You're reading from SELinux System Administration, Third Edition Implement mandatory access control to secure applications, users, and information flows on Linux

Product type Paperback

Published in Dec 2020

Publisher Packt

ISBN-13 9781800201477

Length 458 pages

Edition 3rd Edition

Tools

Docker

Concepts

System Administration

Author (1):

Sven Vermeulen

Preface

1. Section 1: Using SELinux

2. Chapter 1: Fundamental SELinux Concepts FREE CHAPTER

3. Chapter 2: Understanding SELinux Decisions and Logging

4. Chapter 3: Managing User Logins

5. Chapter 4: Using File Contexts and Process Domains

6. Chapter 5: Controlling Network Communications

7. Chapter 6: Configuring SELinux through Infrastructure-as-Code Orchestration

8. Section 2: SELinux-Aware Platforms

9. Chapter 7: Configuring Application-Specific SELinux Controls

10. Chapter 8: SEPostgreSQL – Extending PostgreSQL with SELinux

11. Chapter 9: Secure Virtualization

12. Chapter 10: Using Xen Security Modules with FLASK

13. Chapter 11: Enhancing the Security of Containerized Workloads

14. Section 3: Policy Management

15. Chapter 12: Tuning SELinux Policies

16. Chapter 13: Analyzing Policy Behavior

17. Chapter 14: Dealing with New Applications

18. Chapter 15: Using the Reference Policy

19. Chapter 16: Developing Policies with SELinux CIL

20. Assessments

21. Other Books You May Enjoy

Chapter 12

When SELinux Booleans are changed through the /sys/fs/selinux/booleans filesystem, the changes are not automatically committed. For that to occur, you also need to write the value 1 into /sys/fs/selinux/commit_pending_bools.
The sesearch command is used to query the active policy, and can be used to query the impact of SELinux Booleans as well. Add the -b <boolean> argument to limit the query to rules that are influenced by the SELinux Boolean.
When an SELinux policy module is loaded, it is assigned a priority that tells the system whether it should be the active module. Administrators can load new modules at a higher priority to test them out, and remove them again, without risking that no proper SELinux rules are active on the system at all.
Likewise, administrators can load a policy at a lower priority, ensuring that it is not yet active, and later on remove the module at the higher priority so that the newly loaded policy becomes active.
This is unlike...