SELinux System Administration - Third Edition: Implement Mandatory Access Control to Secure Applications, Users, and Information Flows on Linux
Field | Value
---|---
Main author: | Vermeulen, Sven
Format: | Electronic e-book
Language: | English
Published: | Birmingham: Packt Publishing, Limited, 2020
Edition: | 3rd ed
Subjects: | Computers - System Administration - Linux & UNIX Administration; Operating systems (Computers) - Linux
Description: | Description based on publisher supplied metadata and other sources
Description: | 1 online resource (459 pages)
ISBN: | 9781800208537
MARC record
Tag | Ind | Content
---|---|---
LEADER | | 00000nmm a2200000zc 4500
001 | | BV047698118
003 | | DE-604
005 | | 00000000000000.0
007 | | cr\|uuu---uuuuu
008 | | 220120s2020 \|\|\|\| o\|\|u\| \|\|\|\|\|\|eng d
020 | | \|a 9781800208537 \|9 978-1-80020-853-7
035 | | \|a (ZDB-30-PQE)EBC6406419
035 | | \|a (ZDB-30-PAD)EBC6406419
035 | | \|a (ZDB-89-EBL)EBL6406419
035 | | \|a (OCoLC)1224364058
035 | | \|a (DE-599)BVBBV047698118
040 | | \|a DE-604 \|b ger \|e rda
041 | 0 | \|a eng
082 | 0 | \|a 340.58
100 | 1 | \|a Vermeulen, Sven \|e Verfasser \|4 aut
245 | 1 0 | \|a SELinux System Administration - Third Edition \|b Implement Mandatory Access Control to Secure Applications, Users, and Information Flows on Linux
250 | | \|a 3rd ed
264 | 1 | \|a Birmingham \|b Packt Publishing, Limited \|c 2020
264 | 4 | \|c ©2020
300 | | \|a 1 Online-Ressource (459 Seiten)
336 | | \|b txt \|2 rdacontent
337 | | \|b c \|2 rdamedia
338 | | \|b cr \|2 rdacarrier
500 | | \|a Description based on publisher supplied metadata and other sources
505 | 8 | \|a Cover -- Title Page -- Copyright and Credits -- About Packt -- Contributors -- Table of Contents -- Preface -- Section 1: Using SELinux -- Chapter 1: Fundamental SELinux Concepts -- Technical requirements -- Providing more security for Linux -- Introducing Linux Security Modules (LSM) -- Extending regular DAC with SELinux -- Restricting root privileges -- Reducing the impact of vulnerabilities -- Enabling SELinux support -- Labeling all resources and objects -- Dissecting the SELinux context -- Enforcing access through types -- Granting domain access through roles -- Limiting roles through users -- Controlling information flow through sensitivities -- Defining and distributing policies -- Writing SELinux policies -- Distributing policies through modules -- Bundling modules in a policy store -- Distinguishing between policies -- Supporting MLS -- Dealing with unknown permissions -- Supporting unconfined domains -- Limiting cross-user sharing -- Incrementing policy versions -- Different policy content -- Summary -- Questions -- Chapter 2: Understanding SELinux Decisions and Logging -- Technical requirements -- Switching SELinux on and off -- Setting the global SELinux state -- Switching to permissive or enforcing mode -- Using kernel boot parameters -- Disabling SELinux protections for a single service -- Understanding SELinux-aware applications -- SELinux logging and auditing -- Following audit events -- Tuning the AVC -- Uncovering more logging -- Configuring Linux auditing -- Configuring the local system logger -- Reading SELinux denials -- Other SELinux-related event types -- Using ausearch -- Getting help with denials -- Troubleshooting with setroubleshoot -- Sending emails when SELinux denials occur -- Using audit2why -- Interacting with systemd-journal -- Using common sense -- Summary -- Questions -- Chapter 3: Managing User Logins
505 | 8 | \|a Technical requirements -- User-oriented SELinux contexts -- SELinux users and roles -- Listing SELinux user mappings -- Mapping logins to SELinux users -- Customizing logins for services -- Creating SELinux users -- Listing accessible domains -- Managing categories -- Handling SELinux roles -- Defining allowed SELinux contexts -- Validating contexts with getseuser -- Switching roles with newrole -- Managing role access through sudo -- Reaching other domains using runcon -- Switching to the system role -- SELinux and PAM -- Assigning contexts through PAM -- Prohibiting access during permissive mode -- Polyinstantiating directories -- Summary -- Questions -- Chapter 4: Using File Contexts and Process Domains -- Technical requirements -- Introduction to SELinux file contexts -- Getting context information -- Interpreting SELinux context types -- Keeping or ignoring contexts -- Inheriting the default contexts -- Querying transition rules -- Copying and moving files -- Temporarily changing file contexts -- Placing categories on files and directories -- Using multilevel security on files -- Backing up and restoring extended attributes -- Using mount options to set SELinux contexts -- SELinux file context expressions -- Using context expressions -- Registering file context changes -- Optimizing recursive context operations -- Using customizable types -- Compiling the different file_contexts files -- Exchanging local modifications -- Modifying file contexts -- Using setfiles, rlpkg, and fixfiles -- Relabeling the entire filesystem -- Automatically setting context with restorecond -- Setting SELinux context at boot with tmpfiles -- The context of a process -- Getting a process context -- Transitioning toward a domain -- Verifying a target context -- Other supported transitions -- Querying initial contexts -- Tweaking memory protections
505 | 8 | \|a Limiting the scope of transitions -- Sanitizing environments on transition -- Disabling unconstrained transitions -- Using Linux's NO_NEW_PRIVS -- Types, permissions, and constraints -- Understanding type attributes -- Querying domain permissions -- Learning about constraints -- Summary -- Questions -- Chapter 5: Controlling Network Communications -- Technical requirements -- Controlling process communications -- Using shared memory -- Communicating locally through pipes -- Conversing over UNIX domain sockets -- Understanding netlink sockets -- Dealing with TCP, UDP, and SCTP sockets -- Listing connection contexts -- Linux firewalling and SECMARK support -- Introducing netfilter -- Implementing security markings -- Assigning labels to packets -- Transitioning to nftables -- Assessing eBPF -- Securing high-speed InfiniBand networks -- Directly accessing memory -- Protecting InfiniBand networks -- Managing the InfiniBand subnet -- Controlling access to InfiniBand partitions -- Understanding labeled networking -- Fallback labeling with NetLabel -- Limiting flows based on the network interface -- Accepting peer communication from selected hosts -- Verifying peer-to-peer flow -- Using old-style controls -- Using labeled IPsec with SELinux -- Setting up regular IPsec -- Enabling labeled IPsec -- Supporting CIPSO with NetLabel and SELinux -- Configuring CIPSO mappings -- Adding domain-specific mappings -- Using local CIPSO definitions -- Supporting IPv6 CALIPSO -- Summary -- Questions -- Chapter 6: Configuring SELinux through Infrastructure-as-Code Orchestration -- Technical requirements -- Introducing the target settings and policies -- The idempotency of actions -- Policy and state management -- SELinux configuration settings -- Setting file contexts -- Recovering from mistakes -- Comparing frameworks -- Using Ansible for SELinux system administration
505 | 8 | \|a How Ansible works -- Installing and configuring Ansible -- Creating and testing the Ansible role -- Assigning SELinux contexts to filesystem resources with Ansible -- Loading custom SELinux policies with Ansible -- Using Ansible's out-of-the-box SELinux support -- Utilizing SaltStack to configure SELinux -- How SaltStack works -- Installing and configuring SaltStack -- Creating and testing our SELinux state with SaltStack -- Assigning SELinux contexts to filesystem resources with SaltStack -- Loading custom SELinux policies with SaltStack -- Using SaltStack's out-of-the-box SELinux support -- Automating system management with Puppet -- How Puppet works -- Installing and configuring Puppet -- Creating and testing the SELinux class with Puppet -- Assigning SELinux contexts to filesystem resources with Puppet -- Loading custom SELinux policies with Puppet -- Using Puppet's out-of-the-box SELinux support -- Wielding Chef for system automation -- How Chef works -- Installing and configuring Chef -- Creating the SELinux cookbook -- Assigning SELinux contexts to filesystem resources with Chef -- Loading custom SELinux policies with Chef -- Using Chef's out-of-the-box SELinux support -- Summary -- Questions -- Section 2: SELinux-Aware Platforms -- Chapter 7: Configuring Application-Specific SELinux Controls -- Technical requirements -- Tuning systemd services, logging, and device management -- Service support in systemd -- Logging with systemd -- Handling device files -- Communicating over D-Bus -- Understanding D-Bus -- Controlling service acquisition with SELinux -- Governing message flows -- Configuring PAM services -- Cockpit -- Cron -- OpenSSH -- Using mod_selinux with Apache -- Introducing mod_selinux -- Configuring the general Apache SELinux sensitivity -- Mapping end users to specific domains -- Changing domains based on source -- Summary
505 | 8 | \|a Questions -- Chapter 8: SEPostgreSQL - Extending PostgreSQL with SELinux -- Technical requirements -- Introducing PostgreSQL and sepgsql -- Reconfiguring PostgreSQL with sepgsql -- Creating a test account -- Tuning sepgsql inside PostgreSQL -- Troubleshooting sepgsql -- Understanding SELinux's database-specific object classes and permissions -- Understanding sepgsql permissions -- Using the default supported types -- Creating trusted procedures -- Using sepgsql-specific functions -- Using MCS and MLS -- Limiting access to columns based on categories -- Constraining the user domain for sensitivity range manipulation -- Integrating SEPostgreSQL into the network -- Creating a fallback label for remote sessions -- Tuning the SELinux policy -- Summary -- Questions -- Chapter 9: Secure Virtualization -- Technical requirements -- Understanding SELinux-secured virtualization -- Introducing virtualization -- Reviewing the risks of virtualization -- Reusing existing virtualization domains -- Fine-tuning virtualization-supporting SELinux policy -- Understanding sVirt's use of MCS -- Enhancing libvirt with SELinux support -- Differentiating between shared and dedicated resources -- Assessing the libvirt architecture -- Configuring libvirt for sVirt -- Changing a guest's SELinux labels -- Customizing resource labels -- Controlling available categories -- Changing the storage pool locations -- Using Vagrant with libvirt -- Deploying Vagrant and the libvirt plugin -- Installing a libvirt-compatible box -- Configuring Vagrant boxes -- Summary -- Questions -- Chapter 10: Using Xen Security Modules with FLASK -- Technical requirements -- Understanding Xen and XSM -- Introducing the Xen hypervisor -- Installing Xen -- Creating an unprivileged guest -- Understanding Xen Security Modules -- Running XSM-enabled Xen -- Rebuilding Xen with XSM support -- Using XSM labels
505 | 8 | \|a Manipulating XSM.
650 | 4 | \|a Computers-System Administration-Linux & UNIX Administration.
650 | 4 | \|a Operating systems (Computers)-Linux
776 | 0 8 | \|i Erscheint auch als \|n Druck-Ausgabe \|a Vermeulen, Sven \|t SELinux System Administration - Third Edition \|d Birmingham : Packt Publishing, Limited,c2020
912 | | \|a ZDB-30-PQE
999 | | \|a oai:aleph.bib-bvb.de:BVB01-033082083
Datensatz im Suchindex
_version_ | 1804183186221039616 |
---|---|
adam_txt | |
any_adam_object | |
any_adam_object_boolean | |
author | Vermeulen, Sven |
author_facet | Vermeulen, Sven |
author_role | aut |
author_sort | Vermeulen, Sven |
author_variant | s v sv |
building | Verbundindex |
bvnumber | BV047698118 |
collection | ZDB-30-PQE |
contents | Cover -- Title Page -- Copyright and Credits -- About Packt -- Contributors -- Table of Contents -- Preface -- Section 1: Using SELinux -- Chapter 1: Fundamental SELinux Concepts -- Technical requirements -- Providing more security for Linux -- Introducing Linux Security Modules (LSM) -- Extending regular DAC with SELinux -- Restricting root privileges -- Reducing the impact of vulnerabilities -- Enabling SELinux support -- Labeling all resources and objects -- Dissecting the SELinux context -- Enforcing access through types -- Granting domain access through roles -- Limiting roles through users -- Controlling information flow through sensitivities -- Defining and distributing policies -- Writing SELinux policies -- Distributing policies through modules -- Bundling modules in a policy store -- Distinguishing between policies -- Supporting MLS -- Dealing with unknown permissions -- Supporting unconfined domains -- Limiting cross-user sharing -- Incrementing policy versions -- Different policy content -- Summary -- Questions -- Chapter 2: Understanding SELinux Decisions and Logging -- Technical requirements -- Switching SELinux on and off -- Setting the global SELinux state -- Switching to permissive or enforcing mode -- Using kernel boot parameters -- Disabling SELinux protections for a single service -- Understanding SELinux-aware applications -- SELinux logging and auditing -- Following audit events -- Tuning the AVC -- Uncovering more logging -- Configuring Linux auditing -- Configuring the local system logger -- Reading SELinux denials -- Other SELinux-related event types -- Using ausearch -- Getting help with denials -- Troubleshooting with setroubleshoot -- Sending emails when SELinux denials occur -- Using audit2why -- Interacting with systemd-journal -- Using common sense -- Summary -- Questions -- Chapter 3: Managing User Logins Technical requirements -- User-oriented SELinux contexts -- SELinux users and roles -- Listing SELinux user mappings -- 
Mapping logins to SELinux users -- Customizing logins for services -- Creating SELinux users -- Listing accessible domains -- Managing categories -- Handling SELinux roles -- Defining allowed SELinux contexts -- Validating contexts with getseuser -- Switching roles with newrole -- Managing role access through sudo -- Reaching other domains using runcon -- Switching to the system role -- SELinux and PAM -- Assigning contexts through PAM -- Prohibiting access during permissive mode -- Polyinstantiating directories -- Summary -- Questions -- Chapter 4: Using File Contexts and Process Domains -- Technical requirements -- Introduction to SELinux file contexts -- Getting context information -- Interpreting SELinux context types -- Keeping or ignoring contexts -- Inheriting the default contexts -- Querying transition rules -- Copying and moving files -- Temporarily changing file contexts -- Placing categories on files and directories -- Using multilevel security on files -- Backing up and restoring extended attributes -- Using mount options to set SELinux contexts -- SELinux file context expressions -- Using context expressions -- Registering file context changes -- Optimizing recursive context operations -- Using customizable types -- Compiling the different file_contexts files -- Exchanging local modifications -- Modifying file contexts -- Using setfiles, rlpkg, and fixfiles -- Relabeling the entire filesystem -- Automatically setting context with restorecond -- Setting SELinux context at boot with tmpfiles -- The context of a process -- Getting a process context -- Transitioning toward a domain -- Verifying a target context -- Other supported transitions -- Querying initial contexts -- Tweaking memory protections Limiting the scope of transitions -- Sanitizing environments on transition -- Disabling unconstrained transitions -- Using Linux's NO_NEW_PRIVS -- Types, permissions, and constraints -- Understanding type attributes -- Querying domain permissions -- Learning 
about constraints -- Summary -- Questions -- Chapter 5: Controlling Network Communications -- Technical requirements -- Controlling process communications -- Using shared memory -- Communicating locally through pipes -- Conversing over UNIX domain sockets -- Understanding netlink sockets -- Dealing with TCP, UDP, and SCTP sockets -- Listing connection contexts -- Linux firewalling and SECMARK support -- Introducing netfilter -- Implementing security markings -- Assigning labels to packets -- Transitioning to nftables -- Assessing eBPF -- Securing high-speed InfiniBand networks -- Directly accessing memory -- Protecting InfiniBand networks -- Managing the InfiniBand subnet -- Controlling access to InfiniBand partitions -- Understanding labeled networking -- Fallback labeling with NetLabel -- Limiting flows based on the network interface -- Accepting peer communication from selected hosts -- Verifying peer-to-peer flow -- Using old-style controls -- Using labeled IPsec with SELinux -- Setting up regular IPsec -- Enabling labeled IPsec -- Supporting CIPSO with NetLabel and SELinux -- Configuring CIPSO mappings -- Adding domain-specific mappings -- Using local CIPSO definitions -- Supporting IPv6 CALIPSO -- Summary -- Questions -- Chapter 6: Configuring SELinux through Infrastructure-as-Code Orchestration -- Technical requirements -- Introducing the target settings and policies -- The idempotency of actions -- Policy and state management -- SELinux configuration settings -- Setting file contexts -- Recovering from mistakes -- Comparing frameworks -- Using Ansible for SELinux system administration How Ansible works -- Installing and configuring Ansible -- Creating and testing the Ansible role -- Assigning SELinux contexts to filesystem resources with Ansible -- Loading custom SELinux policies with Ansible -- Using Ansible's out-of-the-box SELinux support -- Utilizing SaltStack to configure SELinux -- How SaltStack works -- Installing and configuring SaltStack -- 
Creating and testing our SELinux state with SaltStack -- Assigning SELinux contexts to filesystem resources with SaltStack -- Loading custom SELinux policies with SaltStack -- Using SaltStack's out-of-the-box SELinux support -- Automating system management with Puppet -- How Puppet works -- Installing and configuring Puppet -- Creating and testing the SELinux class with Puppet -- Assigning SELinux contexts to filesystem resources with Puppet -- Loading custom SELinux policies with Puppet -- Using Puppet's out-of-the-box SELinux support -- Wielding Chef for system automation -- How Chef works -- Installing and configuring Chef -- Creating the SELinux cookbook -- Assigning SELinux contexts to filesystem resources with Chef -- Loading custom SELinux policies with Chef -- Using Chef's out-of-the-box SELinux support -- Summary -- Questions -- Section 2: SELinux-Aware Platforms -- Chapter 7: Configuring Application-Specific SELinux Controls -- Technical requirements -- Tuning systemd services, logging, and device management -- Service support in systemd -- Logging with systemd -- Handling device files -- Communicating over D-Bus -- Understanding D-Bus -- Controlling service acquisition with SELinux -- Governing message flows -- Configuring PAM services -- Cockpit -- Cron -- OpenSSH -- Using mod_selinux with Apache -- Introducing mod_selinux -- Configuring the general Apache SELinux sensitivity -- Mapping end users to specific domains -- Changing domains based on source -- Summary Questions -- Chapter 8: SEPostgreSQL - Extending PostgreSQL with SELinux -- Technical requirements -- Introducing PostgreSQL and sepgsql -- Reconfiguring PostgreSQL with sepgsql -- Creating a test account -- Tuning sepgsql inside PostgreSQL -- Troubleshooting sepgsql -- Understanding SELinux's database-specific object classes and permissions -- Understanding sepgsql permissions -- Using the default supported types -- Creating trusted procedures -- Using sepgsql-specific functions -- Using MCS 
and MLS -- Limiting access to columns based on categories -- Constraining the user domain for sensitivity range manipulation -- Integrating SEPostgreSQL into the network -- Creating a fallback label for remote sessions -- Tuning the SELinux policy -- Summary -- Questions -- Chapter 9: Secure Virtualization -- Technical requirements -- Understanding SELinux-secured virtualization -- Introducing virtualization -- Reviewing the risks of virtualization -- Reusing existing virtualization domains -- Fine-tuning virtualization-supporting SELinux policy -- Understanding sVirt's use of MCS -- Enhancing libvirt with SELinux support -- Differentiating between shared and dedicated resources -- Assessing the libvirt architecture -- Configuring libvirt for sVirt -- Changing a guest's SELinux labels -- Customizing resource labels -- Controlling available categories -- Changing the storage pool locations -- Using Vagrant with libvirt -- Deploying Vagrant and the libvirt plugin -- Installing a libvirt-compatible box -- Configuring Vagrant boxes -- Summary -- Questions -- Chapter 10: Using Xen Security Modules with FLASK -- Technical requirements -- Understanding Xen and XSM -- Introducing the Xen hypervisor -- Installing Xen -- Creating an unprivileged guest -- Understanding Xen Security Modules -- Running XSM-enabled Xen -- Rebuilding Xen with XSM support -- Using XSM labels Manipulating XSM. |
ctrlnum | (ZDB-30-PQE)EBC6406419 (ZDB-30-PAD)EBC6406419 (ZDB-89-EBL)EBL6406419 (OCoLC)1224364058 (DE-599)BVBBV047698118 |
dewey-full | 340.58 |
dewey-hundreds | 300 - Social sciences |
dewey-ones | 340 - Law |
dewey-raw | 340.58 |
dewey-search | 340.58 |
dewey-sort | 3340.58 |
dewey-tens | 340 - Law |
discipline | Rechtswissenschaft |
discipline_str_mv | Rechtswissenschaft |
edition | 3rd ed |
format | Electronic eBook |
fullrecord | <?xml version="1.0" encoding="UTF-8"?><collection xmlns="http://www.loc.gov/MARC21/slim"><record><leader>10871nmm a2200445zc 4500</leader><controlfield tag="001">BV047698118</controlfield><controlfield tag="003">DE-604</controlfield><controlfield tag="005">00000000000000.0</controlfield><controlfield tag="007">cr|uuu---uuuuu</controlfield><controlfield tag="008">220120s2020 |||| o||u| ||||||eng d</controlfield><datafield tag="020" ind1=" " ind2=" "><subfield code="a">9781800208537</subfield><subfield code="9">978-1-80020-853-7</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(ZDB-30-PQE)EBC6406419</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(ZDB-30-PAD)EBC6406419</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(ZDB-89-EBL)EBL6406419</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(OCoLC)1224364058</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(DE-599)BVBBV047698118</subfield></datafield><datafield tag="040" ind1=" " ind2=" "><subfield code="a">DE-604</subfield><subfield code="b">ger</subfield><subfield code="e">rda</subfield></datafield><datafield tag="041" ind1="0" ind2=" "><subfield code="a">eng</subfield></datafield><datafield tag="082" ind1="0" ind2=" "><subfield code="a">340.58</subfield></datafield><datafield tag="100" ind1="1" ind2=" "><subfield code="a">Vermeulen, Sven</subfield><subfield code="e">Verfasser</subfield><subfield code="4">aut</subfield></datafield><datafield tag="245" ind1="1" ind2="0"><subfield code="a">SELinux System Administration - Third Edition</subfield><subfield code="b">Implement Mandatory Access Control to Secure Applications, Users, and Information Flows on Linux</subfield></datafield><datafield tag="250" ind1=" " ind2=" "><subfield code="a">3rd ed</subfield></datafield><datafield tag="264" ind1=" " ind2="1"><subfield code="a">Birmingham</subfield><subfield 
code="b">Packt Publishing, Limited</subfield><subfield code="c">2020</subfield></datafield><datafield tag="264" ind1=" " ind2="4"><subfield code="c">©2020</subfield></datafield><datafield tag="300" ind1=" " ind2=" "><subfield code="a">1 Online-Ressource (459 Seiten)</subfield></datafield><datafield tag="336" ind1=" " ind2=" "><subfield code="b">txt</subfield><subfield code="2">rdacontent</subfield></datafield><datafield tag="337" ind1=" " ind2=" "><subfield code="b">c</subfield><subfield code="2">rdamedia</subfield></datafield><datafield tag="338" ind1=" " ind2=" "><subfield code="b">cr</subfield><subfield code="2">rdacarrier</subfield></datafield><datafield tag="500" ind1=" " ind2=" "><subfield code="a">Description based on publisher supplied metadata and other sources</subfield></datafield><datafield tag="505" ind1="8" ind2=" "><subfield code="a">Cover -- Title Page -- Copyright and Credits -- About Packt -- Contributors -- Table of Contents -- Preface -- Section 1: Using SELinux -- Chapter 1: Fundamental SELinux Concepts -- Technical requirements -- Providing more security for Linux -- Introducing Linux Security Modules (LSM) -- Extending regular DAC with SELinux -- Restricting root privileges -- Reducing the impact of vulnerabilities -- Enabling SELinux support -- Labeling all resources and objects -- Dissecting the SELinux context -- Enforcing access through types -- Granting domain access through roles -- Limiting roles through users -- Controlling information flow through sensitivities -- Defining and distributing policies -- Writing SELinux policies -- Distributing policies through modules -- Bundling modules in a policy store -- Distinguishing between policies -- Supporting MLS -- Dealing with unknown permissions -- Supporting unconfined domains -- Limiting cross-user sharing -- Incrementing policy versions -- Different policy content -- Summary -- Questions -- Chapter 2: Understanding SELinux Decisions and Logging -- Technical requirements -- Switching 
SELinux on and off -- Setting the global SELinux state -- Switching to permissive or enforcing mode -- Using kernel boot parameters -- Disabling SELinux protections for a single service -- Understanding SELinux-aware applications -- SELinux logging and auditing -- Following audit events -- Tuning the AVC -- Uncovering more logging -- Configuring Linux auditing -- Configuring the local system logger -- Reading SELinux denials -- Other SELinux-related event types -- Using ausearch -- Getting help with denials -- Troubleshooting with setroubleshoot -- Sending emails when SELinux denials occur -- Using audit2why -- Interacting with systemd-journal -- Using common sense -- Summary -- Questions -- Chapter 3: Managing User Logins</subfield></datafield><datafield tag="505" ind1="8" ind2=" "><subfield code="a">Technical requirements -- User-oriented SELinux contexts -- SELinux users and roles -- Listing SELinux user mappings -- Mapping logins to SELinux users -- Customizing logins for services -- Creating SELinux users -- Listing accessible domains -- Managing categories -- Handling SELinux roles -- Defining allowed SELinux contexts -- Validating contexts with getseuser -- Switching roles with newrole -- Managing role access through sudo -- Reaching other domains using runcon -- Switching to the system role -- SELinux and PAM -- Assigning contexts through PAM -- Prohibiting access during permissive mode -- Polyinstantiating directories -- Summary -- Questions -- Chapter 4: Using File Contexts and Process Domains -- Technical requirements -- Introduction to SELinux file contexts -- Getting context information -- Interpreting SELinux context types -- Keeping or ignoring contexts -- Inheriting the default contexts -- Querying transition rules -- Copying and moving files -- Temporarily changing file contexts -- Placing categories on files and directories -- Using multilevel security on files -- Backing up and restoring extended attributes -- Using mount options to set SELinux 
contexts -- SELinux file context expressions -- Using context expressions -- Registering file context changes -- Optimizing recursive context operations -- Using customizable types -- Compiling the different file_contexts files -- Exchanging local modifications -- Modifying file contexts -- Using setfiles, rlpkg, and fixfiles -- Relabeling the entire filesystem -- Automatically setting context with restorecond -- Setting SELinux context at boot with tmpfiles -- The context of a process -- Getting a process context -- Transitioning toward a domain -- Verifying a target context -- Other supported transitions -- Querying initial contexts -- Tweaking memory protections</subfield></datafield><datafield tag="505" ind1="8" ind2=" "><subfield code="a">Limiting the scope of transitions -- Sanitizing environments on transition -- Disabling unconstrained transitions -- Using Linux's NO_NEW_PRIVS -- Types, permissions, and constraints -- Understanding type attributes -- Querying domain permissions -- Learning about constraints -- Summary -- Questions -- Chapter 5: Controlling Network Communications -- Technical requirements -- Controlling process communications -- Using shared memory -- Communicating locally through pipes -- Conversing over UNIX domain sockets -- Understanding netlink sockets -- Dealing with TCP, UDP, and SCTP sockets -- Listing connection contexts -- Linux firewalling and SECMARK support -- Introducing netfilter -- Implementing security markings -- Assigning labels to packets -- Transitioning to nftables -- Assessing eBPF -- Securing high-speed InfiniBand networks -- Directly accessing memory -- Protecting InfiniBand networks -- Managing the InfiniBand subnet -- Controlling access to InfiniBand partitions -- Understanding labeled networking -- Fallback labeling with NetLabel -- Limiting flows based on the network interface -- Accepting peer communication from selected hosts -- Verifying peer-to-peer flow -- Using old-style controls -- Using labeled IPsec with 
SELinux -- Setting up regular IPsec -- Enabling labeled IPsec -- Supporting CIPSO with NetLabel and SELinux -- Configuring CIPSO mappings -- Adding domain-specific mappings -- Using local CIPSO definitions -- Supporting IPv6 CALIPSO -- Summary -- Questions -- Chapter 6: Configuring SELinux through Infrastructure-as-Code Orchestration -- Technical requirements -- Introducing the target settings and policies -- The idempotency of actions -- Policy and state management -- SELinux configuration settings -- Setting file contexts -- Recovering from mistakes -- Comparing frameworks -- Using Ansible for SELinux system administration</subfield></datafield><datafield tag="505" ind1="8" ind2=" "><subfield code="a">How Ansible works -- Installing and configuring Ansible -- Creating and testing the Ansible role -- Assigning SELinux contexts to filesystem resources with Ansible -- Loading custom SELinux policies with Ansible -- Using Ansible's out-of-the-box SELinux support -- Utilizing SaltStack to configure SELinux -- How SaltStack works -- Installing and configuring SaltStack -- Creating and testing our SELinux state with SaltStack -- Assigning SELinux contexts to filesystem resources with SaltStack -- Loading custom SELinux policies with SaltStack -- Using SaltStack's out-of-the-box SELinux support -- Automating system management with Puppet -- How Puppet works -- Installing and configuring Puppet -- Creating and testing the SELinux class with Puppet -- Assigning SELinux contexts to filesystem resources with Puppet -- Loading custom SELinux policies with Puppet -- Using Puppet's out-of-the-box SELinux support -- Wielding Chef for system automation -- How Chef works -- Installing and configuring Chef -- Creating the SELinux cookbook -- Assigning SELinux contexts to filesystem resources with Chef -- Loading custom SELinux policies with Chef -- Using Chef's out-of-the-box SELinux support -- Summary -- Questions -- Section 2: SELinux-Aware Platforms -- Chapter 7: Configuring 
Application-Specific SELinux Controls -- Technical requirements -- Tuning systemd services, logging, and device management -- Service support in systemd -- Logging with systemd -- Handling device files -- Communicating over D-Bus -- Understanding D-Bus -- Controlling service acquisition with SELinux -- Governing message flows -- Configuring PAM services -- Cockpit -- Cron -- OpenSSH -- Using mod_selinux with Apache -- Introducing mod_selinux -- Configuring the general Apache SELinux sensitivity -- Mapping end users to specific domains -- Changing domains based on source -- Summary</subfield></datafield><datafield tag="505" ind1="8" ind2=" "><subfield code="a">Questions -- Chapter 8: SEPostgreSQL - Extending PostgreSQL with SELinux -- Technical requirements -- Introducing PostgreSQL and sepgsql -- Reconfiguring PostgreSQL with sepgsql -- Creating a test account -- Tuning sepgsql inside PostgreSQL -- Troubleshooting sepgsql -- Understanding SELinux's database-specific object classes and permissions -- Understanding sepgsql permissions -- Using the default supported types -- Creating trusted procedures -- Using sepgsql-specific functions -- Using MCS and MLS -- Limiting access to columns based on categories -- Constraining the user domain for sensitivity range manipulation -- Integrating SEPostgreSQL into the network -- Creating a fallback label for remote sessions -- Tuning the SELinux policy -- Summary -- Questions -- Chapter 9: Secure Virtualization -- Technical requirements -- Understanding SELinux-secured virtualization -- Introducing virtualization -- Reviewing the risks of virtualization -- Reusing existing virtualization domains -- Fine-tuning virtualization-supporting SELinux policy -- Understanding sVirt's use of MCS -- Enhancing libvirt with SELinux support -- Differentiating between shared and dedicated resources -- Assessing the libvirt architecture -- Configuring libvirt for sVirt -- Changing a guest's SELinux labels -- Customizing resource labels -- 
Controlling available categories -- Changing the storage pool locations -- Using Vagrant with libvirt -- Deploying Vagrant and the libvirt plugin -- Installing a libvirt-compatible box -- Configuring Vagrant boxes -- Summary -- Questions -- Chapter 10: Using Xen Security Modules with FLASK -- Technical requirements -- Understanding Xen and XSM -- Introducing the Xen hypervisor -- Installing Xen -- Creating an unprivileged guest -- Understanding Xen Security Modules -- Running XSM-enabled Xen -- Rebuilding Xen with XSM support -- Using XSM labels</subfield></datafield><datafield tag="505" ind1="8" ind2=" "><subfield code="a">Manipulating XSM.</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Computers-System Administration-Linux & UNIX Administration..</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Operating systems (Computers)-Linux</subfield></datafield><datafield tag="776" ind1="0" ind2="8"><subfield code="i">Erscheint auch als</subfield><subfield code="n">Druck-Ausgabe</subfield><subfield code="a">Vermeulen, Sven</subfield><subfield code="t">SELinux System Administration - Third Edition</subfield><subfield code="d">Birmingham : Packt Publishing, Limited,c2020</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">ZDB-30-PQE</subfield></datafield><datafield tag="999" ind1=" " ind2=" "><subfield code="a">oai:aleph.bib-bvb.de:BVB01-033082083</subfield></datafield></record></collection> |
id | DE-604.BV047698118 |
illustrated | Not Illustrated |
index_date | 2024-07-03T18:58:07Z |
indexdate | 2024-07-10T09:19:26Z |
institution | BVB |
isbn | 9781800208537 |
language | English |
oai_aleph_id | oai:aleph.bib-bvb.de:BVB01-033082083 |
oclc_num | 1224364058 |
open_access_boolean | |
physical | 1 online resource (459 pages) |
psigel | ZDB-30-PQE |
publishDate | 2020 |
publishDateSearch | 2020 |
publishDateSort | 2020 |
publisher | Packt Publishing, Limited |
record_format | marc |
title | SELinux System Administration - Third Edition Implement Mandatory Access Control to Secure Applications, Users, and Information Flows on Linux |
title_auth | SELinux System Administration - Third Edition Implement Mandatory Access Control to Secure Applications, Users, and Information Flows on Linux |
title_exact_search | SELinux System Administration - Third Edition Implement Mandatory Access Control to Secure Applications, Users, and Information Flows on Linux |
title_exact_search_txtP | SELinux System Administration - Third Edition Implement Mandatory Access Control to Secure Applications, Users, and Information Flows on Linux |
title_full | SELinux System Administration - Third Edition Implement Mandatory Access Control to Secure Applications, Users, and Information Flows on Linux |
title_fullStr | SELinux System Administration - Third Edition Implement Mandatory Access Control to Secure Applications, Users, and Information Flows on Linux |
title_full_unstemmed | SELinux System Administration - Third Edition Implement Mandatory Access Control to Secure Applications, Users, and Information Flows on Linux |
title_short | SELinux System Administration - Third Edition |
title_sort | selinux system administration third edition implement mandatory access control to secure applications users and information flows on linux |
title_sub | Implement Mandatory Access Control to Secure Applications, Users, and Information Flows on Linux |
topic | Computers-System Administration-Linux & UNIX Administration.. Operating systems (Computers)-Linux |
topic_facet | Computers-System Administration-Linux & UNIX Administration.. Operating systems (Computers)-Linux |
work_keys_str_mv | AT vermeulensven selinuxsystemadministrationthirdeditionimplementmandatoryaccesscontroltosecureapplicationsusersandinformationflowsonlinux |