Table of Contents
SELinux Cookbook
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. The SELinux Development Environment
Introduction
About SELinux
The role of the SELinux policy
The example
Creating the development environment
Getting ready
How to do it…
How it works…
There's more...
See also
Building a simple SELinux module
Getting ready
How to do it…
How it works…
The policy source file
The binary policy module
Loading a policy into the policy store
There's more...
See also
Calling refpolicy interfaces
How to do it…
How it works…
See also
Creating our own interface
How to do it…
How it works…
The location of the interface definitions
The in-line documentation
See also
Using the refpolicy naming convention
Getting ready
How to do it…
How it works…
There's more...
Distributing SELinux policy modules
How to do it…
How it works…
Changes in interfaces
Kernel version changes
MLS or not
2. Dealing with File Labels
Introduction
Defining file contexts through patterns
How to do it…
How it works…
Path expressions
The order of processing
Class identifiers
Context declaration
There's more...
Using substitution definitions
Getting ready
How to do it…
How it works…
There's more...
See also
Enhancing an SELinux policy with file transitions
Getting ready
How to do it…
How it works…
Finding the right search pattern
Patterns
There's more...
See also
Setting resource-sensitivity labels
How to do it…
How it works…
Full policy replacement
Ranged daemon domain
Constraints
See also
Configuring sensitivity categories
Getting ready
How to do it…
How it works…
The mcstrans and setrans.conf files
SELinux users and Linux user mappings
Running Apache with the right context
See also
3. Confining Web Applications
Introduction
Listing conditional policy support
How to do it…
How it works...
See also
Enabling user directory support
Getting ready
How to do it…
How it works...
There's more...
See also
Assigning web content types
How to do it…
How it works
There's more...
Using different web server ports
How to do it…
How it works...
There's more...
See also
Using custom content types
Getting ready
How to do it…
How it works...
There's more...
Creating a custom CGI domain
How to do it…
How it works...
Setting up mod_selinux
How to do it…
How it works...
See also
Starting Apache with limited clearance
How to do it…
How it works...
There's more...
Mapping HTTP users to contexts
How to do it…
How it works...
Using source address mapping to decide on contexts
How to do it…
How it works...
There's more...
See also
Separating virtual hosts with mod_selinux
How to do it…
How it works...
See also
4. Creating a Desktop Application Policy
Introduction
Researching the application's logical design
How to do it…
How it works…
Files and directories
Network resources
Processes
Hardware and kernel resources
Creating a skeleton policy
How to do it…
How it works…
Type declarations
Managing files and directories
X11 and shared memory
The network access
There's more...
See also
Setting context definitions
How to do it…
How it works…
Defining application role interfaces
How to do it…
How it works…
There's more...
Testing and enhancing the policy
How to do it…
How it works…
Ignoring permissions we don't need
How to do it…
How it works…
Creating application resource interfaces
How to do it…
How it works…
Adding conditional policy rules
How to do it…
How it works…
There's more...
Adding build-time policy decisions
How to do it…
How it works…
There's more...
5. Creating a Server Policy
Introduction
Understanding the service
How to do it…
How it works…
Online research
Sandbox environment
The structural documentation
See also
Choosing resource types wisely
How to do it…
How it works…
Domain definitions
Logical resources
Infrastructural resources
Differentiating policies based on use cases
How to do it…
How it works…
Creating resource-access interfaces
How to do it…
How it works…
Creating exec, run, and transition interfaces
How to do it…
How it works…
See also
Creating a stream-connect interface
How to do it…
For a Unix domain socket with a socket file
For an abstract Unix domain socket
How it works…
Creating the administrative interface
How to do it…
How it works…
See also
6. Setting Up Separate Roles
Introduction
Managing SELinux users
How to do it…
How it works…
There's more...
Mapping Linux users to SELinux users
How to do it…
How it works…
Running commands in a specified role with sudo
How to do it…
How it works…
See also
Running commands in a specified role with runcon
How to do it…
How it works…
Switching roles
How to do it…
How it works…
Creating a new role
How to do it…
How it works…
Defining a role in the policy
Extending the role privileges
Default types and default contexts
Initial role based on entry
How to do it…
How it works…
Defining role transitions
How to do it…
How it works…
Looking into access privileges
How to do it…
How it works…
Direct access inspection
Policy manipulation
Indirect access
7. Choosing the Confinement Level
Introduction
Finding common resources
How to do it…
How it works…
Shared file locations
User content and customizable types
There's more...
Defining common helper domains
How to do it…
How it works…
Documenting common privileges
How to do it…
How it works…
Granting privileges to all clients
How to do it…
How it works…
Creating a generic application domain
...