Paranoid Penguin - Introduction to SELinux, Part II
The comprehensive “deny-by-default” policy originally developed for Fedora Core 2, called strict, is still maintained for RHEL, Fedora and CentOS, and it can be installed instead of targeted. However, strict is not officially (commercially) supported in RHEL due to its complexity. On most systems, this policy takes a lot of manual tweaking, both by editing the files in /etc/selinux and by using the standard SELinux commands chcon, checkpolicy, getenforce, newrole, run_init, setenforce and setfiles.
Note that Tresys (www.tresys.com) maintains a suite of free, mainly GUI-based, SELinux tools that are a bit easier to use, including SePCuT, SeUser, Apol and SeAudit. These are provided by RHEL's setools RPM package. Note also that on non-Red-Hat-derived Linux distributions, SELinux policies usually reside in /etc/security/selinux.
To customize and use the strict policy on RHEL 4, see Russell Coker's tutorial “Introduction to SELinux on Red Hat Enterprise Linux 4” (see Resources). You need to install the package selinux-policy-strict, available in Fedora's rawhide repository (the selinux-policy-strict package in Fedora Core 5 or 6 may also work in RHEL 4).
It's also possible, of course, to develop and enable your own SELinux policies from scratch, though doing that is well beyond the scope of this article. In fact, entire books have been written on this topic. See Resources for information on SELinux policy creation and customization.
And with that, I hope you're off to a good start with SELinux. Be safe!
Faye and Russell Coker's article “Taking advantage of SELinux in Red Hat Enterprise Linux”: www.redhat.com/magazine/006apr05/features/selinux
McCarty, Bill. SELinux: NSA's Open Source Security Enhanced Linux. Sebastopol, CA: O'Reilly Media, 2005. Definitive resource, but predates Red Hat and Fedora's implementation of targeted and strict policies.
Mayer, Frank, Karl MacMillan and David Caplan. SELinux by Example: Using Security Enhanced Linux. Upper Saddle River, NJ: Prentice Hall, 2007. Brand-new book, by several SELinux contributors.
Chad Hanson's paper “SELinux and MLS: Putting the Pieces Together”: selinux-symposium.org/2006/papers/03-SELinux-and-MLS.pdf
“Red Hat Enterprise Linux 4: Red Hat SELinux Guide”: www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/index.html
Russell Coker's tutorial “Introduction to SELinux on Red Hat Enterprise Linux 4”: www.coker.com.au/selinux/talks/rh-2005/rhel4-tut.html
Mick Bauer (email@example.com) is Network Security Architect for one of the US's largest banks. He is the author of the O'Reilly book Linux Server Security, 2nd edition (formerly called Building Secure Servers With Linux), an occasional presenter at information security conferences and composer of the “Network Engineering Polka”.
|Using Salt Stack and Vagrant for Drupal Development||May 20, 2013|
|Making Linux and Android Get Along (It's Not as Hard as It Sounds)||May 16, 2013|
|Drupal Is a Framework: Why Everyone Needs to Understand This||May 15, 2013|
|Home, My Backup Data Center||May 13, 2013|
|Non-Linux FOSS: Seashore||May 10, 2013|
|Trying to Tame the Tablet||May 08, 2013|
- Using Salt Stack and Vagrant for Drupal Development
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- New Products
- Validate an E-Mail Address with PHP, the Right Way
- Drupal Is a Framework: Why Everyone Needs to Understand This
- A Topic for Discussion - Open Source Feature-Richness?
- Home, My Backup Data Center
- New Products
- RSS Feeds
- Tech Tip: Really Simple HTTP Server with Python
- I like your topic on android
34 min 47 sec ago
- Reply to comment | Linux Journal
55 min 57 sec ago
- This is the easiest tutorial
7 hours 10 min ago
- Ahh, the Koolaid.
12 hours 48 min ago
- git-annex assistant
18 hours 48 min ago
- direct cable connection
19 hours 11 min ago
- Agreed on AirDroid. With my
19 hours 21 min ago
- I just learned this
19 hours 25 min ago
19 hours 55 min ago
- not living upto the mobile revolution
22 hours 46 min ago