Do you have the crucial job of protecting your private and company systems from malicious attacks and undefined application behavior? Are you looking to secure your Linux systems with improved access controls? Look no further, intrepid administrator! This course will show you how to enhance your system's secure state across Linux distributions, helping you keep application vulnerabilities at bay. This video course covers the core SELinux concepts and shows you how to leverage SELinux to improve the protection measures of a Linux system. You will learn the SELinux fundamentals and all of SELinux's configuration handles including conditional policies, constraints, policy types, and audit capabilities. These topics are paired with genuine examples of situations and issues you will probably come across as an administrator.
About The Author
Sven Vermeulen is a long-term contributor to various free software projects and the author of various online guides and resources. He got his first taste of free software in 1997 and never looked back. In 2003, he joined the ranks of the Gentoo Linux project as a
documentation developer and has since worked in several roles, including Gentoo Foundation trustee, council member, project lead for various documentation initiatives, and (his current role) project lead for Gentoo Hardened SELinux integration and the system integrity project.
During this time, Sven gained expertise in several technologies, ranging from OS-level knowledge to application servers. He used his interest in security to guide his projects further in the areas of security guides using SCAP languages, mandatory access controls through SELinux, authentication with PAM, (application) firewalling, and more.
Within SELinux, Sven contributed several policies to the Reference Policy project, and he is an active participant in policy development and user space development projects.
In his daily job, Sven is an IT architect in a European financial institution as well as a self-employed solution engineer and consultant. The secure implementation of infrastructures (and the surrounding architectural integration) is, of course, an important part of this. Prior to this, he graduated with an MSc in computer engineering from Ghent University and MSc in ICT enterprise architecture, and he worked as a web application infrastructure engineer.
Sven is the main author of the Gentoo Handbook, which covers the installation and configuration of Gentoo Linux on several architectures. He also authored the Linux Sea online publication (a basic introduction to Linux for novice system administrators) and SELinux System Administration and SELinux Cookbook for Packt Publishing.
A Linux user with access to sensitive information could easily leak that out to the public, manipulate the behavior of the application she or she launches, and do many other things that affect the security of the system. This video will show you how you could deal with this risk and provide more security to your system.
This video will show you how you could label the resources objects available to you and decide whether to allow or deny a particular action.
Enabling SELinux does not automatically start the enforcement of access. If SELinux is enabled and it cannot find a policy, it will refuse to start. Let’s see how we could deal with this situation by defining and distributing Policies.
It is recommended to consult the distribution documentation to verify what the proper name of the policy should be. Thus, it’s important to distinguish between Policies. This video will show you how you could do this.
Disabling SELinux is a commonly requested activity. Some vendors do not support their application running on a platform that has SELinux enabled. You will learn through this video how to enable or disable SELinux.
A security-oriented subsystem such as SELinux can only succeed if it is capable of enhanced logging and even debugging. Let’s have a look at this aspect of SELinux.
Although most SELinux log events are AVC related, they aren't the sole event types an administrator will have to deal with. Few event types are directly concerned with SELinux. Let’s have a look at these.
On some distributions, additional support tools are available that help us identify the cause of a denial. These tools have some knowledge of the common mistakes. This video will let you get help from denials.
Once logged in to a system, our user will run inside a certain context. This user context defines the rights and privileges that we, as a user, have on the system. Let’s have a look at how we could set the SELinux contexts.
Within SELinux systems, the moment a user logs in, the login system checks which SELinux user his or her login is mapped to. Hence, it’s crucial to map the user correctly with the exact role. Let’s dive into SELinux users and roles.
We saw how SELinux users define the role(s) that a user can be in. But how does SELinux enforce which role a user logs on through? And when logged on, how can a user switch his active role? Let’s answer to this question with this video.
With all the information about SELinux users and roles, we have not touched upon how exactly applications are able to create and assign a SELinux context to a user. Let’s explore this, through this video.
This video will show you how to use a web-based application deployment as an example: DokuWiki, which is a popular PHP wiki that uses files rather than a database as its backend system and is easy to install and manage.
Now that you are aware that file contexts are stored as extended attributes, how do we ensure that files receive the correct label when they are written or modified? This video will answer this question.
When we think that the context of a file is wrong, we need to correct the context. SELinux offers several methods to do so, and some distributions even add in more. Let’s have a look at these methods.
This video will show you the different approaches which are available for you in SELinux to modify file contexts
As everything in SELinux works with labels, even processes are assigned a label, also known as the domain. Let’s explore the context of a process through this video.
For security reasons, Linux systems can reduce the ability for processes to gain elevated privileges under certain situations or provide additional constraints to reduce the likelihood of vulnerabilities to be exploitable. Let’s see how we could limit the scope of transitions in SELinux.
Now that you know more about types, let's look into how these are used in the SELinux policy in more detail.
Linux applications communicate with each other either directly or over a network. Let's look at the various communication methods that Linux supports and how SELinux aligns with them.
The approach with TCP and UDP ports has a few downsides. One of them is that there is no knowledge of the target host, so you cannot govern where an application can connect to. Let’s see how we could tackle this situation with Linux netfilter and SECMARCK support.
Another approach to further fine-tune the access controls on the network level is to introduce labeled networking. This video will show you how you could implement this approach.
This video will show you, how you could use NetLabel/CIPSO support, to label traffic with sensitivity information and use it across the network.
Packt has been committed to developer learning since 2004. A lot has changed in software since then - but Packt has remained responsive to these changes, continuing to look forward at the trends and tools defining the way we work and live. And how to put them to work.
With an extensive library of content - more than 4000 books and video courses -Packt's mission is to help developers stay relevant in a rapidly changing world. From new web frameworks and programming languages, to cutting edge data analytics, and DevOps, Packt takes software professionals in every field to what's important to them now.
From skills that will help you to develop and future proof your career to immediate solutions to every day tech challenges, Packt is a go-to resource to make you a better, smarter developer.
Packt Udemy courses continue this tradition, bringing you comprehensive yet concise video courses straight from the experts.