SELinux 8 hours

SELinux is an acronym for Security-Enhanced Linux. It is a Linux kernel security module that provides mandatory access control to increase the security of the system.

Chapter 1 : Fundamental SELinux Concepts

Security-Enhanced Linux (SELinux) is a kernel module that can be used to enhance the security of Linux. It provides a mechanism for supporting access control security policies, which are made up of rules that can be specified in terms of fine-grained object labels.

Security for Linux

Labeling all resources and objects

Defining and distributing policies

Distinguishing between policies



Chapter 2 : SELinux Decisions and Logging

SELinux has been developed to provide mandatory access control that can be applied to the entire operating system as well as to individual processes, files, directories, etc.

Switching SELinux on and off

SELinux logging and auditing

Getting help with denials



Chapter 3 : Managing User Logins

User logins can be a major pain point for companies. Ensuring that the right person is logged in and maintaining security and privacy for the account owners can be difficult tasks.

User-oriented SELinux contexts

SELinux users and roles

Handling SELinux roles

SELinux and PAM



Chapter 4 : Using File Contexts and Process Domains

File contexts are used to categorize the characteristics of a file itself. Process domains are used to categorize the processes that can be used to produce or manipulate a given file.

Introduction to SELinux file contexts

Keeping or ignoring contexts

SELinux file context expressions

Modifying file contexts

The context of a process

Limiting the scope of transitions

Types, permissions, and constraints



Chapter 6 : SELinux through Infrastructure-as-Code

Infrastructure-as-Code is a software development methodology that defines and manages infrastructure through code. It allows for better automation, monitoring, and integration with other systems.

Introducing the target settings and policies

Using Ansible for SELinux system administration

Utilizing SaltStack to configure SELinux

Automating system management with Puppet

Wielding Chef for system automation



Chapter 7 : Application-Specific SELinux Controls

SELinux controls provide a unique approach to security. The SELinux process starts when the kernel loads the policy, which determines how processes are handled in three different contexts: user, role, and domain.

Tuning systemd services, logging, and device management

Communicating over D-Bus

Configuring PAM services

Using mod_selinux with Apache



Chapter 8 : Extending PostgreSQL with SELinux

PostgreSQL can be extended by integrating it with SELinux to provide security features which are not found in other databases.

Introducing PostgreSQL and sepgsql

SELinux’s database-specific object classes and permissions

Using MCS and MLS

Integrating SEPostgreSQL into the network



Chapter 9 : Secure Virtualization

Virtualization is a process of abstracting physical resources to create and manage virtual computers and their resources in a virtualized environment.

Understanding SELinux-secured virtualization

Enhancing libvirt with SELinux support

Using Vagrant with libvirt



Chapter 10 : Using Xen Security Modules with FLASK

Xen Security Modules are a crucial part of the security for Xen virtualization. The Flask security architecture offers three levels of authorization: access, privilege and control.

Understanding Xen and XSM

Running XSM-enabled Xen

Applying custom XSM policies



Chapter 11 : Security of Containerized Workloads

Containers are a type of technology that packages an application with all of its dependencies in a single package. Containers allow developers to isolate their applications from one another in order to avoid conflicts and dependency issues.

SELinux with systemd’s container support

Configuring podman

Kubernetes’ SELinux support



Chapter 12 : Tuning SELinux Policies

SELinux is a kernel module that implements access control security policies, including what actions each process can perform, based on the identity of the subjects. SELinux operates as a mandatory access control security module.

Working with SELinux booleans

Handling policy modules

Replacing and updating policies



Chapter 13 : Analyzing Policy Behavior

SELinux is a protection system, which uses access control mechanisms in order to ensure that trusted applications are only able to access the data that they need and nothing more.

Performing single-step analysis

Investigating domain transitions

Analyzing information flow

Comparing policies



Chapter 14 : Dealing with New Applications

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies and allows for separation and confinement of processes.

Running applications without restrictions

Using sandboxed applications

Assigning common policies to new applications

Extending generated policies



Chapter 15 : Using the Reference Policy

The SELinux Reference Policy is a type of policy that provides a reference for Linux system administrators who are responsible for configuring their systems. It is not recommended to use the Reference Policy as the single source of truth.

Introducing the reference policy

Using the policy macros

Creating application-level policies

Adding user-level policies

Getting help with supporting tools



Chapter 16 : Developing Policies with SELinux CIL

One way SELinux CIL can be used in the workforce is by creating policies for a given domain. The goal of this section will be to develop a policy for the domain that we have selected – “Non-sensitive data.”

Introducing CIL

Creating fine-grained definitions

Building complete application policies



Satish Kumar

Kumar Satish


Kumar Satish started his career as a Unix and Linux System Engineer in 2011. Kumar has professional experience with CentOS, RedHat, Ubuntu, and Debian. He enjoys teaching others how to use and exploit the power of the Linux operating system.