Getting started with SELinux System Administration

Name: Getting started with SELinux System Administration
Rating: 4.0 (83 reviews)

Ward off traditional security permissions and effectively secure your Linux systems with SELinux

Created byPackt Publishing

Last updated 5/2017

English

What you'll learn

Analyze SELinux events and selectively enable or disable SELinux enforcement
Manage Linux users and associate them with the right role and permission set
Secure network communications through SELinux access controls
Tune full-service flexibility by dynamically assigning resource labels

Course content

5 sections • 24 lectures • 3h 20m total length

The Course Overview3:51
This video gives an overview of the entire course.
Providing More Security to Linux12:37
A Linux user with access to sensitive information could easily leak that out to the public, manipulate the behavior of the application she or she launches, and do many other things that affect the security of the system. This video will show you how you could deal with this risk and provide more security to your system.
Labeling All Resources and Objects14:08
This video will show you how you could label the resources objects available to you and decide whether to allow or deny a particular action.
Defining and Distributing Policies8:07
Enabling SELinux does not automatically start the enforcement of access. If SELinux is enabled and it cannot find a policy, it will refuse to start. Let’s see how we could deal with this situation by defining and distributing Policies.
Distinguishing Between Policies7:30
It is recommended to consult the distribution documentation to verify what the proper name of the policy should be. Thus, it’s important to distinguish between Policies. This video will show you how you could do this.

Switching SELinux On and Off13:08
Disabling SELinux is a commonly requested activity. Some vendors do not support their application running on a platform that has SELinux enabled. You will learn through this video how to enable or disable SELinux.
SELinux Logging and Auditing12:30
A security-oriented subsystem such as SELinux can only succeed if it is capable of enhanced logging and even debugging. Let’s have a look at this aspect of SELinux.
Other SELinux-Related Event Types7:19
Although most SELinux log events are AVC related, they aren't the sole event types an administrator will have to deal with. Few event types are directly concerned with SELinux. Let’s have a look at these.
Getting Help with Denials6:20
On some distributions, additional support tools are available that help us identify the cause of a denial. These tools have some knowledge of the common mistakes. This video will let you get help from denials.

User-Oriented SELinux Contexts6:41
Once logged in to a system, our user will run inside a certain context. This user context defines the rights and privileges that we, as a user, have on the system. Let’s have a look at how we could set the SELinux contexts.
SELinux Users and Roles13:44
Within SELinux systems, the moment a user logs in, the login system checks which SELinux user his or her login is mapped to. Hence, it’s crucial to map the user correctly with the exact role. Let’s dive into SELinux users and roles.
Handling SELinux Roles9:45
We saw how SELinux users define the role(s) that a user can be in. But how does SELinux enforce which role a user logs on through? And when logged on, how can a user switch his active role? Let’s answer to this question with this video.
SELinux and PAM5:11
With all the information about SELinux users and roles, we have not touched upon how exactly applications are able to create and assign a SELinux context to a user. Let’s explore this, through this video.

About SELinux file Contexts5:21
This video will show you how to use a web-based application deployment as an example: DokuWiki, which is a popular PHP wiki that uses files rather than a database as its backend system and is easy to install and manage.
Keeping or Ignoring Contexts13:16
Now that you are aware that file contexts are stored as extended attributes, how do we ensure that files receive the correct label when they are written or modified? This video will answer this question.
SELinux File Context Expressions10:30
When we think that the context of a file is wrong, we need to correct the context. SELinux offers several methods to do so, and some distributions even add in more. Let’s have a look at these methods.
Modifying File Contexts4:44
This video will show you the different approaches which are available for you in SELinux to modify file contexts
The Context of a Process6:29
As everything in SELinux works with labels, even processes are assigned a label, also known as the domain. Let’s explore the context of a process through this video.
Limiting the Scope of Transitions2:03
For security reasons, Linux systems can reduce the ability for processes to gain elevated privileges under certain situations or provide additional constraints to reduce the likelihood of vulnerabilities to be exploitable. Let’s see how we could limit the scope of transitions in SELinux.
Types, Permissions, and Constraints6:40
Now that you know more about types, let's look into how these are used in the SELinux policy in more detail.

From IPC to TCP and UDP Sockets9:49
Linux applications communicate with each other either directly or over a network. Let's look at the various communication methods that Linux supports and how SELinux aligns with them.
Linux netfilter and SECMARK Support5:56
The approach with TCP and UDP ports has a few downsides. One of them is that there is no knowledge of the target host, so you cannot govern where an application can connect to. Let’s see how we could tackle this situation with Linux netfilter and SECMARCK support.
Labeled Networking7:20
Another approach to further fine-tune the access controls on the network level is to introduce labeled networking. This video will show you how you could implement this approach.
Using Netlabel/CIPSO7:25
This video will show you, how you could use NetLabel/CIPSO support, to label traffic with sensitivity information and use it across the network.

Requirements

This course offers a complete overview of SELinux administration and how it integrates with other components on a Linux system. It covers the majority of SELinux features with a mix of real-life scenarios, descriptions, and examples. This course contains everything an administrator needs to customize SELinux.

Description

Do you have the crucial job of protecting your private and company systems from malicious attacks and undefined application behavior? Are you looking to secure your Linux systems with improved access controls? Look no further, intrepid administrator! This course will show you how to enhance your system's secure state across Linux distributions, helping you keep application vulnerabilities at bay. This video course covers the core SELinux concepts and shows you how to leverage SELinux to improve the protection measures of a Linux system. You will learn the SELinux fundamentals and all of SELinux's configuration handles including conditional policies, constraints, policy types, and audit capabilities. These topics are paired with genuine examples of situations and issues you will probably come across as an administrator.

About The Author

Sven Vermeulen is a long-term contributor to various free software projects and the author of various online guides and resources. He got his first taste of free software in 1997 and never looked back. In 2003, he joined the ranks of the Gentoo Linux project as a
documentation developer and has since worked in several roles, including Gentoo Foundation trustee, council member, project lead for various documentation initiatives, and (his current role) project lead for Gentoo Hardened SELinux integration and the system integrity project.

During this time, Sven gained expertise in several technologies, ranging from OS-level knowledge to application servers. He used his interest in security to guide his projects further in the areas of security guides using SCAP languages, mandatory access controls through SELinux, authentication with PAM, (application) firewalling, and more.

Within SELinux, Sven contributed several policies to the Reference Policy project, and he is an active participant in policy development and user space development projects.

In his daily job, Sven is an IT architect in a European financial institution as well as a self-employed solution engineer and consultant. The secure implementation of infrastructures (and the surrounding architectural integration) is, of course, an important part of this. Prior to this, he graduated with an MSc in computer engineering from Ghent University and MSc in ICT enterprise architecture, and he worked as a web application infrastructure engineer.

Sven is the main author of the Gentoo Handbook, which covers the installation and configuration of Gentoo Linux on several architectures. He also authored the Linux Sea online publication (a basic introduction to Linux for novice system administrators) and SELinux System Administration and SELinux Cookbook for Packt Publishing.

Who this course is for:

This video course is for Linux administrators who want to control the secure state of their systems. It's packed with the latest information on SELinux operations and administrative procedures so you'll be able to further harden your system through Mandatory Access Control (MAC), a security strategy that has been shaping Linux security for years.

Getting started with SELinux System Administration

What you'll learn

Explore related topics

Course content

Fundamental SELinux Concepts5 lectures • 46min

Understanding SELinux Decisions and Logging4 lectures • 39min

Managing User Logins4 lectures • 35min

Process Domains and File-Level Access Controls7 lectures • 49min

Controlling Network Communications4 lectures • 31min

Requirements

Description

Who this course is for: