Part I. SELinux

Table of Contents

1. Introduction
1.1. Benefits of running SELinux
1.2. Examples
1.3. SELinux Architecture
1.4. SELinux States and Modes
1.5. What Is New in Red Hat Enterprise Linux 7
2. SELinux Contexts
2.1. Domain Transitions
2.2. SELinux Contexts for Processes
2.3. SELinux Contexts for Users
3. Targeted Policy
3.1. Confined Processes
3.2. Unconfined Processes
3.3. Confined and Unconfined Users
3.3.1. The sudo Transition and SELinux Roles
4. Working with SELinux
4.1. SELinux Packages
4.2. Which Log File is Used
4.3. Main Configuration File
4.4. Permanent Changes in SELinux States and Modes
4.4.1. Enabling SELinux
4.4.2. Disabling SELinux
4.5. Booleans
4.5.1. Listing Booleans
4.5.2. Configuring Booleans
4.5.3. Shell Auto-Completion
4.6. SELinux Contexts – Labeling Files
4.6.1. Temporary Changes: chcon
4.6.2. Persistent Changes: semanage fcontext
4.7. The file_t and default_t Types
4.8. Mounting File Systems
4.8.1. Context Mounts
4.8.2. Changing the Default Context
4.8.3. Mounting an NFS Volume
4.8.4. Multiple NFS Mounts
4.8.5. Making Context Mounts Persistent
4.9. Maintaining SELinux Labels
4.9.1. Copying Files and Directories
4.9.2. Moving Files and Directories
4.9.3. Checking the Default SELinux Context
4.9.4. Archiving Files with tar
4.9.5. Archiving Files with star
4.10. Information Gathering Tools
4.11. Prioritizing SELinux Policy Modules
4.12. Multi-Level Security (MLS)
4.12.1. MLS and System Privileges
4.12.2. Enabling MLS in SELinux
4.12.3. Creating a User With a Specific MLS Range
4.12.4. Setting Up Polyinstantiated Directories
4.13. File Name Transition
4.14. Disable ptrace()
4.15. Thumbnail Protection
5. The sepolicy Suite
5.1. The sepolicy Python Bindings
5.2. Generating SELinux Policy Modules: sepolicy generate
5.3. Understanding Domain Transitions: sepolicy transition
5.4. Generating Manual Pages: sepolicy manpage
6. Confining Users
6.1. Linux and SELinux User Mappings
6.2. Confining New Linux Users: useradd
6.3. Confining Existing Linux Users: semanage login
6.4. Changing the Default Mapping
6.5. xguest: Kiosk Mode
6.6. Booleans for Users Executing Applications
7. sVirt
7.1. Security and Virtualization
7.2. sVirt Labeling
8. Secure Linux Containers
9. SELinux systemd Access Control
9.1. SELinux Access Permissions for Services
9.2. SELinux and journald
10. Troubleshooting
10.1. What Happens when Access is Denied
10.2. Top Three Causes of Problems
10.2.1. Labeling Problems
10.2.2. How are Confined Services Running?
10.2.3. Evolving Rules and Broken Applications
10.3. Fixing Problems
10.3.1. Linux Permissions
10.3.2. Possible Causes of Silent Denials
10.3.3. Manual Pages for Services
10.3.4. Permissive Domains
10.3.5. Searching For and Viewing Denials
10.3.6. Raw Audit Messages
10.3.7. sealert Messages
10.3.8. Allowing Access: audit2allow
11. Further Information
11.1. Contributors
11.2. Other Resources