Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletter Hub
Free Learning
Arrow right icon
timer SALE ENDS IN
0 Days
:
00 Hours
:
00 Minutes
:
00 Seconds
SELinux System Administration
SELinux System Administration

SELinux System Administration: With a command of SELinux you can enjoy watertight security on your Linux servers. This guide shows you how through examples taken from real-life situations, giving you a good grounding in all the available features.

eBook
$9.99 $21.99
Paperback
$36.99
Subscription
Free Trial
Renews at $19.99p/m

What do you get with eBook?

Product feature icon Instant access to your Digital eBook purchase
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
OR
Modal Close icon
Payment Processing...
tick Completed

Billing Address

Table of content icon View table of contents Preview book icon Preview Book

SELinux System Administration

Chapter 1. Fundamental SELinux Concepts

SELinux (Security Enhanced Linux) brings additional security measures for your Linux system to further protect the resources on the system.

In this chapter, we will cover:

  • Reasons for SELinux using labels to identify resources

  • The way SELinux differentiates itself from regular Linux access controls through the enforcement of security rules

  • How to know these rules are provided through policy files

At the end, we will provide an overview of the differences between SELinux implementations across distributions.

Providing more security to Linux


Seasoned Linux administrators and security engineers already know that they need to have some trust in the users and processes on their system in order for the system to remain secure. Part of that is because users can attempt to exploit vulnerabilities found on the software running on the system, but a large part of it is because the secure state of the system depends on the behavior of the users. A Linux user with access to sensitive information can easily leak that out to the public, manipulate the behavior of the applications he launches, and can do many more things. The default access controls in place in a regular Linux system are discretionary, meaning it is up to the user's discretion how the access controls should behave.

The Linux DAC (Discretionary Access Control) mechanism is based on the user and/or group information of the process versus the user and/or group information of the file, directory, or other resource that is being manipulated. Consider the /etc/shadow file, which contains the password and account information of the local Linux accounts:

$ ls -l /etc/shadow
-rw------- 1 root root 1010 Apr 25 22:05 /etc/shadow

Without additional access control mechanisms in place, this file is readable and writable by any process that is owned by the root user, regardless of the purpose of the process on the system. The shadow file is a typical example of a sensitive file that we don't want to see leaked or abused in any other fashion. Yet, the moment someone has access to the file he can copy it elsewhere, for example, to their home directory or even mail it to his own computer and attempt to attack the password hashes stored within.

Another example of how Linux DAC requires trust from its users is when a database is hosted on the system. Database files themselves are (hopefully) only manageable by the runtime user of the database management system (DBMS) and the Linux root user. Properly secured systems will grant the additional users access to these files (for instance through sudo) by allowing these users to change their effective user ID from their personal user to the database runtime user, or even root. Those users too can analyze the database files and gain access to potentially very confidential information in the database without going through the DBMS.

But users are not the only reason of securing a system. Lots of software daemons run as the Linux root user or have significant privileges on the system. Errors within those daemons can easily lead to information leakage or might even be exploitable remote command execution vulnerabilities. Backup software, monitoring software, change management software, scheduling software, and so on, they all often run with the highest privileged account possible on a regular Linux system. Even when the administrator does not fully trust the users, their interaction with the daemons still induces a potential security risk. As such, the users still get some kind of trust in order for the system to function properly. And through that, he leaves the security of the system to the discretion of its (many) users.

Enter SELinux which provides an additional access control layer on top of the standard Linux DAC mechanism. SELinux provides a MAC (Mandatory Access Control) system that, unlike its DAC counterpart, gives the administrator full control over what is allowed on the system and what isn't. It accomplishes this by supporting a policy-driven approach on what processes are and aren't allowed to do and what not, and enforcing this policy through the Linux kernel.

The word "mandatory" here, just like the word "discretionary" before, is not chosen by accident to describe the abilities of the access control system. Both are known terms in the security research field and have been described in many other publications, including the TCSEC (Trusted Computer System Evaluation Criteria) (http://csrc.nist.gov/publications/history/dod85.pdf) standard (also known as the "Orange Book") by the Department of Defense, in the United States of America's in 1985. This publication has lead to the common criteria standard for computer security certification at (ISO/IEC 15408) http://www.commoncriteriaportal.org/cc/.

Mandatory means that access control is enforced by the operating system and defined solely by the administrator. Users and processes that do not have the permission to change the security rules cannot work around the access control; security is not left at their discretion anymore.

Linux security modules to the rescue

Consider the example of the shadow file again. A MAC system can be configured so that the file can only be read from and written to by particular processes. A user logged on as root cannot directly access the file or even move it around. He can't even change the attributes of the file:

# id
uid=0(root) gid=0(root)
# cat /etc/shadow
cat: /etc/shadow: Permission denied
# chmod a+r /etc/shadow
chmod: changing permissions of '/etc/shadow': Permission denied

This is enforced through rules that describe when the contents of a file can be read. With SELinux, these rules are defined in the SELinux policy and are loaded when the system boots. It is the Linux kernel itself that is responsible for enforcing the rules, and does so through LSM (Linux Security Modules).

High-level overview of how LSM is integrated in the Linux kernel

LSM has been available in the Linux kernel since version 2.6, somewhere in December 2003. It is a framework that provides "hooks" inside the Linux kernel on various locations, including the system call entry points, and allows a security implementation (for example, SELinux) to provide functions to be called when a hook is triggered. These functions can then do their magic (for instance, checking the policy and other information) and give a go / no go back to allow the call to go through or not. LSM by itself does not provide any security functionality, instead it relies on security implementations that do heavy lifting. SELinux is one of these implementations that uses LSM, but others such as TOMOYO Linux and AppArmor also use it.

SELinux versus regular DAC

SELinux does not change the Linux DAC implementation, nor can it override denials made by the Linux DAC permissions. If a regular system (without SELinux) prevents a particular access, there is nothing SELinux can do to override this decision. This is because the LSM hooks are triggered after the regular DAC permission checks have been done.

If you need to allow an additional user access to a file, you will need to look into other features of Linux such as the use of POSIX Access Control Lists through the setfacl and getfacl commands. These allow the user (not only the administrator!) to set additional access controls on files and directories, opening up the provided permission to additional users or groups.

Restricting root privileges

The regular Linux DAC allows for an all-powerful user: root. Unlike most other users on the system, a logged on root user has all the rights needed to fully manage the entire system, ranging from overriding access controls to controlling audit, changing user ID, managing the network, and many more. This is handled through a security concept called capabilities (for an overview of Linux capabilities, check out the capabilities manual page: man capabilities). SELinux is also able to restrict access to these capabilities in a fine-grained manner.

Due to this fine-grained authorization aspect of SELinux, even the root user can be quite confined without impacting the operations on the system. The example of accessing /etc/shadow previously is just one example of things that a powerful user as root still might not be able to do due to the SELinux access controls in place.

When SELinux was added to the mainstream Linux kernel, some security projects even went as far as providing public root shell access to a SELinux protected system, asking hackers and other security researchers to compromise the box. The ability to restrict root was welcomed by system administrators that sometimes need to pass on the root password or root shell to other users (for example, database administrators) that needed root privileges when their software went haywire. Thanks to SELinux, the administrator can now pass on a root shell while reassuring himself that the user only has those rights he needs, and not full system administration rights.

Enabling SELinux – not just a switch

To enable SELinux on a Linux system, it is not just a matter of enabling the SELinux LSM module within the Linux kernel. SELinux comprises not only of the kernel implementation, but also has libraries and utilities that are needed on the system. These libraries and utilities are called the SELinux userspace (http://userspace.selinuxproject.org/trac). Next to the userspace applications and libraries, various components on a Linux system need to be updated with SELinux-specific code, including the init system, core utilities, and the C library. And finally, we need a policy that tells SELinux how it should enforce access.

Because SELinux isn't just a switch that needs to be toggled, Linux distributions that support SELinux usually come with SELinux predefined and loaded: Fedora and RedHat Enterprise Linux (with its derivatives, for example, CentOS and Oracle Linux) are the most well-known examples. Other supporting distributions might not automatically have SELinux enabled but can easily support it through the installation of additional packages (which is the case for Debian and Ubuntu), and others have a well-documented approach on how to convert a system towards SELinux (for example, Gentoo and Arch Linux).

Throughout the book, examples will be shown from Gentoo and Fedora 19 (which is similar to RedHat Enterprise Linux). We opt to use these two because they have different implementation details, allowing us to show the full potential of SELinux.

Everything gets a label


In natural language, the term "context" can be used in a sentence for example, "it depends on the context". Well, with SELinux, it does depend on the context! The context of a process is what identifies the process to SELinux. SELinux has no notion of Linux process ownership and frankly doesn't care how the process is called, which process ID it has and under which account the process runs. All it wants to know is what the context is of that process. Let's look at an example context: the context of the current user (try it out yourself if you are on a SELinux enabled system):

$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

The id command, which returns information about the current user, with the -Z switch (a commonly agreed switch for displaying SELinux information) shows us the context of the current user (actually the context of the id process itself when it was executing). As we can see, the context is a string representation, and looks like it has five fields (it doesn't, it has four fields. The last field just happens to contain a ':').

SELinux developers decided to use contexts (strings) instead of real process metadata as well as contexts on resources (often called labels) for its access controls. This is different to MAC systems such as AppArmor which use the path of the binary (and thus the process name) and the paths of the resources to handle permission checks. The decision to make SELinux a label-based mandatory access control was taken for various reasons, which are as follows:

  • Using paths might be easier for administrators, but this doesn't allow to keep the context information close to the resource. If a file or directory is moved, remounted, or a process has a different namespace view on the files, the access controls might behave differently. With contexts, this information is retained and the system keeps controlling the resource properly.

  • Contexts reveal the context of the process very well. The same binary application can be launched in different contexts depending on how it got started. The context value (for example, the one shown in the id -Z output earlier on) is exactly what the administrator needs. With it, he knows what the rights are of each of the running instances, but he can also deduce from it how the process might have been launched.

  • Contexts also make abstraction of the object itself. We are talking now about processes and files, but this is also applicable to less tangible resources, for example: pipes (inter-process communication) or database objects. Path-based identification only works as long as you can write a path.

As an example, consider the following two sentences:

  • Allow the httpd processes to bind to the TCP port 80

  • Allow the processes labeled with "httpd_t" to bind to TCP ports labeled with "http_port_t"

In the first example, we cannot easily reuse this policy when the web server process isn't using the httpd binary (perhaps because it was renamed, or it isn't Apache but another web server), or when we want to have HTTP access on a different port. With the labeled approach, the binary can be called "apache2" or "MyWebServer.py"; as long as the process is labeled httpd_t then the policy applies. The same with the port definition, you can label port 8080 with http_port_t and thus allow the web servers to bind to that port as well.

The context fields

To come to a context, SELinux uses at least three, and sometimes four values. Let us look at the context of the Apache web server as an example:

$ ps -eZ | grep httpd
system_u:system_r:httpd_t:s0  511  ?   00:00:00 httpd

As we can see, the process is assigned a context which is made up of the following fields:

  • system_u - represents the SELinux user

  • system_r - represents the SELinux role

  • httpd_t - represents the SELinux type (also known as domain in case of a process)

  • s0 - represents the sensitivity

The roles can be depicted as follows:

Structure of a SELinux context, using the id -Z output as an example

When we work with SELinux, contexts are all that we need. In the majority of cases, it is the third field (called the domain or type) that is most important as the majority of SELinux policy rules (over 99 percent) consists of rules related to the interaction between two types (without mentioning roles, users, or sensitivities).

SELinux types

As mentioned, SELinux is a label-based access control mechanism. In most SELinux literature, this is fine-tuned to say that SELinux is a type enforcement mandatory access control system. This is because the type of a process (called the domain) defines the fine-grained access controls of that process with respect to itself or other types (which can be processes, files, sockets, network interfaces, and more). When some access attempts are denied, the fine-grained access controls on the type level are most likely to blame.

With type enforcement, SELinux is able to control what an application is allowed to do based on how it got executed in the first place: a web server that is launched interactively by a user will run with a different type than a web server executed through the init system, even though the process binary and path are the same. The web server launched from the init system is most likely trusted (and thus allowed to do whatever web servers are supposed to do), whereas a user launched web server is less likely to be of "normal behavior" and as such will have different privileges.

For instance, look at the following dbus-daemon processes:

# ps -eZ | grep dbus-daemon
system_u:system_r:system_dbusd_t 4531 ?        00:00:00 dbus-daemon
staff_u:staff_r:staff_dbusd_t    5266 ?        00:00:00 dbus-daemon

In the preceding example, one dbus-daemon process is the system D-Bus daemon running with the aptly named system_dbusd_t type, whereas another one is running with the staff_dbusd_t type assigned to it. Even though their binaries are completely the same, they both serve a different purpose on the system and as such have a different type assigned. SELinux then uses this type to govern the actions allowed by the process towards other types, including how system_dbusd_t can interact with staff_dbusd_t.

SELinux types are by convention suffixed with "_t", although this is not mandatory.

SELinux roles

SELinux roles - the second part of a SELinux context, enable SELinux to support role-based access controls. Although type enforcement is the most used (and known) part of SELinux, role-based access control is vital in order to keep a system secure, especially from malicious user attempts. SELinux roles are used to define which types a user processes can be in. As such, SELinux roles help define what a user can and cannot do.

On most SELinux enabled systems, the following roles are made available to be assigned to users. By convention, SELinux roles are defined with an "_r" suffix. Some of the roles and their descriptions are as follows:

user_r

This role is meant for restricted users, the user_r SELinux role is only allowed to have processes with types specific to end-user applications. Privileged types, for instance, those used to switch Linux user are not allowed for this role.

staff_r

This role is meant for non-critical operator tasks, the SELinux staff_r role is generally restricted to the same applications as the restricted user, but is also allowed to (a very few) more privileged types. It is the default role for operators to be in (so as to keep those users in the "least privileged" role as long as possible).

sysadm_r

This role is meant for system administration tasks, the sysadm_r SELinux role is very privileged, allowing for various system administration tasks. However, certain end user application types might not be supported (especially if those types are used for potentially vulnerable or untrusted software) to try and keep the system free from infections.

system_r

This role is meant for daemons and background processes, the system_r SELinux role is quite privileged, supporting the various daemon and system process types. However, end user application types and other administrative types are not allowed in this role.

unconfined_r

This role is meant for end users, the unconfined_r role is allowed a limited number of types, but those types are very privileged as it is meant for running any application launched by a user in a more or less unconfined manner (not restricted by SELinux rules). This role as such is only available if the system administrator wants to protect certain processes (mostly daemons) while keeping the rest of the system operations almost untouched by SELinux.

Other roles might be supported as well, such as guest_r and xguest_r (Fedora). It is wise to consult the distribution documentation for more information about the supported roles.

SELinux users

A SELinux user is different from a Linux user. Unlike the Linux user information which can change while the user is working on the system (through tools such as sudo or su), the SELinux policy will enforce that the SELinux user remains the same even when the Linux user itself has changed. Because of the immutable state of the SELinux user, specific access controls can be implemented to ensure that users cannot work around the (limited) set of permissions granted to them, even when they get privileged access. An example of such an access control is the UBAC (User Based Access Control) feature that some Linux distributions (optionally) enable, not allowing access to files of different SELinux users.

But the most important feature of SELinux users is that SELinux user definitions restrict which roles the (Linux) user is allowed to be in. Once a user is assigned a SELinux user, he cannot switch to a role that he isn't meant to be in. This is the role-based access control implementation of SELinux.

SELinux users are, by convention, defined with a "_u" suffix, although this is not mandatory. The SELinux users that most distributions have available are named after the role they represent, but instead of ending with "_r" they end with "_u". For instance, for the sysadm_r role, there is a sysadm_u SELinux user.

Sensitivity labels

Although not always present (some Linux distributions by default do not enable sensitivity labels), the sensitivity labels are needed for the MLS (Multi-Level Security) support within SELinux. Sensitivity labels allow classification of resources and restriction of access to those resources based on a security clearance. These labels consists of two parts: a confidentiality value (prefixed with "s") and a category value (prefixed with "c").

In many organizations and companies, documents are labeled internal, confidential, or strictly confidential. SELinux can assign processes a certain clearance level towards these resources. With MLS, SELinux can be configured to follow the Bell-LaPadula model, a security model that can be characterized by "no read up, no write down": based on a process' clearance level, that process cannot read anything with a higher confidentiality level nor write to (or communicate otherwise with) any resource with a lower confidentiality level. SELinux by itself, does not use the "internal", "confidential", and other labels. Instead, it uses numbers from 0 (lowest confidentiality) to whatever the system administrator wants to be as the highest value (this is configurable and set when the SELinux policy is built).

Categories allow for resources to be tagged with one or more categories on which access controls are also possible. The idea behind categories is to support multi-tenancy (for example, as systems hosting applications for multiple customers) within a Linux system, by having processes and resources belonging to one tenant to be assigned a particular category whereas the processes and resources of another tenant getting a different category. When a process does not have proper categories assigned, it cannot do anything with resources (or other processes) that have other categories assigned.

In that sense, categories can be seen as tags, allowing access to be granted only when the tags of the process and the target resource match.

Left arrow icon Right arrow icon

Key benefits

  • Use SELinux to further control network communications
  • Enhance your system's security through SELinux access controls
  • Set up SELinux roles, users and their sensitivity levels

Description

NSA Security-Enhanced Linux (SELinux) is a set of patches and added utilities to the Linux kernel to incorporate a strong, flexible, mandatory access control architecture into the major subsystems of the kernel. With its fine-grained yet flexible approach, it is no wonder Linux distributions are firing up SELinux as a default security measure. SELinux System Administration covers the majority of SELinux features through a mix of real-life scenarios, descriptions, and examples. Everything an administrator needs to further tune SELinux to suit their needs are present in this book. This book touches on various SELinux topics, guiding you through the configuration of SELinux contexts, definitions, and the assignment of SELinux roles, and finishes up with policy enhancements. All of SELinux's configuration handles, be they conditional policies, constraints, policy types, or audit capabilities, are covered in this book with genuine examples that administrators might come across. By the end, SELinux System Administration will have taught you how to configure your Linux system to be more secure, powered by a formidable mandatory access control.

Who is this book for?

Linux administrators will enjoy the various SELinux features that this book covers and the approach used to guide the admin into understanding how SELinux works. The book assumes that you have basic knowledge in Linux administration, especially Linux permission and user management.

What you will learn

  • Enable and disable features selectively or even enforce them to a granular level
  • Interpret SELinux logging to make security-conscious decisions
  • Assign new contexts and sensitivity labels to files and other resources
  • Work with mod_selinux to secure web applications
  • Use tools like sudo, runcon, and newrole to switch roles and run privileged commands in a safe environment
  • Use iptables to assign labels to network packets
  • Configure IPSec and NetLabel to transport SELinux contexts over the wire
  • Build your own SELinux policies using reference policy interfaces

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Sep 24, 2013
Length: 120 pages
Edition : 1st
Language : English
ISBN-13 : 9781783283187
Vendor :
Red Hat
Tools :

What do you get with eBook?

Product feature icon Instant access to your Digital eBook purchase
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
OR
Modal Close icon
Payment Processing...
tick Completed

Billing Address

Product Details

Publication date : Sep 24, 2013
Length: 120 pages
Edition : 1st
Language : English
ISBN-13 : 9781783283187
Vendor :
Red Hat
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total $ 140.97
SELinux Cookbook
$48.99
Web Penetration Testing with Kali Linux
$54.99
SELinux System Administration
$36.99
Total $ 140.97 Stars icon
Banner background image

Table of Contents

6 Chapters
Fundamental SELinux Concepts Chevron down icon Chevron up icon
Understanding SELinux Decisions and Logging Chevron down icon Chevron up icon
Managing User Logins Chevron down icon Chevron up icon
Process Domains and File-level Access Controls Chevron down icon Chevron up icon
Controlling Network Communications Chevron down icon Chevron up icon
Working with SELinux Policies Chevron down icon Chevron up icon

Customer reviews

Top Reviews
Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.2
(9 Ratings)
5 star 44.4%
4 star 33.3%
3 star 22.2%
2 star 0%
1 star 0%
Filter icon Filter
Top Reviews

Filter reviews by




Robert S. Apr 11, 2014
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Helped me solve issues immediately. Did not have much knowledge of SELinux, and with this book I was able to get my server working properly and efficiently quickly.
Amazon Verified review Amazon
Kindle Customer Dec 30, 2014
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This is a very nice introduction, for me, to SELinux. I have always ended up running my Linux system (basically a desktop) in "permissive" mode. The main reason is that I just wanted to get my work done and I kept getting "dings" from SELinux in Enforcing mode which where stopping me. This book took me only about 4 hours to read from cover to cover (OK, I didn't read the index). But it introduced me to enough of the concepts and commands in SELinux for me to be comfortable to try changing to "Enforcing" mode.
Amazon Verified review Amazon
Leupold, Sven Nov 27, 2014
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Excellent book if you're looking for an overview. Although the matter is not simple and easy to begin with, Sven Vermeulen's book guides you step by step into SELinux Administration. The command line examples in the text, help you to understand the basics and dive into even deeper.I would absolutly recommend this book to everybody who is willing to learn about SELinux and features. 5 stars!
Amazon Verified review Amazon
Adam J Miller Dec 01, 2014
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Wonderful resource for any Linux Systems Administrator digging into SELinux. This book covers multiple distributions and is written in an approachable way that isn't too dry or overly daunting. Definitely recommended for Admins/Ops looking to gain SELinux knowledge.
Amazon Verified review Amazon
Alberto Reis Aug 01, 2016
Full star icon Full star icon Full star icon Full star icon Empty star icon 4
Sven oferece uma abordagem bastante flexível para você implantar SELinux sem restringir a uma distribução especificamente. Este é o ponto forte deste livro, mostrar diversas ferramentas que você pode usar para uma mesma tarefa considerando um ambiente Linux heterogêneo. A experiência do autor lhe permite mostrar o que é mais apropriado usar, pois SELinux está por aí há algum tempo e distribuições implementam ferramentas convenientes para sua comunidade.Os exemplos utilizados ilustram o conceito e mecanismos apresentados, A leitura é interessante executando conforme o leitor avança entre os capítulos. Embora já tivesse lido o manual do administrador SELinux da distribuição que escolhi, achei que o texto trás uma introdução suficiente para iniciar por este livro.Cobre superficialmente o desenvolvimento de módulos do SELinux, apresenta uma comparação entre duas maneiras de especificar as políticas de segurança, modo "nativo" menos usual e através de referências para outros módulos com o uso de macros de uma API que ele não descreve neste livro.Recomendo este livro para administradores de sistemas, mas se você tem uma tarefa que exigirá o desenvolvimento de módulos do SELinux, então será necessário uma literatura adicional, caso tenha domínio sobre os conceitos apresentados no manual do administrador do SELinux da sua distribuição Linux, esta óbra é informativa e opcional.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

How do I buy and download an eBook? Chevron down icon Chevron up icon

Where there is an eBook version of a title available, you can buy it from the book details for that title. Add either the standalone eBook or the eBook and print book bundle to your shopping cart. Your eBook will show in your cart as a product on its own. After completing checkout and payment in the normal way, you will receive your receipt on the screen containing a link to a personalised PDF download file. This link will remain active for 30 days. You can download backup copies of the file by logging in to your account at any time.

If you already have Adobe reader installed, then clicking on the link will download and open the PDF file directly. If you don't, then save the PDF file on your machine and download the Reader to view it.

Please Note: Packt eBooks are non-returnable and non-refundable.

Packt eBook and Licensing When you buy an eBook from Packt Publishing, completing your purchase means you accept the terms of our licence agreement. Please read the full text of the agreement. In it we have tried to balance the need for the ebook to be usable for you the reader with our needs to protect the rights of us as Publishers and of our authors. In summary, the agreement says:

  • You may make copies of your eBook for your own use onto any machine
  • You may not pass copies of the eBook on to anyone else
How can I make a purchase on your website? Chevron down icon Chevron up icon

If you want to purchase a video course, eBook or Bundle (Print+eBook) please follow below steps:

  1. Register on our website using your email address and the password.
  2. Search for the title by name or ISBN using the search option.
  3. Select the title you want to purchase.
  4. Choose the format you wish to purchase the title in; if you order the Print Book, you get a free eBook copy of the same title. 
  5. Proceed with the checkout process (payment to be made using Credit Card, Debit Cart, or PayPal)
Where can I access support around an eBook? Chevron down icon Chevron up icon
  • If you experience a problem with using or installing Adobe Reader, the contact Adobe directly.
  • To view the errata for the book, see www.packtpub.com/support and view the pages for the title you have.
  • To view your account details or to download a new copy of the book go to www.packtpub.com/account
  • To contact us directly if a problem is not resolved, use www.packtpub.com/contact-us
What eBook formats do Packt support? Chevron down icon Chevron up icon

Our eBooks are currently available in a variety of formats such as PDF and ePubs. In the future, this may well change with trends and development in technology, but please note that our PDFs are not Adobe eBook Reader format, which has greater restrictions on security.

You will need to use Adobe Reader v9 or later in order to read Packt's PDF eBooks.

What are the benefits of eBooks? Chevron down icon Chevron up icon
  • You can get the information you need immediately
  • You can easily take them with you on a laptop
  • You can download them an unlimited number of times
  • You can print them out
  • They are copy-paste enabled
  • They are searchable
  • There is no password protection
  • They are lower price than print
  • They save resources and space
What is an eBook? Chevron down icon Chevron up icon

Packt eBooks are a complete electronic version of the print edition, available in PDF and ePub formats. Every piece of content down to the page numbering is the same. Because we save the costs of printing and shipping the book to you, we are able to offer eBooks at a lower cost than print editions.

When you have purchased an eBook, simply login to your account and click on the link in Your Download Area. We recommend you saving the file to your hard drive before opening it.

For optimal viewing of our eBooks, we recommend you download and install the free Adobe Reader version 9.