Introduction to the Red Hat SELinux Guide
SELinux is implemented in the Linux kernel using the LSM (Linux Security Modules) framework. This is only the latest implementation of an ongoing project, as detailed in Appendix A Brief Background and History of SELinux. To support fine-grained access control, SELinux implements two technologies: Type Enforcement (TE) and a kind of role-based access control (RBAC), which are discussed in Chapter 1 SELinux Architectural Overview.
Type Enforcement involves defining a type for every subject (that is, every process) and every object on the system. These types are defined by the SELinux policy and are contained in security labels on the files themselves, stored in the extended attributes (xattrs) of the file. When a type is associated with a process, the type is called a domain, as in, "httpd is in the domain of httpd_t." This is a terminology difference left over from other models in which domains and types were handled separately.
All interactions between subjects and objects are disallowed by default on an SELinux system. The policy specifically allows certain operations. To know what to allow, TE uses a matrix of domains and object types derived from the policy rules. For example, allow httpd_t net_conf_t:file { read getattr lock ioctl }; gives the domain associated with httpd the permissions to read data out of specific network configuration files such as /etc/resolv.conf. The matrix clearly defines all the interactions of processes and the targets of their operations.
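To make the matrix idea concrete, the following is an added example, not code from the guide or from any Red Hat policy file. It parses allow rules written in the same syntax as the rule quoted above into a domain-by-object-type matrix and then answers access questions the way the guide describes: anything not explicitly granted is denied. The rules in SAMPLE_POLICY are constructed for this example, and the parser is assumed to handle only plain allow rules with a single source domain, target type and object class.

```python
import re
from collections import defaultdict

# Constructed sample of allow rules in the syntax shown in the guide.
# The types and permission sets here are illustrative, not copied from
# a real RHEL 4 policy.
SAMPLE_POLICY = """
# comment lines and blank lines are ignored
allow httpd_t net_conf_t:file { read getattr lock ioctl };
allow httpd_t httpd_sys_content_t:file { read getattr };
allow httpd_t httpd_sys_content_t:dir { read search getattr };
allow httpd_t httpd_log_t:file append;
"""

# allow <source_domain> <target_type>:<class> { perm perm ... } ;
# or    allow <source_domain> <target_type>:<class> perm ;
ALLOW_RE = re.compile(
    r"^allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*(?:\{\s*([^}]*)\}|(\w+))\s*;$"
)


def parse_allow_rules(text):
    """Return a list of (source_domain, target_type, object_class, permissions).

    Only simple allow rules are supported (assumption for this example);
    anything else raises ValueError rather than being silently skipped.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ALLOW_RE.match(line)
        if not m:
            raise ValueError("unsupported or malformed rule: %r" % raw)
        src, tgt, cls, perm_set, single = m.groups()
        perms = set(perm_set.split()) if perm_set is not None else {single}
        rules.append((src, tgt, cls, perms))
    return rules


def build_matrix(rules):
    """Build the access matrix keyed by (domain, target_type, object_class).

    Each cell accumulates the permissions granted by every rule that
    mentions that domain/type/class combination. A missing cell means
    no rule spoke about the combination at all.
    """
    matrix = defaultdict(set)
    for src, tgt, cls, perms in rules:
        matrix[(src, tgt, cls)] |= perms
    return matrix


def is_allowed(matrix, domain, obj_type, obj_class, perm):
    """Default deny: a permission is granted only if some rule listed it."""
    return perm in matrix.get((domain, obj_type, obj_class), set())


if __name__ == "__main__":
    matrix = build_matrix(parse_allow_rules(SAMPLE_POLICY))
    # /etc/resolv.conf is labelled net_conf_t in the guide's example.
    for perm in ("read", "getattr", "write"):
        verdict = is_allowed(matrix, "httpd_t", "net_conf_t", "file", perm)
        print("httpd_t %s net_conf_t:file -> %s" % (perm, "allowed" if verdict else "denied"))
```

Note that "write" is denied even though the rule grants four other permissions on the same file type: the matrix only ever adds permissions, so every operation a policy author forgets to list stays refused. That is the property that makes the targeted policy described in the next paragraph workable, since confining a daemon means writing down exactly the cells it needs.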
Because of this design, SELinux can implement very granular access controls. For Red Hat Enterprise
Linux 4 the policy has been designed to restrict only a specific list of daemons. All other processes
run in an unconfined state. This policy is designed to help integrate SELinux into your development
and production environment. It is possible to have a much more strict policy, which comes with an
increase in maintenance complexity.
2. Prerequisites for This Guide
The technical skills required for this guide are not very extensive. The most important skill to have is an ability to learn technical theories and put them into practice. It helps if you come into this guide with an idea of what you want to do, such as administering a set of common services, making user content from /home/ served via Apache HTTP, manipulating policy to get a custom PHP Web application running, or writing a policy to enable a custom application to be protected by SELinux. The following is helpful to have as you read through this guide:
• A strong working understanding of Linux, especially Red Hat Enterprise Linux.
• If you are going to be administering services, or manipulating or analyzing policy, junior- to mid-level system administration skills and experience are necessary, such as being a Red Hat Certified Technician (RHCT) or Red Hat Certified Engineer (RHCE).
To work with SELinux at that level, you must have the following:
• An understanding of traditional Linux/UNIX security.
• An understanding of how a Linux/UNIX system operates at a lower level, such as how the kernel has system calls for various operations (open, close, read, write, ioctl, poll, etc.). An understanding of programming and system theory is useful in writing policy.
• A familiarity with the m4 macro language, which is helpful in understanding some parts of the SELinux policy.
• Read many of the NSA papers, listed in Chapter 9 References.
• Administrator privileges on the system on which you have Red Hat Enterprise Linux installed are necessary to perform many of the operations in this guide. However, there is plenty of useful information for end users.