
SELinux/Tutorials

From Gentoo Wiki

Gentoo Hardened SELinux Tutorials

SELinux is sometimes seen as a daunting additional security measure on a Linux system. And it probably is, since it requires users to have some non-basic knowledge of Linux and of what SELinux is. In this series of tutorials, we will try to teach you what SELinux is, how you can work with it, how to configure it to your needs, and more.

Throughout the tutorials, we will assume you have access to an SELinux-enabled system. This can be a Red Hat Enterprise Linux (6 or higher) system, a Fedora system, CentOS, Gentoo Hardened and more. If you can get it to boot, you can even use the selinuxnode (experimental) SELinux-enabled live environment (KVM/Qemu guest) offered through Gentoo's mirrors (in the experimental/amd64/qemu-selinux location).

Within each tutorial, we will try to guide you through the new vocabulary used by SELinux, the changes compared to a regular Linux system, and more. At the end of each tutorial, you will find a "What you need to remember" part. This is a quick reference of what the tutorial is about, and might help you later to recall the key points without having to read the entire tutorial again.

So, let's get started.

Introduction to SELinux

This first set of tutorials is an introduction to SELinux. They cover basic SELinux concepts and do not focus on Gentoo specifics (or at least not too much), so they are reusable for other SELinux-enabled distributions as well.

  1. The security context of a process
  2. How SELinux controls file and directory accesses
  3. Where to find SELinux permission denial details
  4. Controlling file contexts yourself
  5. How does a process get into a certain context
  6. Using SELinux booleans
  7. Working with customizable types
  8. Permissive versus enforcing
  9. What is this unconfined thingie (and tell me about attributes)
  10. How is the policy provided and loaded
  11. The purpose of SELinux roles
  12. Defining SELinux users
  13. Linux services and the system_u SELinux user
  14. Putting constraints on operations
  15. SELinux Multi-Level Security
  16. SELinux Multi-Category Security
  17. Managing network port labels

Customizing SELinux policies

This set of tutorials focuses on customizing SELinux policies. It approaches SELinux policy development from an operational point of view, starting with small, simple policy enhancements and incrementally increasing the number of features (and perhaps the complexity?) used therein.

  1. Creating your own policy module file
  2. Using Gentoo selocal for small policy enhancements
  3. Creating a daemon domain