SELinux is sometimes seen as a daunting additional security measure on a Linux system. And it probably is, since it requires users to have more than basic knowledge of both Linux and SELinux. This series of tutorials attempts to teach the basics of how to work with and configure SELinux.
Throughout the tutorials, we will assume you have access to an SELinux-enabled system. This can be a Red Hat Enterprise Linux (6 or higher) system, a Fedora system, CentOS, Gentoo Hardened, and so on. If you can get it to boot, you can even use the selinuxnode (experimental) SELinux-enabled live environment (KVM/Qemu guest) offered through Gentoo's mirrors (in the experimental/amd64/qemu-selinux location).
Within each tutorial, we will try to guide you through the new vocabulary used by SELinux, the changes compared to a regular Linux system, and more. At the end of each tutorial, you will find a "What you need to remember" section. This is a quick reference of what the tutorial covers, and might help you recall the key points later without having to read the entire tutorial again.
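Before starting the tutorials it is worth confirming that the system you are on actually has SELinux enabled, and in which mode. The following is an added example (not part of the original tutorial series) that reads the selinuxfs and procfs entries directly, so it works even when the policycoreutils tools (getenforce, sestatus) are not installed. It assumes the standard selinuxfs mount point /sys/fs/selinux; the SELINUXFS variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example: report whether the running kernel has SELinux enabled,
# in which mode, and under which context the current shell runs.
# Assumption: selinuxfs is mounted at /sys/fs/selinux (override with SELINUXFS).

SELINUXFS="${SELINUXFS:-/sys/fs/selinux}"

# selinux_mode [selinuxfs-mountpoint]
# Prints one of: disabled | enforcing | permissive (same words getenforce uses).
# The kernel exposes the mode as "1" (enforcing) or "0" (permissive) in
# <selinuxfs>/enforce; if that file is absent, SELinux is not enabled.
selinux_mode() {
    fs="${1:-$SELINUXFS}"
    if [ ! -r "$fs/enforce" ]; then
        echo disabled
        return 0
    fi
    case "$(cat "$fs/enforce")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown; return 1 ;;
    esac
}

# selinux_policy_version [selinuxfs-mountpoint]
# Prints the maximum policy version the kernel supports, or "none".
selinux_policy_version() {
    fs="${1:-$SELINUXFS}"
    if [ -r "$fs/policyvers" ]; then
        cat "$fs/policyvers"
    else
        echo none
    fi
}

# current_context
# Prints the security context of this shell (what "id -Z" would show),
# or "none" when the kernel does not provide one. The attribute is
# NUL-terminated, so strip the trailing NUL.
current_context() {
    ctx=$(tr -d '\0' < /proc/self/attr/current 2>/dev/null) || ctx=""
    if [ -n "$ctx" ]; then
        echo "$ctx"
    else
        echo none
    fi
}

echo "SELinux mode:    $(selinux_mode)"
echo "Policy version:  $(selinux_policy_version)"
echo "Current context: $(current_context)"
```

On an SELinux-enabled host the last line shows a context such as the one id -Z prints; on a host without SELinux you get "disabled", "none", "none", which tells you the rest of the series will not apply until you switch machines.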
So, let's get started.
Introduction to SELinux
This first set of tutorials is an introduction to SELinux. They cover SELinux fundamentals and do not focus on Gentoo specifics (or at least not too much), so they are reusable for other SELinux-enabled distributions as well.
- The security context of a process
- How SELinux controls file and directory accesses
- Where to find SELinux permission denial details
- Controlling file contexts yourself
- How does a process get into a certain context
- Using SELinux booleans
- Working with customizable types
- Permissive versus enforcing
- What is this unconfined thingie (and tell me about attributes)
- How is the policy provided and loaded
- The purpose of SELinux roles
- Defining SELinux users
- Linux services and the system_u SELinux user
- Putting constraints on operations
- SELinux Multi-Level Security
- SELinux Multi-Category Security
- Managing network port labels
Customizing SELinux policies
This set of tutorials focuses on customizing SELinux policies. It approaches SELinux policy development from an operational point of view, starting with small, simple policy enhancements and incrementally increasing the number of features (and perhaps the complexity) used therein.