From Gentoo Wiki
Jump to:navigation Jump to:search
This page contains changes which are not marked for translation.

SELinux is sometimes seen as a daunting additional security measure on a Linux system. And it probably is, since it requires the users to have some non-basic knowledge of both Linux and SELinux. This series of tutorials attempts to teach the basics of how to work with and configure SELinux.

Throughout the tutorials, we will assume you have access to a SELinux enabled system. This can be a RedHat Enterprise Linux (6 or higher) system, a Fedora system, CentOS, Gentoo Hardened, and etc. If you can get it to boot, you can even use the selinuxnode (experimental) SELinux-enabled live environment (KVM/Qemu guest) offered through Gentoo's mirrors (in the experimental/amd64/qemu-selinux location).

Within each tutorial, we will try to guide you through new vocabulary used by SELinux, changes compared to a regular Linux system, and more. At the end of each tutorial, you will find a What you need to remember part. This is a quick reference of what the tutorial is about, and might help you in the future to remember some stuff without having to read the entire tutorial again.

So, let's get started.

Introduction to SELinux

This first set of tutorials are an introduction to SELinux. They cover basic SELinux stuff and do not focus on Gentoo specifics (or at least not too much), so they are reusable for other SELinux-enabled distributions as well.

  1. The security context of a process
  2. How SELinux controls file and directory accesses
  3. Where to find SELinux permission denial details
  4. Controlling file contexts yourself
  5. How does a process get into a certain context
  6. Using SELinux booleans
  7. Working with customizable types
  8. Permissive versus enforcing
  9. What is this unconfined thingie (and tell me about attributes)
  10. How is the policy provided and loaded
  11. The purpose of SELinux roles
  12. Defining SELinux users
  13. Linux services and the system_u SELinux user
  14. Putting constraints on operations
  15. SELinux Multi-Level Security
  16. SELinux Multi-Category Security
  17. Managing network port labels

Customizing SELinux policies

This set of tutorials focuses on customizing SELinux policies. It focuses on SELinux policy development from an operational point of view, starting with simple small policy enhancements and incrementally increasing the amount of features (and perhaps complexity?) used therein.

  1. Creating your own policy module file
  2. Using Gentoo selocal for small policy enhancements
  3. Creating a daemon domain
  4. Creating a user domain