Thursday, June 11, 2015

SELinux resources

A quick introduction to SELinux helps to get a high-level idea of the SELinux security subsystem. It covers the difference between discretionary and mandatory access control, the labeled approach that SELinux takes, and how it is integrated in the Linux operating system.
For more in-depth information, please refer to the following resources.
Type enforcement: Controlling accesses is done in most cases through a type-enforcement based approach
Role-based access control: Ensuring a least privilege approach on a Linux system using SELinux' RBAC model
User-based access control: Ensuring segregation of users, even when they run using the same domains and accessing the same types
Information flow control: Limiting information flow based on security clearance and sensitivities
Unconfined domains: When SELinux protections are not needed in all cases, unconfined domains can be used.
User guides
Installation: The main resource for installing and enabling SELinux on a Gentoo system
Users and logins: Mapping Linux users (logins) to SELinux users
Managing labels: Setting and configuring file (and other resource) labels
Policy: The SELinux policy defines the acceptable behavior on a system; it can be rebuilt by administrators, loaded and unloaded (through its modular design) and tweaked by adding more policy rules
Logging: SELinux usually logs denials in the audit log (or system log if no auditing is enabled)
Booleans: Enable or disable additional policy controls through SELinux booleans
States: SELinux can be enabled or disabled, and can run in enforcing, partial permissive or full permissive mode
Expert documentation
Policy development: Updating SELinux policy to suit your needs, and sending patches to Gentoo or even upstream projects
Policy store: The policy store contains the SELinux policy binaries; multiple stores can be defined on a system
Networking support: SELinux supports port labeling, but also packet-based access controls through SECMARK and peer-to-peer labeling support
Reference material
FAQ: Frequently Asked Questions on SELinux and SELinux integration in Gentoo
SELinux policy language: Supported SELinux language constructs
Policy module specific information: More in-depth information about particular SELinux policy modules
