SELinux by Example: Using Security Enhanced Linux

by Frank Mayer, Karl Macmillan, David Caplan

Paperback | July 27, 2006


SELinux: Bring World-Class Security to Any Linux Environment!


SELinux offers Linux/UNIX integrators, administrators, and developers a state-of-the-art platform for building and maintaining highly secure solutions. Now that SELinux is included in the Linux 2.6 kernel—and delivered by default in Fedora Core, Red Hat Enterprise Linux, and other major distributions—it’s easier than ever to take advantage of its benefits.


SELinux by Example is the first complete, hands-on guide to using SELinux in production environments. Authored by three leading SELinux researchers and developers, it illuminates every facet of working with SELinux, from its architecture and security object model to its policy language. The book thoroughly explains SELinux sample policies—including the powerful new Reference Policy—showing how to quickly adapt them to your unique environment. It also contains a comprehensive SELinux policy language reference and covers exciting new features in Fedora Core 5 and the upcoming Red Hat Enterprise Linux version 5.


• Thoroughly understand SELinux’s access control and security mechanisms

• Use SELinux to construct secure systems from the ground up

• Gain fine-grained control over kernel resources

• Write policy statements for type enforcement, roles, users, and constraints

• Use optional multilevel security to enforce information classification and manage users with diverse clearances

• Create conditional policies that can be changed on-the-fly

• Define, manage, and maintain SELinux security policies

• Develop and write new SELinux security policy modules

• Leverage emerging SELinux technologies to gain even greater flexibility

• Effectively administer any SELinux system

Frank Mayer is cofounder and Chief Technology Officer of Tresys Technology, and has 23 years of experience in the design, development, and analysis of secure operating systems. He has been an active contributor to SELinux for six years, and has initiated and participated in the development of many new SELinux innovations and tools. H...

Title: SELinux by Example: Using Security Enhanced Linux
Format: Paperback
Dimensions: 456 pages, 9 × 7 × 1.1 in
Published: July 27, 2006
Publisher: Pearson Education
Language: English

The following ISBNs are associated with this title:

ISBN-10: 0131963694

ISBN-13: 9780131963696


Read from the Book

Preface

This book is based on our many years of working with, deploying, and helping evolve Security Enhanced Linux (SELinux). We have also created technical courses on SELinux, and in our teaching experience we have found that it is difficult to introduce entirely new and foreign notions of computer security to a new audience. In this book, we think we achieved a good balance between conceptual overview versus concrete, hands-on examples.

Another challenge with this book is that SELinux is a new technology; although it has been incorporated into mainstream Linux distributions, it is still evolving. We and others have many innovative ongoing research and development projects to enhance SELinux in many ways. In this book, we face the challenge of describing a moving target. Fortunately, the core concepts of SELinux are fairly well established, and at least the kernel portion of the security enhancements are changing at a manageable pace. For the newer work, we describe the emerging technologies we believe are most important.

Audience

This book is primarily aimed at the person who most needs to make use of the security enhancements that SELinux brings to Linux. As you will see, this person is primarily interested in understanding, writing, modifying, and/or managing SELinux policies. You are such a person if you want to use SELinux to enhance the security of your application, system, or network.

To make effective use of this book, you should have a good understanding of Linux/UNIX systems. The more familiar you are with the interworkings of the Linux kernel and key services, the easier it will be for you to understand the security object model that SELinux uses. However, as long as you have good working knowledge of Linux, its conventions, and filesystem layout, and/or its programming paradigms, you should have no problem with the material of this book.

Users of systems that include SELinux (for example, Red Hat Enterprise Linux, Fedora Core, Gentoo, and Debian) will also find this book helpful. Although most users and system administrators will not likely write SELinux policy, understanding the SELinux policy language and security model will give you greater insights into the power of SELinux to afford you greater security.

What You Will Learn

This book is all about writing SELinux security policies to make effective use of the security enhancements SELinux brings to Linux. That sounds simple, but in reality, you have to learn new ideas and understand the SELinux policy language before you can understand how to effectively use these enhancements. We divide the book into three parts around the learning steps you, as a student of SELinux, will traverse. The specific topics are as follows:

Part I

• Overview of mandatory access control

• Type enforcement concepts and applications

• SELinux architecture and mechanisms

Part II

• Details of the SELinux native policy language syntax and semantics

• Object labeling in SELinux

Part III

• Two primary methods developed to build SELinux policies: the example policy and the reference policy

• Impacts of SELinux on system administration

• How to write policy modules for SELinux

Our goal is to help you understand the details involved in SELinux so that you can create secure systems. Given the young nature of SELinux, we necessarily provide you with all the gory details of the low-level policy language. Remember, however, that much work is ongoing to make it easier to build secure systems without knowing all the low-level details. Where appropriate, we discuss this evolving work and help you understand how to write secure policies that can pass the scrutiny of independent review.

Each chapter concludes with a summary of the key points we discuss in the chapter and exercises to reinforce your understanding of these points. Exercises range from thought experiments, to hands-on exploration, to modification of real security policies. They all will help enhance your understanding of SELinux.

Summary of Chapters

We divided this book into three parts, each of which contains several chapters:

Part I, "SELinux Overview." This part provides the background of SELinux evolution and an overview of its security concepts and architecture.

• Chapter 1, "Background." In this chapter, we discuss the evolution of access control in operating systems, kinds of access control mechanisms, their strengths and weaknesses, and the kind of access control SELinux brings to Linux.

• Chapter 2, "Concepts." In this chapter, we provide a conceptual overview of SELinux security mechanisms in the form of a detailed tutorial. This chapter is a good, concise discussion of the security enhancements SELinux brings to Linux.

• Chapter 3, "Architecture." In this chapter, we provide an overview of the SELinux architecture and implementation and an overview of the policy language architecture.

Part II, "SELinux Policy Language." This part contains a detailed description of the entire SELinux policy language syntax and semantics. Each chapter addresses a portion of the language. This part of the book can be viewed as a policy language reference.

• Chapter 4, "Object Classes and Permissions." In this chapter, we describe how SELinux controls kernel resources using object classes and defines fine-grained permissions to those object classes.

• Chapter 5, "Type Enforcement Policy." In this chapter, we describe all the core policy language rules and statements that enable us to write a type enforcement policy. Type enforcement is the central access control feature of SELinux.

• Chapter 6, "Roles and Users." In this chapter, we discuss the SELinux role-based access control mechanism and how roles and users in the policy language support the type enforcement policy.

• Chapter 7, "Constraints." In this chapter, we discuss the constraint feature of the SELinux policy language, which is a means to provide restrictions within the policy that support the type enforcement policy.

• Chapter 8, "Multilevel Security." In this chapter, we describe the policy language features that allow for optional multilevel security access controls in addition to the core type enforcement access controls.

• Chapter 9, "Conditional Policies." In this chapter, we discuss an enhancement to the policy language that enables us to make portions of the type enforcement policy conditional on Boolean expressions whose values can be changed during the course of operation on a production system.

• Chapter 10, "Object Labeling." In this chapter, we finish our discussion of the policy language by examining how objects are labeled and how we manage those labels in support of SELinux-enhanced access control.

Part III, "Creating and Writing SELinux Security Policies." In this final part, we show you how to make use of the policy language, discussing methods for building security policies and insights into administering an SELinux system and writing and debugging SELinux policy modules.

• Chapter 11, "Original Example Policy." In this chapter, we discuss the example policy, which is a method (source files, build tools and conventions, and so on) for building an SELinux policy that has evolved over the years from the original example policy released with SELinux by the National Security Agency. Fedora Core 4 and Red Hat Enterprise Linux come standard with policies based on the example policy.

• Chapter 12, "Reference Policy." In this chapter, we discuss a new method for building an SELinux policy that provides all the features of the example policy along with support for emerging SELinux technology. The more recent Fedora Core 5 uses reference policy as its policy foundation.

• Chapter 13, "Managing an SELinux System." In this chapter, we discuss how SELinux impacts the administration of a Linux system.

• Chapter 14, "Writing Policy Modules." In this final chapter, we bring all that you have learned throughout the book into a guided tour on writing a policy module for both the example and reference policies.

Appendixes. We have included several appendixes with additional reference material:

• Appendix A, "Obtaining SELinux Sample Policies." This appendix provides instructions on how to obtain the sample policy source files we discuss in this book.

• Appendix B, "Participation and Further Information." This chapter lists sources of additional information on SELinux and describes how you can further participate in the development of SELinux.

• Appendix C, "Object Class Reference." This chapter provides a detailed dictionary of all SELinux kernel object classes and associated permissions.

• Appendix D, "SELinux Commands and Utilities." This chapter provides a summary of utilities and third-party tools available to help with developing SELinux policies and managing SELinux systems.

How to Use This Book

Rarely does one read a technical book cover to cover. Most people want to understand a particular item or begin exploring the technology as soon as possible. Although reading the book cover to cover is certainly an option, we also recommend an alternative strategy.

Thoroughly read and understand Part I (Chapters 1–3); this part provides you with the necessary background and conceptual insights to understand SELinux. In particular, carefully read and study Chapter 2.

You may want to skim Part II (Chapters 4–10) to get a sense of the content of these chapters. These chapters are loaded with the details of the SELinux policy language. For most people, there are too many details to absorb as part of a strategy to first learn about SELinux. As a strategy, you might want to carefully read Chapter 5 and skim Chapters 4 and 10. These chapters cover the SELinux policy language elements that are most used by policy writers.

Finally, read the chapters of Part III (Chapters 11–14) that address the issues in which you are interested. Use Part II as a reference as you read these chapters.

Sidebars, Notes, Warnings, and Tips

We make extensive use of sidebars and notes throughout this book to provide additional information or emphasis on certain items. We also include a number of warnings and tips. Following are the conventional purposes for each of these within this book:

• Sidebars. We use sidebars primarily for two purposes. First, we use them for additional information that is not directly covered within the main text of the chapter. For example, we use sidebars to highlight differences between various versions of SELinux or to discuss in detail a particular concept that might be of interest to the reader. We also use sidebars to document the complete syntax of all SELinux policy language statements throughout Part II. These syntax sidebars provide a quick reference for the various policy language elements.

• Notes. We use notes to provide additional emphasis on certain points. Usually notes are short items of additional clarification or detail.

• Warnings. Warnings are used much like notes except that they emphasize something that requires additional caution or strong emphasis.

• Tips. Tips provide quick hints and suggestions about how to perform a given function or make something easier.

Typographical Conventions

All technical books must use some form of typographical convention to better communicate with the reader. This is especially true due to heavy overloading of terminology, and SELinux is no different.

In general, we use italics to introduce a key concept at the point where we define the concept (usually first use or near the first use). We also use italics for emphasis. For a particularly strong point of emphasis, we use a bold font.

Throughout this book, we use a fixed-width font for any SELinux policy language element (allow), user commands (ps, ls), or anything you would type or see on the computer. For longer listings that show commands and their output, we use the Bourne shell standard prompts of # (for root shells) and $ (for ordinary user shells). User input (that is, something that you type) is also in bold and fixed-width fonts in listings. For example:

# ls -lZ /etc/selinux/
-rw-r--r-- root root system_u:object_r:selinux_config_t config
drwxr-xr-x root root system_u:object_r:selinux_config_t strict
drwxr-xr-x root root system_u:object_r:selinux_config_t targeted

When referring to library functions or system calls, we use the convention of including empty parentheses, such as execve(). We also use this convention for policy macros that take arguments, such as domain_auto_trans(). When referring you to the Linux manual page for additional information on a command or function, we use the convention of italics for the command or function and enclose the manual section within parentheses; for example, make(1), execve(2).

Where to Get SELinux

SELinux is supported in several Linux distributions, including Red Hat Enterprise Linux, Red Hat Fedora Core, Gentoo, and Debian. Fedora Core has been the central platform around which the SELinux community has tested and integrated most of its innovations. Red Hat Enterprise Linux, version 4 (RHEL4), is the first large commercial distribution to fully support a version of SELinux. Nearly everything we discuss in this book is relevant to RHEL4 and other Linux distributions.

We chose to base this book on Fedora Core 4 (FC4), which is a version of Fedora Core released after RHEL4. Everything we discuss should work on an FC4 system. During the eight months it took us to write this book, FC4 evolved, was tested, and released. As we finish this book, Fedora Core 5 (FC5) was just released. FC5 incorporates many new SELinux innovations, many of which the authors had a principal role in developing. The new FC5 features are probably a good indicator of what is likely to show up in RHEL5. As much as practical, throughout this book we note new features and capabilities available in FC5 and not in FC4. Also, where applicable, we note features in FC4 that are not supported in the older RHEL4.

If you are an enterprise user or developer, you are likely using RHEL4 or planning to use RHEL5. We currently use RHEL4 for our enterprise developments and products. If you are an SELinux developer or early adopter, you are probably using a version of Fedora Core or some other distribution. In all cases, this book should provide you extensive information about how to use SELinux and develop SELinux policies.

How to Get the Book's Sample Policies

Throughout this book, we give example pieces of SELinux policies. These examples are based on the strict Fedora Core 4 policy as distributed by Red Hat. We discuss this policy in more detail in Chapter 11. FC4 comes standard with a targeted (and not strict) policy, so you must go through additional steps to get the policy upon which our examples are based. In Part III, we broaden our perspective on sample policies to include other types of policies. We provide instructions in Appendix A on how to get the sources for all the various sample policies we discuss in this book.

© Copyright Pearson Education. All rights reserved.

Table of Contents

Front Matter

Preface

Chapter 1: Background

Chapter 2: Concepts

Chapter 3: Architecture

Chapter 4: Object Classes and Permissions

Chapter 5: Type Enforcement

Chapter 6: Roles and Users

Chapter 7: Constraints

Chapter 8: Multilevel Security

Chapter 9: Conditional Policies

Chapter 10: Object Labeling

Chapter 11: Original Example Policy

Chapter 12: Reference Policy

Chapter 13: Managing an SELinux System

Chapter 14: Writing Policy Modules

Appendix A: Obtaining SELinux Sample Policies

Appendix B: Participation and Further Information

Appendix C: Object Classes and Permissions

Appendix D: SELinux Commands and Utilities

Index

Editorial Reviews

"The three authors are well versed in the topic and comprise the best team to write on SELinux that you could find. Even though it is written as a straightforward text - as opposed to a study guide - I appreciate how each chapter ends with a summary and then exercises to reinforce what you've just finished reading." --Emmett Dulaney, Editor,

"This is a very good book and is easily the best I've seen yet on the subject of SELinux. If you've been tasked with maintaining an SELinux-enabled machine, would like to write or enhance existing SELinux policy, or just want to understand what SELinux is and how it came to be, then this is the book for you." --Ryan Maple, Reviewer,