Bibliographic record and links to related information available from the Library of Congress catalog.
Note: Contents data are machine generated based on pre-publication provided by the publisher. Contents may have variations from the printed book or be incomplete or contain other coding.
Chapter 1 Background The Inevitability of Software Failure The Evolution of Access Control Security in Operating Systems The Reference Monitor Concept and Standard Linux Access Control The Problem with Discretionary Access Control The Origins of Mandatory Access Control A Better Form of Mandatory Access Control The Evolution of SELinux Summary Exercises Chapter 2 Concepts Security Contexts for Type Enforcement Comparing SELinux with Standard Linux More on Security Contexts Type Enforcement Access Control Type Enforcement by Example The Problem of Domain Transitions Review of SetUID Programs in Standard Linux Security Domain Transitions Default Domain Transitions: type_transition Statement The Role of Roles Multilevel Security in SELinux SELinux Features Familiarization Revisiting the Passwd Example Perusing the Policy File Summary Exercises Chapter 3 Architecture The Kernel Architecture LSM Framework SELinux LSM Module User-space Object Managers Kernel Support for User-space Object Managers Policy Server Architecture SELinux Policy Language The Native SELinux Policy Language Compiler Source Policy Modules in a Monolithic Policy Loadable Policy Modules Building and Installing Monolithic Policies Summary Exercises Chapter 4 Object Classes and Permissions Purpose of Object Classes in SELinux Defining Object Classes in SELinux Policy Declaring Object Classes Declaring and Associating Object Class Permissions Common Permissions Associating Permissions With Object Classes Available Object Classes File-Related Object Classes Network-Related Object Classes System V IPC Object Classes Miscellaneous Object Classes Object Class Permission Examples File Object Class Permissions Standard Linux Permissions Extensions to the Standard Linux Access Control SELinux Specific Permissions Process Object Class Permissions Process Creation Process Domain Type Transition File Creation Process Signaling Process Attributes Executing Writable Memory Exploring Object Classes with Apol Summary Exercises Chapter 5 Type Enforcement Type Enforcement Types, Attributes, and Aliases Declaring Types Types and Attributes Associating Types and Attributes Aliases Access Vector Rules Common AV Rule Syntax AV Rule Keys Using Attributes in AV Rules Multiple Types and Attributes in AV Rules The Special Type self The Negation Special Operator Specifying Object Classes and Permissions in AV Rules Special Permission Operators for AV Rules Allow Rules Audit Rules Neverallow Rules Type Rules Common Type Rule Syntax Type Transition Rules Default Domain Transitions Default Object Transitions Type Change Rules Exploring Type Enforcement Rules with Apol Summary Exercises Chapter 6 Roles and Users Role-based Access Control in SELinux Overview of RBAC in SELinux Managing User Privileges with Roles Users and Roles in Object Security Contexts Roles and Role Statements Role Declaration Statement Role Allow Rules Role Transition Rules Role Dominance Statement Users and User Statements Declaring Users and Associating Roles Mapping Linux Users to SELinux Users Exploring Roles and Users with Apol Summary Exercises Chapter 7 Constraints Closer Look at the Access Decision Algorithm Constrain Statement Label Transition Constraints Summary Exercises Chapter 8 Multilevel Security Multilevel Security Constraints Security Contexts with MLS Defining Security Levels MLS Extensions to Security Contexts MLS Constraints mlsconstrain Statement mlsvalidatetrans Statement Other Impacts of MLS Summary Exercises Chapter 9 Conditional Policies Overview of Conditional Policies Boolean Variables Defining Boolean Variables Managing Booleans in a Running System Persistent Changes to Boolean Values Conditional Statements Conditional Expressions and Rule Lists Conditional Statement Limitations Supported Statements Nesting Conditional Statements Examining Booleans and Conditional Policies with Apol Summary Exercises Chapter 10 Object Labeling Introduction to Object Labeling File-Related Object Labeling Extended Attribute Filesystems (fs_use_xattr) Labeling Behavior for Extended Attribute Filesystems Managing Security Contexts in Extended Attribute Filesystems (File Contexts) Task-based Filesystems (fs_use_task) Transition-based Filesystems (fs_use_trans) Generalized Security Context Labeling (genfscon) Fine-grained Labeling with genfscon Statement Legacy Filesystem Labeling with genfscon Statement Network and Socket Object Labeling Network Interface Labeling (netifcon) Network Node Labeling (nodecon) Network Port Labeling (portcon) Socket Labeling System V IPC Miscellaneous Object Labeling Capability Object Labeling Process Object Labeling System and Security Object Labeling Initial Security Identifiers Exploring Object Labeling with Apol Summary Exercises Chapter 11 Original Example Policy Methods for Managing the Build Process Strict Example Policy Overview of Policy Source File Structure Object Class and Permission Definitions Domains Types and Policy Rules Unaffiliated Resource Types Miscellaneous Top-level Files and Directories Security Context Labeling Application Configuration Files Examining an Example Policy Module Defining Types for a Domain Specifying Domain Transition Rules Conditional Policy Example Network and Other Access for Ping Audit Rules File Security Contexts Labeling Build Options for Strict Example Policy Configuring Policy Modules Enabling Optional MLS Features Build-time Tunables Targeted Example Policy Summary Exercises Chapter 12 Reference Policy Goals of the Reference Policy Overview of Policy Source File Structure Build and Support Files Core Policy Files Design Principles Layering Modularity Encapsulation Abstraction Module Files Interfaces Examining a Reference Policy Module Build Options for Reference Policy The build.conf File The modules.conf File Summary Exercises Chapter 13 Managing an SELinux System SELinux Configuration and Policy Management Files The SELinux Configuration File (/etc/selinux/config) The Policy Directories Installed Booleans Files Application and File Security Contexts SELinux User Definitions The SELinux Filesystem Impacts of SELinux on System Administration Managing Users Adding an Ordinary Unprivileged User Adding a Privileged User Account Changing a User Role Understanding Audit Messages General SELinux Audit Messages AVC Messages Using Seaudit to View Audit Logs Fixing Problems: File-related Object Labeling File-related Object Labeling Commands Automatic Relabeling Managing Multiple Policies Summary Exercises Chapter 14 Writing Policy Modules Overview of Writing a Policy Module Preparation and Planning Gathering Application Information Creating a Test Environment Specifying Security Goals Creating an Initial Policy Module Creating Policy Module Files Example Policy Reference Policy Declaring Types Example Policy Reference Policy Allowing Initial Restrictive Access Example Policy Reference Policy Allowing Domain Transitions and Authorizing Roles Example Policy Reference Policy Integrating into the System Policy Example Policy Reference Policy Creating the Labeling Policy Example Policy Reference Policy Applying the Policy Testing and Analyzing the Policy Testing the Policy Module Evaluating Audit Messages and Allowing Additional Access Adding Additional Access in the Example Policy Adding Additional Access in the Reference Policy Testing the Additional Access Policy Analysis Emerging Policy Development Tools Complete IRC Daemon Module Listings Summary Appendix A Obtaining SELinux Sample Policies Example Policy Example Policy from Upstream SELinux Sites Strict and Targeted Policies for Fedora Core 4 Red Hat Enterprise Linux 4 (RHEL4) Fedora Core Experimental and Test Policies Reference Policy Primary Reference Policy Red Hat?s Fedora Core 5 Reference Policy Appendix B Participation and Further Information The SELinux Mail List The Annual SELinux Symposium The NSA Tresys Technology Open Source Projects The SELinux IRC Channel The Fedora Core Site Hardened Gentoo Other Related Security Information Appendix C Object Classes and Permissions Common Permission Sets Object Classes and Defined Permission Sets File-related Object Classes Network and Socket Object Classes System V IPC related Object Classes Miscellaneous Object Classes Appendix D SELinux Commands and Utilities System Utilities Policy Tools SELinux Status Information Security Context Labeling Security Context Changing Utilities SELinux Modified Commands Policy Module Manual Pages SETools Suite Other SELinux Tools
Library of Congress Subject Headings for this publication:
Operating systems (Computers).
Computer networks -- Security measures.