You're reading from SELinux System Administration, Third Edition Implement mandatory access control to secure applications, users, and information flows on Linux

Product type Paperback

Published in Dec 2020

Publisher Packt

ISBN-13 9781800201477

Length 458 pages

Edition 3rd Edition

Tools

Docker

Concepts

System Administration

Author (1):

Sven Vermeulen

Preface

1. Section 1: Using SELinux

2. Chapter 1: Fundamental SELinux Concepts FREE CHAPTER

3. Chapter 2: Understanding SELinux Decisions and Logging

4. Chapter 3: Managing User Logins

5. Chapter 4: Using File Contexts and Process Domains

6. Chapter 5: Controlling Network Communications

7. Chapter 6: Configuring SELinux through Infrastructure-as-Code Orchestration

8. Section 2: SELinux-Aware Platforms

9. Chapter 7: Configuring Application-Specific SELinux Controls

10. Chapter 8: SEPostgreSQL – Extending PostgreSQL with SELinux

11. Chapter 9: Secure Virtualization

12. Chapter 10: Using Xen Security Modules with FLASK

13. Chapter 11: Enhancing the Security of Containerized Workloads

14. Section 3: Policy Management

15. Chapter 12: Tuning SELinux Policies

16. Chapter 13: Analyzing Policy Behavior

17. Chapter 14: Dealing with New Applications

18. Chapter 15: Using the Reference Policy

19. Chapter 16: Developing Policies with SELinux CIL

20. Assessments

21. Other Books You May Enjoy

Chapter 5

The command to apply a type to a TCP port is created with semanage. For instance, to apply the ssh_port_t type to TCP port 10122, execute the following command:
```
# semanage port -a -t ssh_port_t -p tcp 10122
```
However, this only works as long as the port itself is not already explicitly mapped to an SELinux type. You can query whether this is the case with sepolicy, for example:
```
# sepolicy network -p 10122
```
If the port is part of an unreserved range, then it can be altered.
No, SECMARK is local to the system. Once a network packet is received by the Linux host, the SECMARK rules will associate a label with that network packet, but this label is only retained in memory on the system itself. Once a packet leaves the Linux system, it will not show any trace of SECMARK labeling.
The subcommands used by semanage are ibendport (to apply a label or sensitivity to an InfiniBand network port) and ibpkey (to apply a label or sensitivity to a partition key).
While labeled IPsec...