SELinux: NSA's Open Source Security Enhanced Linux (Paperback)

Bill McCarty

  • 出版商: O'Reilly
  • 出版日期: 2004-11-02
  • 售價: $1,370
  • 貴賓價: 9.5$1,302
  • 語言: 英文
  • 頁數: 258
  • 裝訂: Paperback
  • ISBN: 0596007167
  • ISBN-13: 9780596007164
  • 相關分類: Linux資訊安全
  • 已絕版




The intensive search for a more secure operating system has often left everyday, production computers far behind their experimental, research cousins. Now SELinux (Security Enhanced Linux) dramatically changes this. This best-known and most respected security-related extension to Linux embodies the key advances of the security field. Better yet, SELinux is available in widespread and popular distributions of the Linux operating system--including for Debian, Fedora, Gentoo, Red Hat Enterprise Linux, and SUSE--all of it free and open source.

SELinux emerged from research by the National Security Agency and implements classic strong-security measures such as role-based access controls, mandatory access controls, and fine-grained transitions and privilege escalation following the principle of least privilege. It compensates for the inevitable buffer overflows and other weaknesses in applications by isolating them and preventing flaws in one application from spreading to others. The scenarios that cause the most cyber-damage these days--when someone gets a toe-hold on a computer through a vulnerability in a local networked application, such as a Web server, and parlays that toe-hold into pervasive control over the computer system--are prevented on a properly administered SELinux system.

The key, of course, lies in the words "properly administered." A system administrator for SELinux needs a wide range of knowledge, such as the principles behind the system, how to assign different privileges to different groups of users, how to change policies to accommodate new software, and how to log and track what is going on. And this is where SELinux is invaluable. Author Bill McCarty, a security consultant who has briefed numerous government agencies, incorporates his intensive research into SELinux into this small but information-packed book. Topics include:

  • A readable and concrete explanation of SELinux concepts and the SELinux security model
  • Installation instructions for numerous distributions
  • Basic system and user administration
  • A detailed dissection of the SELinux policy language
  • Examples and guidelines for altering and adding policies

With SELinux, a high-security computer is within reach of any system administrator. If you want an effective means of securing your Linux system--and who doesn't?--this book provides the means.


Table of Contents:


1. Introducing SELinux

     Software Threats and the Internet

     SELinux Features

     Applications of SELinux

     SELinux History

     Web and FTP Sites

2. Overview of the SELinux Security Model

     Subjects and Objects

     Security Contexts

     Transient and Persistent Objects

     Access Decisions

     Transition Decisions

     SELinux Architecture

3. Installing and Initially Configuring SELinux

     SELinux Versions

     Installing SELinux

     Linux Distributions Supporting SELinux

     Installation Overview

     Installing SELinux from Binary or Source Packages

     Installing from Source

4. Using and Administering SELinux

     System Modes and SELinux Tuning

     Controlling SELinux

     Routine SELinux System Use and Administration

     Monitoring SELinux

     Troubleshooting SELinux

5. SELinux Policy and Policy Language Overview

     The SELinux Policy

     Two Forms of an SELinux Policy

     Anatomy of a Simple SELinux Policy Domain

     SELinux Policy Structure

6. Role-Based Access Control

     The SELinux Role-Based Access Control Model

     Railroad Diagrams

     SELinux Policy Syntax

     User Declarations

     Role-Based Access Control Declarations

7. Type Enforcement

     The SELinux Type-Enforcement Model

     Review of SELinux Policy Syntax

     Type-Enforcement Declarations

     Examining a Sample Policy

8. Ancillary Policy Statements

     Constraint Declarations

     Other Context-Related Declarations

     Flask-Related Declarations

9. Customizing SELinux Policies

     The SELinux Policy Source Tree

     On the Topics of Difficulty and Discretion

     Using the SELinux Makefile

     Creating an SELinux User

     Customizing Roles

     Adding Permissions

     Allowing a User Access to an Existing Domain

     Creating a New Domain

     Using Audit2allow

     Policy Management Tools

     The Road Ahead

A. Security Object Classes

B. SELinux Operations

C. SELinux Macros Defined in src/policy/macros

D. SELinux General Types

E. SELinux Type Attributes