Difference between revisions of "NewUsers"

From SELinux Wiki
Jump to: navigation, search
(Notebook Sections)
(Notebook Sections)
(7 intermediate revisions by the same user not shown)
Line 50: Line 50:
  
 
= The SELinux Notebook =
 
= The SELinux Notebook =
Some of the sections from [http://www.freetechbooks.com/the-selinux-notebook-the-foundations-t785.html Volume 1 - The SELinux Notebook - The Foundations] are available on this site.  
+
Some of the sections from [http://freecomputerbooks.com/The-SELinux-Notebook-The-Foundations.html The SELinux Notebook - 4th Edition] are available on this site. There is also a supporting source tarball (notebook-source-4.0.tar.gz) available to download that demonstrates some of the SELinux capabilities.  
 
+
The Notebook sections describe the SELinux services built into Fedora 12 and should give a high level description of the major components that provide Mandatory Access Control services for GNU / Linux.
+
 
+
Hopefully it will show how all the SELinux components link together and how SELinux-aware applications and their object managers have been implemented (such as X-Windows, SE-PostgreSQL and virtual machines).
+
  
 
== Notebook Sections ==
 
== Notebook Sections ==
 
The major sections are:
 
The major sections are:
 
* [[NB_Overview | SELinux Overview]]
 
* [[NB_Overview | SELinux Overview]]
 +
* [[NB_CoreComponents | Core Components]]
 
* [[NB_MAC | Mandatory Access Control (MAC)]]
 
* [[NB_MAC | Mandatory Access Control (MAC)]]
 +
* [[NB_USERS | SELinux Users]]
 +
* [[NB_RBAC | Role-Based Access Control (RBAC)]]
 
* [[NB_TE | Type Enforcement (TE)]]
 
* [[NB_TE | Type Enforcement (TE)]]
* [[NB_RBAC | Role-Based Access Control (RBAC)]]
 
 
* [[NB_SC | Security Context]]
 
* [[NB_SC | Security Context]]
 
* [[NB_Subjects | Subjects]]
 
* [[NB_Subjects | Subjects]]
 
* [[NB_Objects | Objects]]
 
* [[NB_Objects | Objects]]
 +
* [[NB_ComputingSecurityContexts | Computing Security Contexts]]
 +
* [[NB_ComputingAccessDecisions | Computing Access Decisions]]
 +
* [[NB_Domain_and_Object_Transitions | Domain and Object Transitions]]
 
* [[NB_MLS | Multi-Level Security and Multi-Category Security]]
 
* [[NB_MLS | Multi-Level Security and Multi-Category Security]]
 
* [[NB_PolicyType | Types of SELinux Policy]]
 
* [[NB_PolicyType | Types of SELinux Policy]]
* [[NB_PandE | SELinux Permissive and Enforcing Modes]]
+
* [[NB_PandE | Permissive and Enforcing Modes]]
* [[NB_AL |Audit Logs]]
+
* [[NB_AL | Auditing Events]]
* [[NB_Poly | Polyinstantiation]]
+
* [[NB_Poly | Polyinstantiation Support]]
 
* [[NB_PAM | PAM Login Process]]
 
* [[NB_PAM | PAM Login Process]]
 
* [[NB_LSM | Linux Security Module and SELinux]]
 
* [[NB_LSM | Linux Security Module and SELinux]]
 +
* [[NB_Userspace_Libraries | SELinux Userspace Libraries]]
 
* [[NB_Networking | SELinux Networking Support]]
 
* [[NB_Networking | SELinux Networking Support]]
 
* [[NB_VM | SELinux Virtual Machine Support]]
 
* [[NB_VM | SELinux Virtual Machine Support]]
 
* [[NB_XWIN | SELinux  X-Windows Support]]
 
* [[NB_XWIN | SELinux  X-Windows Support]]
* [[NB_SQL | SELinux PostgreSQL Support (ver 8.4)]]
+
* [[NB_SandBox | Sandbox Services]]
* [[NB_SQL_9.0 | SELinux PostgreSQL Support (ver 9.0)]]
+
* [[NB_SQL_9.3 | SE-PostgreSQL Support]]
* [[NB_Apache | Apache SELinux Support]]
+
* [[NB_Apache | Apache-Plus Support]]
* [[NB_RefPolicy | Reference Policy Support]]
+
* [[ConfigurationFiles | SELinux Configuration Files]]
 
+
** [[GlobalConfigurationFiles | Global Configuration Files]]
== Relevant F-12 Packages ==
+
** [[PolicyStoreConfigurationFiles | Policy Store Configuration Files]]
The following are the rpm packages installed on the test machine used for all code listings, testing and research:
+
** [[PolicyConfigurationFiles | Policy Configuration Files]]
<pre>
+
* [[PolicyLanguage | The SELinux Policy Languages]]
checkpolicy-2.0.19-3.fc12.i686
+
** [[PolicyLanguage#CIL_Policy_Language | CIL Policy Language]]
checkpolicy-2.0.19-3.fc12.src
+
** [[PolicyLanguage#Kernel_Policy_Language | Kernel Policy Language]]
 
+
*** [[Policy Configuration Statements | Policy Configuration Statements]]
coreutils-7.6-8.f12.src
+
*** [[DefaultRules | Default Rules]]
 
+
*** [[UserStatements | User Statements]]
ipsec-tools-0.7.3-4.fc12.i686
+
*** [[RoleStatements | Role Statements]]
 
+
*** [[TypeStatements | Type Statements]]
kernel-2.6.31.5-127.fc12.i686
+
*** [[Bounds Rules | Bounds Rules]]
kernel-2.6.31.5-127.fc12.src
+
*** [[AVCRules | Access Vector Rules]]
 
+
*** [[XpermRules | Extended Permission Access Vector Rules]]
libselinux-2.0.90-5.fc12.i686
+
*** [[ObjectClassStatements | Object Class and Permission Statements]]
libselinux-devel-2.0.90-5.fc12.i686
+
*** [[ConditionalStatements | Conditional Policy Statements]]
libselinux-python-2.0.90-5.fc12.i686
+
*** [[ConstraintStatements | Constraint Statements]]
libselinux-utils-2.0.90-5.fc12.i686
+
*** [[MLSStatements | MLS Statements]]
 
+
*** [[SIDStatements | Security ID (SID) Statement]]
libsemanage-2.0.45-1.fc12.i686
+
*** [[FileStatements | File System Labeling Statements]]
libsemanage-devel-2.0.45-1.fc12.i686
+
*** [[NetworkStatements | Network Labeling Statements]]
libsemanage-python-2.0.45-1.fc12.i686
+
*** [[PolicyStatements | Modular Policy Support Statements]]
 
+
*** [[XENStatements | XEN Statements]]
libsepol-2.0.41-3.fc12.i686
+
* [[NB_RefPolicy | The Reference Policy]]
libsepol-devel-2.0.41-3.fc12.i686
+
* [[NB_Imp_SELinux-aware_Apps | Implementing SELinux-aware Applications]]
libsepol-static-2.0.41-3.fc12.i686
+
* [[NB_SEforAndroid_1 | SE for Android]]
libsepol-2.0.41-3.fc12.src
+
* [[LibselinuxAPISummary | <tt>libselinux</tt> API Summary]]
 
+
* [[NB_ObjectClassesPermissions | Object Classes and Permissions]]
libvirt-0.7.1-15.f12.src
+
 
+
mcstrans-0.3.1-3.fc12.i686
+
 
+
mod_selinux-2.2.2015-3.fc12.src
+
 
+
netlabel_tools-0.19-3.fc12.i686
+
 
+
policycoreutils-2.0.79-1.fc12.i686
+
policycoreutils-gui-2.0.79-1.fc12.i686
+
policycoreutils-sandbox-2.0.79-1.fc12.i686
+
policycoreutils-python-2.0.79-1.fc12.i686
+
policycoreutils-newrole-2.0.79-1.fc12.i686
+
 
+
postgresql-libs-8.4.3-1.fc12.i686
+
postgresql-8.4.3-1.fc12.i686
+
postgresql-server-8.4.3-1.fc12.i686
+
 
+
qemu-0.12.3-2.fc12.src
+
 
+
selinux-policy-3.6.32-103.fc12.src
+
selinux-policy-3.6.32-103.fc12.noarch
+
selinux-policy-doc-3.6.32-103.fc12.noarch
+
selinux-policy-minimum-3.6.32-103.fc12.noarch
+
selinux-policy-mls-3.6.32-103.fc12.noarch
+
selinux-policy-targeted-3.6.32-103.fc12.noarch
+
 
+
sepostgresql-8.4.2-2583.fc12.i686
+
 
+
setools-3.3.6-4.fc12.i686
+
setools-console-3.3.6-4.fc12.i686
+
setools-gui-3.3.6-4.fc12.i686
+
setools-libs-3.3.6-4.fc12.i686
+
setools-libs-java-3.3.6-4.fc12.i686
+
setools-libs-tcl-3.3.6-4.fc12.i686
+
 
+
xen-3.4.2-1.fc12.src
+
</pre>
+
 
+
The gcc tools will be required to compile and link the test “C” applications used in some of the scenarios (<tt>gcc-4.4.2-20.i686</tt> and <tt>libgcc-4.4.2-20.i686</tt> rpms are installed on the test machine that is using the <tt>kernel-2.6.31.5-127.fc12.i686</tt> rpm).
+

Revision as of 10:56, 21 July 2015

This is a resource for new users, it explains in very broad terms what SELinux does, how to get it and so on.

What does SELinux do?

SELinux controls access between applications and resources. By using a mandatory security policy SELinux enforces the security goals of the system regardless of whether applications misbehave or users act carelessly. SELinux is capable of enforcing a wide range of security goals, from simply sandboxing applications to locking down network facing daemons and restricting users to only the resources they need to work.

How do I know if SELinux is on?

If you use Red Hat Enterprise Linux or Fedora it is enabled by default. To see whether it is actively enforcing the policy you can run getenforce:

[root@localhost ~]# getenforce
Enforcing

If it says Enforcing (as above) your system is being protected by SELinux. If it says permissive SELinux is enabled but is only logging failed accesses, not denying them. If it says Disabled then SELinux is not enabled on your system.

How do I get it?

SELinux isn't a distribution by itself but a security enhancement to Linux that can be enabled by your distribution or vendor (or yourself if you are very motivated).

Distribution How to get it
Red Hat Enterprise Linux (4+) Default
Fedora (2+) Default
Ubuntu Hardened Ubuntu
Debian add-on
Gentoo Hardened Gentoo


Why do I have it?

Your distribution or vendor may have chosen to enable SELinux by default. They are doing this because they want added security protections on the versions of Linux they ship. A huge amount of effort has gone in to creating security policies that protect your system from intrusions while at the same time allowing users to behave the way they normally do. Leaving SELinux enabled on these systems is a good idea because it can protect you from zero-day and known vulnerabilities while balancing your need to use your system the way you need to.

Where can I find help?

There are several mailing lists and IRC channels depending on what distribution you are running and what you need help with. See the Mailing lists and IRC channels page for a full list.

This site has additional documentation that can help you use SELinux. You can start with the administrators and users page.


The SELinux Notebook

Some of the sections from The SELinux Notebook - 4th Edition are available on this site. There is also a supporting source tarball (notebook-source-4.0.tar.gz) available to download that demonstrates some of the SELinux capabilities.

Notebook Sections

The major sections are: