement policy.

Chapter 8, "Multilevel Security." In this chapter, we describe the policy language features that allow for optional multilevel security access controls in addition to the core type of enforcement access controls.

Chapter 9, "Conditional Policies." In this chapter, we discuss an enhancement to the policy language that enables us to make portions of the type enforcement policy conditional on Boolean expressions whose values can be changed during the course of operation on a production system.

Chapter 10, "Object Labeling." In this chapter, we finish our discussion of the policy language by examining how objects are labeled and how we manage those labels in support of SELinux-enhanced access control.

Part III, "Creating and Writing SELinux Security Policies." In this final part, we show you how to make use of the policy language, discussing methods for building security policies and insights into administering an SELinux system and writing and debugging SELinux policy modules.

Chapter 11, "Original Example Policy." In this chapter, we discuss the example policy, which is a method (source files, build tools and conventions, and so on) for building an SELinux policy that has evolved over the years from the original example policy released with SELinux by the National Security Agency. Fedora Core 4 and Red Hat Enterprise Linux come standard with policies based on the example policy.

Chapter 12, "Reference Policy." In this chapter, we discuss a new method for building an SELinux policy that provides all the features of the example policy along with support for emerging SELinux technology. The more recent Fedora Core 5 uses reference policy as its policy foundation.

Chapter 13, "Managing an SELinux System." In this chapter, we discuss how SELinux impacts the administration of a Linux system.

Chapter 14, "Writing Policy Modules." In this final chapter, we bring all that you have learned throughout the book into a guided tour on writing a policy module for both the example and reference policies.

Appendixes. We have included several appendixes with additional reference material:

Appendix A, "Obtaining SELinux Sample Policies." This appendix provides instructions on how to obtain the sample policy source files we discuss in this book.

Appendix B, "Participation and Further Information." This chapter lists sources of additional information on SELinux and describes how you can further participate in the development of SELinux.

Appendix C, "Object Class Reference." This chapter provides a detailed dictionary of all SELinux kernel object classes and associated permissions.

Appendix D, "SELinux Commands and Utilities." This chapter provides a summary of utilities and third-party tools available to help with developing SELinux policies and managing SELinux systems.

How to Use This Book

Rarely does one read a technical book cover to cover. Most people want to understand a particular item or begin exploring the technology as soon as possible. Although reading the book cover to cover is certainly an option, we also recommend an alternative strategy.

Thoroughly read and understand Part I (Chapters 1–3); this part provides you with the necessary background and conceptual insights to understand SELinux. In particular, carefully read and study Chapter 2. You may want to skim Part II (Chapters 4–10) to get a sense of the content of these chapters. These chapters are loaded with the details of the SELinux policy language. For most people, there are too many details to absorb as part of a strategy to first learn about SELinux. As a strategy, you might want to carefully read Chapter 5 and skim Chapters 4 and 10. These chapters cover the SELinux policy language elements that are most used by policy writers. Finally, read the chapters of Part III (Chapters 11–14) that address the issues in which you are interested. Use Part II as a reference as you read these chapters.

Sidebars, Notes, Warnings, and Tips

We make extensive use of sidebars and notes throughout this book to provide additional information or emphasis on certain items. We also include a number of warnings and tips. Following are the conventional purposes for each of these within this book:

  • Sidebars. We use sidebars primarily for two purposes. First, we use them for additional information that is not directly covered within the main text of the chapter. For example, we use sidebars to highlight differences between various versions of SELinux or to discuss in detail a particular concept that might be of interest to the reader. We also use sidebars to document the complete syntax of all SELinux policy language statements throughout Part II. These syntax sidebars provide a quick reference for the various policy language elements.
  • Notes. We use notes to provide additional emphasis on certain points. Usually notes are short items of additional clarification or detail.
  • Warnings. Warnings are used much like notes except that they emphasize something that requires additional caution or strong emphasis.
  • Tips. Tips provide quick hints and suggestions about how to perform a given function or make something easier.

Typographical Conventions

All technical books must use some form of typographical convention to better communicate with the reader. This is especially true due to heavy overloading of terminology, and SELinux is no different. In general, we use italics to introduce a key concept at the point where we define the concept (usually first use or near the first use). We also use italics for emphasis. For a particularly strong point of emphasis, we use a bold font.

Throughout this book, we use a fixed-width font for any SELinux policy language element (allow), user commands (ps, ls), or anything you would type or see on the computer.

For longer listings that show commands and their output, we use the Bourne shell standard prompts of # (for root shells) and $ (for ordinary user shells). User input (that is, something that you type) is also in bold and fix-width fonts in listings. For example:

# ls -lZ /etc/selinux/
-rw-r--r-- root root system_u:object_r:selinux_config_t config
drwxr-xr-x root root system_u:object_r:selinux_config_t strict
drwxr-xr-x root root system_u:object_r:selinux_config_t targeted

When referring to library functions or system calls, we use the convention of including empty parentheses, such as execve(). We also use this convention for policy macros that take arguments, such as domain_auto_trans(). When referring you to the Linux manual page for additional information on a command or function, we use the convention of italics for the command or function and enclose the manual section within parentheses; for example, make(1), execve(2).

Where to Get SELinux

SELinux is supported in several Linux distributions, including Red Hat Enterprise Linux, Red Hat Fedora Core, Gentoo, and Debian. Fedora Core has been the central platform around which the SELinux community has tested and integrated most of its innovations. Red Hat Enterprise Linux, version 4 (RHEL4), is the first large commercial distribution to fully support a version of SELinux. Nearly everything we discuss in this book is relevant to RHEL4 and other Linux distributions.

We chose to base this book on Fedora Core 4 (FC4), which is a version of Fedora Core released after RHEL4. Everything we discuss should work on an FC4 system. During the eight months it took us to write this book, FC4 evolved, was tested, and released. As we finish this book, Fedora Core 5 (FC5) was just released. FC5 incorporates many new SELinux innovations, many of which the authors had a principle role in developing. The new FC5 features are probably a good indicator of what is likely to show up in RHEL5. As much as practical, throughout this book we note new features and capabilities available in FC5 and not in FC4. Also, where applicable, we note features in FC4 that are not supported in the older RHEL4.

If you are an enterprise user or developer, you are likely using RHEL4 or planning to use RHEL5. We currently use RHEL4 for our enterprise developments and products. If you are an SELinux developer or early adopter, you are probably using a version of Fedora Core or some other distribution. In all cases, this book should provide you extensive information about how to use SELinux and develop SELinux policies.

How to Get the Book's Sample Policies

Throughout this book, we give example pieces of SELinux policies. These examples are based on the strict Fedora Core 4 policy as distributed by Red Hat. We discuss this policy in more detail in Chapter 11. FC4 comes standard with a targeted (and not strict) policy, so you must go through additional steps to get the policy upon which our examples are based. In Part III, we broaden our perspective on sample policies to include other types of policies. We provide instructions in Appendix A on how to get the sources for all the various sample policies we discuss in this book.

© Copyright Pearson Education. All rights reserved.

Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star

(0)

4 Star

(0)

3 Star

(0)

2 Star

(0)

1 Star

(0)

Your Rating:

Your Name: Create a Pen Name or

Barnes & Noble.com Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & Noble.com that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & Noble.com does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at BN.com or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation

Reminder:

  • - By submitting a review, you grant to Barnes & Noble.com and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Noble.com Terms of Use.
  • - Barnes & Noble.com reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & Noble.com also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on BN.com. It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

 
Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously
Sort by: Showing 1 Customer Reviews
  • Anonymous

    Posted September 15, 2006

    germane to your usage?

    If you are a linux or unix user, then you're probably pretty familiar with the permissions settings on files. It's a basic methodology that is essentially unchanged over 20 years or more or unix development. But its shortcomings have been just as well known to unix experts over that time. What Mayer et al demonstrate is that the latest linux 2.6 has a very interesting add-on. SELinux. It is incorporated by default. So if you're running linux 2.6, it's been present all along, hidden in the background. The book describes what it offers. A vastly improved and very granular security model. Based on the concept of type enforcement. It goes way beyond earlier implementations of Mandatory Access Control. The book can be heavy sledding if all this is new to you. Luckily, it describes a neat GUI tool, apol, that you can run as root. It can greatly assist understanding the use and making of rules. Most users and sysadmins of linux machines might still not require the active use of SELinux. There is a considerable investment in time needed, to understand and use it. Plus, most of the examples cited in the book refer to government or classified contexts. Outside these, you have to really ask yourself if it's germane to you.

    Was this review helpful? Yes  No   Report this review
Sort by: Showing 1 Customer Reviews

If you find inappropriate content, please report it to Barnes & Noble
Why is this product inappropriate?
Comments (optional)