Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Book Reviews Books Media

SELinux by Example 77

Ravi writes "SELinux is a project started and actively maintained by the U.S Department of Defense to provide a Mandatory Access Controls mechanism in Linux. It had been a long standing grouse of Linux power users and system administrators over its lack of fine grained access control over various running processes as well as files in Linux. While Solaris touts its famous RBAC and Microsoft Windows has its own way of providing finer rights to its resources, Linux had to put up with the simple but crude user rights known in tech speak as discretionary access control to control user access of files. With SELinux project making great strides and now being bundled with many major Linux distributions, it is possible to effectively lock down a Linux system through judicious use of SELinux policies. SELinux implements a more flexible form of MAC called type enforcement and an optional form of multilevel security." Read the rest of Ravi's review.
SELinux by Example
author Frank Mayer, David Caplan, Karl MacMillan
pages 425
publisher Prentice Hall
rating 8
reviewer Ravi Kumar
ISBN 0131963694
summary This book imparts a deep understanding of the features, structure, syntax and working of SELinux


The book SELinux by Example is authored by three people — Frank Mayer, Karl Macmillan and David Caplan and is published by Prentice Hall. There are a total of 14 chapters and 4 appendices spread just over 400 pages. The 14 chapters are in turn broadly divided into three parts with the first part containing chapters which provide an overview of SELinux, its background and the concepts behind it. The second part contains 7 chapters which are most useful for SELinux policy writers and contain detailed explanation of the syntax used in writing the policy files. It is the third part, "Creating and Writing SELinux Security Policies" which could be most put to use by system administrators.

In the second chapter, the authors introduce the concept of type enforcement access control, the understanding of which is imperative to ones knowledge of SELinux. They further discuss the concept of roles and multi level security. True to the title of the book, all these concepts are explained by analyzing the security controls of the ubiquitous passwd program.

In the succeeding chapter the authors explain the underlying architecture of SELinux. More specifically, how SELinux integrates with the Linux kernel via the Linux security module (LSM), the organization of the policy source file and how to build and install policies.

SELinux policies to a large extent are based on object classes. For example, you can create an object class and associate a set of permissions to that class. All objects associated with that class will share the same set of permissions. In the fourth chapter, one get to know about different types of object classes and the permissions that can be assigned to these classes. A total of 40 classes and 48 permissions are discussed in this chapter.

The next chapter titled "Types Enforcement" goes into a detailed analysis of all the types and attributes as well as the rules that could be used. The majority of SELinux policy is a set of statements and rules that collectively define the type enforcement policy. Going through the chapter, I was able to get a fair idea of the syntax used in writing TE policies.

Keeping in mind the complexity of the subject, it helps a great deal that at the end of each chapter there is a summary section where the authors have listed the important points covered. More over, one gets to answer a couple of questions and check one's knowledge about the topic being discussed.

In the 6th chapter, the authors explain in detail the concept of roles and their relationship in SELinux. What I really like about this book is the fact that each concept of SELinux has been dedicated a chapter of its own. For instance, constraints, multilevel security, type enforcement, conditional policies,... all are explained in chapters of their own.

One thing worth noting is that Fedora Core 4 and RHEL 4 and above ship with the targeted policy by default. Where as to completely lock down a Linux machine, you need to embrace the strict SELinux policy. This has the side effect of causing breakages with some of the existing Linux applications which expect looser security controls. In targeted policy, the more confining rules are focused on a subset of likely to be attacked network applications. In most cases, one can manage by using targeted policy. This book mostly deals with the strict policy of SELinux and in chapter 11, the authors dissect the strict example policy maintained and updated via the NSA and Fedora Core mailing lists.

There is another policy called the Reference Policy which is an attempt to water down the strict policy maintained by NSA. In the process making it easier to use, understand, maintain, and more modular. This is covered in the succeeding chapter titled "Reference Policy".

The next chapter titled "Managing an SELinux system" is one which the system administrators will relate to, where the authors throw light on the hierarchy of SELinux configuration files. The purpose of each file is explained in simple terms. Considering that SELinux comes bundled with a rich set of tools meant to be used by system administrators, one gets to know the usage of some of them and also learn about the common problems that are faced by administrators while administering an SELinux system.

In the last chapter of the book, one is introduced to the task of writing policy modules. Here the authors hand hold in the creation of a policy module for the IRC daemon for Fedora Core 4, from the planning stage to writing and applying the policy module, to the final testing.

The book also includes 4 appendices which contain a wealth of knowledge on SELinux. I especially liked appendix C which lists all the object classes and permissions as well as appendix D which has a list of SELinux system tools and third party utilities with explanations.

I found that I was better able to assimilate what the authors explained when I read the 13th chapter of this book first and then went back to read the 4th chapter onwards. Having said that, I find this book to be an excellent resource for people interested in developing SELinux policies and to a slightly lesser extent a resource for system administrators. At the very least, this book imparts a deep understanding of the features, structure, syntax and working of SELinux.

Ravi Kumar maintains a blog at linuxhelp.blogspot.com where he shares his thoughts and experiences on all things related to Linux.


You can purchase SELinux by Example from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
This discussion has been archived. No new comments can be posted.

SELinux by Example

Comments Filter:
  • by User 956 ( 568564 ) on Wednesday March 14, 2007 @03:28PM (#18353589) Homepage
    With SELinux project making great strides and now being bundled with many major Linux distributions, it is possible to effectively lock down a Linux system through judicious use of SELinux policies.

    You can say that, sure, but I think for most people, SE'ing is believing.
  • Interesting (Score:2, Interesting)

    by 26199 ( 577806 ) *

    But is it useful? For military and some business use, I can see it... but does anyone actually run SELinux on a home system?

    If so -- why?

    • by Anonymous Coward on Wednesday March 14, 2007 @03:47PM (#18353857)

      Yes, I selinux it with FC6. For several reasons. Firstly because I can; It just completely doesn't get in the way. I've come across a two policy things I had to change; in both cases the built in tool warned me about them, so I knew it was an SeLinux problem and didn't spend ages serching. Secondly, in both cases it gave me reasonable (but not complete) information about what to to to fixi it and finlally, if you learn how to use audit2allow all my problems were really easy to fix (and if you report them with audit message RedHat does a fix which gets rid of them in future almost immediately anyway).

      Secondly I have a few servers on my system, it's nice to know that there is a reasonable chance they won't break my desktop if they get hacked into.

      Finally, I have several proprietary applications I use (e.g. Skype) given past experience, I don't trust these not to do bad things like sending of my private data. Making an SeLinux policy lets me control which data these applications have access to.

      Generally, running SeLinux just gives more of a feel of having control over what your programs are doing on your computer. Without it, you can limit programs from one UserID to the next, but there's no easy way to limit access within a UserID (well; chroot, but that's not really easy).

      • Humm ... is this just me or is someone being slightly naive here ?

        SELinux as mighty as it may be for tracking skype and alike, it will probably not track down your perl script include tags (lets say mailfilters that run somewhere, or from another app, the "safe" javascript in mozilla ?). Yep you can tell your mozilla that it shouldn't read a or b or c nor should it write d, but how much can you restrict perl on your system ? or bash for this sake ? bash scripts are not always harmless :p will SELinu
        • Re: (Score:1, Informative)

          by Anonymous Coward
          Am I being slightly naive? Well; my primary argument is that the cost is low so it's worth doing. As far as php and perl include problems go, that's exactly where it's value is greatest. In the default FC6 (Fedora Core 6) configuration, the normal user is mostly unprotected but each server runs in a largely isolated selinux domain. When someone compromises your web script, they can compromise the web server to some extent, but that extent is much less than even just the access of the apache user.

          If, on
  • Check out the Gentoo hardening overview. They refer to a couple of good kernel technologies useful to secure your system if you are that paranoid.

    Hardening [gentoo.org]

    And keep in mind: Even if you are not paranoid, they still could be out to get you.

  • AppArmor? (Score:4, Informative)

    by G Money ( 12364 ) * on Wednesday March 14, 2007 @04:02PM (#18354081) Homepage
    It seems to me that AppArmor [wikipedia.org] is still a much more suitable tool for MAC under Linux for 99% of the systems that need it. Unless you have very complex security requirements and are defending national secrets, all the extra effort it takes to setup SELinux isn't needed. By taking the approach of hardening the weakest points of the system (network applications, processes that run as root, etc...) you can gain almost all the security benefits without having all the added complexity. And yes, as a disclaimer, I know many of the Immunix crew behind AppArmor and have worked with them at Defcon and such. Having used both SELinux and AppArmor I can say there's no comparison in terms of effectiveness. If a security tool it too complex to use it will be used incorrectly and can lead to even worse security problems. I would rather stick with a much simpler approach that still provides all the confinement of MAC but only where I need it.
    • What's your take on node-based vs. path-based MAC specification?
      • Re: (Score:3, Informative)

        by G Money ( 12364 ) *
        With path based you do open yourself up to problems with evil people doing things with links and whatnot but the general idea of AppArmor is that you wouldn't let someone get that far in the first place, or if you did, they belonged there. Node based eliminates that problem but opens up a new set of issues in terms of backing up filesystems (many commercial and even some open source backup solutions are brain dead when it comes to preserving extended information from the filesystem and will just ignore ino
    • Re: (Score:2, Interesting)

      by Anonymous Coward
      AppArmor and SELinux took two totally different approaches. AppArmor started addressing usability first, and security second. SELinux took the reverse approach. I would argue that when it comes to a security mechanism, the one with the soundest implementation would always win. But unfortunately this is not the case. But SELinux has been taking leaps and bounds to address the usability issue. Just check out SLIDE, reference policy, and FC6/RHEL5.
    • Re: (Score:3, Insightful)

      It seems to me that AppArmor is still a much more suitable tool for MAC under Linux for 99% of the systems that need it.

      The truth is, the vast majority of systems don't need either, but the concept is a nice security architecture to have in place for those rare instances where it is needed and as a built in part of security going forward.

      Having used both SELinux and AppArmor I can say there's no comparison in terms of effectiveness. If a security tool it too complex to use it will be used incorrectly and can lead to even worse security problems. I would rather stick with a much simpler approach that still provides all the confinement of MAC but only where I need it.

      If you're trying to secure a system today, you might be better of with AppArmor from what I understand. If you're trying to decide upon a MAC architecture that will be part of Linux going forward, SELinux looks like a much better bet. Ubiquitous application of MAC is a big win in the l

  • Am I the only only who, because of the capital "SE", skipped the "Linu" and went straight to "x".
  • Sounds like an ad (Score:3, Interesting)

    by Animats ( 122034 ) on Wednesday March 14, 2007 @04:49PM (#18354731) Homepage

    Hell, it is an ad. Read the last line of the article.

    SELinux is a great idea, but almost nobody gets it. NSA wrote it so that commercial and open source application developers could get accustomed to writing programs that would work on a system that enforced mandatory security. The hope was that, for example, Firefox and Apache would be modified to work well under very restrictive security models, so that if some app misbehaved, its damage would be limited. This was the first step in getting out of the mess we're in now with patch-based insecurity.

    Not too much of that has happened.

    • Not too much of that has happened.

      You haven't run modern linux distros for a while, don't you? Linux distros have been shipping SELinux for years, and not just "for fun" - they wouldn't go through the pain of including it if they didn't use it.

      Red Hat 4, which was released on February 2005 already used SELinux at least for: apache, dhcpd, mysqld, named, nscd, ntpd, portmap, postgres, snmpd, squid, syslogdm winbind. RHEL 5 (released today) probably adds more.

      No, people still hasn't wrote SELinux rules for fi
  • I would love to use SELinux but end up doing a setenforce 0 and make it permissible because of these things:
    • Ubuntu does not support SELinux without going to the world repository and I can't get the system to boot with the default policies. This is well known and is current a work-in-progress and we all know the state of SELinux in Ubuntu. Ubuntu also has a lot of upgrade issues with deprecated libraries and versioning and I end up with a corrupt system.
    • Gentoo never installs properly; too many broken repos
  • Fedora Core 5 gives you the option of turning SELinux on or not. I had no prior experience with it, and decided to see how bad it is. All security is bad. Sometimes, you have to live with it. I was not able to get user home directories to work in Apache. The error logs were unrevealing. Turning off SELinux fixed everything. (Google suggested i try that. Google knows everything, though some of the things it knows are wrong.)

    So, before i can turn SELinux back on, i have to go through the SELinux learni
    • by juhaz ( 110830 )

      So, before i can turn SELinux back on, i have to go through the SELinux learning curve. A book like this could help. I've not yet looked for on-line docs.

      You might not need the book any more. The configuration has been simplified a lot in FC6, it has a daemon that monitors the log files, and a gui tool that pops up a notification whenever SELinux blocks something, and in common cases tells you what do to tweak the specific setting.

      For example, I tried temporarily turning on the "don't allow apache to read home dirs", and get this if I try to access them: http://www.cc.puv.fi/~e0600613/sealert.png [cc.puv.fi]

  • The nice about user/group permissions ... is that they don't require books of 400 pages for explanations..
  • SELinux - Useable? (Score:2, Interesting)

    by softcoder ( 252233 )
    I am running a Centos 4 system, with SELinux active. Since it is a web server box, I want it secured. Centos 4, is about Fedora 3 vintage when it comes to SELinux, and my config is about 2 years old. I hope that the current state of SELinux has improved a lot since then but it is hard to tell.
    One thing you DO NOT need if you are trying to run SELINUX is 400 pages of abstract security theory and discussions on the 'flask' model etc. etc. There is way too much info of that sort out there and not nearly enough
  • It seems to be installed as a "required" package in a minimal install (debootstrap). When I do 'apt-get remove libselinux1' it wants to remove most of the packages on my system (xorg, etc.). Other posts seem to indicate they are not running some of it, but I want to run NONE of it.
  • Yes, but... (Score:1, Funny)

    by Anonymous Coward
    does it run on Linux?

    oh, wait...
  • Solaris's heavily touted Role Based Access Control Mechanism was built upon Unix's file permissions, SU bit capabilities, limited shells, and extra user accounts that had a shell that rejected direct logins.

    As of 2 years ago, there was little, if nothing that RBAC did that wasn't available to a well-tooled sysadmin on a normal UNI*X box (without SELinux capabilities).

  • I actually tried to buy this book a week ago. No luck.
  • I don't know about SE Linux very well but just wanted to know that whether I can accomplish the same things which SE Linux does using PAM?
    • by guruevi ( 827432 )
      PAM is something completely different than SELinux. PAM tries to give you pluggable authentication modules through the same interface (kinda like a general API for Unix/Linux authentication). If you are a programmer, whether the end user uses a local username, LDAP or MySQL for authentication, you have to write only 1 authentication option in your program to authenticate.

      SELinux is a type of MAC architecture for Linux. It enforces the actual security on objects based on their policy, defined separately from
  • and Microsoft Windows has its own way of providing finer rights to its resources, Linux had to put up with the simple but crude user rights known in tech speak as discretionary access control to control user access of files.

    A small point, but the access control in Windows is also called "discretionary". They are different models, but they are both discretionary.

    One way of thinking about this is that mandatory means "access controlled by a mandatory policy" and discretionary means "access controlled at t

  • It's a shame that MAC also refers to Mandatory Access Controls. MAC already means Media Access Control, as in MAC Address. And when I ask someone to tell me their MAC address so I can register them on the network, they sometimes say that they have a PC not a Mac, so it already has at least two IT meanings. What with the new meaning of KVM, it's all getting a bit confusing.
  • I will never ever use SELinux. I've had two very bad experiences with it. As far as I'm concerned I'll take malware over it.

    First problem. I had a shiny new install of FC3. I try to get apache to start serving webpages. It only works in one directory. The folks at fedoraforum.org were useless as usual. A couple of posts on an apache email list had me remove the php, apache, and mysql rpms and reinstall from source. After a week of nothing working, I finally stumbled upon some vague reference about S
    • I have FC6 installed. Just disable SELinux on the first boot configuration (this will trigger another reboot). I have had no problems since then. My first install of FC6 I disabled SELinux after the box was up via the config file and rebooted. Rebooting failed with (what else) a SELinux warning which halted the machine mid boot.
  • Hi,

    If you think SELinux is too much/heavy for you, you might be interested in TOMOYO Linux. I'm so sure that most of you never heard of "TOMOYO Linux", so I'll explain briefly. "TOMOYO Linux is a project started and actively maintained by the Japanese SI company, NTT DATA CORPORATION to provide a Mandatory Access Controls mechanism in Linux."

    In short, TOMOYO Linux is quite similar to AppArmor and has been available at SourceForge.jp under GPL license since Nov. 2005.

    TOMOYO Linux Project [sourceforge.jp]

    The project

After all is said and done, a hell of a lot more is said than done.

Working...