You're reading from SELinux System Administration, Third Edition Implement mandatory access control to secure applications, users, and information flows on Linux

Product type Paperback

Published in Dec 2020

Publisher Packt

ISBN-13 9781800201477

Length 458 pages

Edition 3rd Edition

Tools

Docker

Concepts

System Administration

Author (1):

Sven Vermeulen

View More author details

Table of Contents (22) Chapters

Preface

1. Section 1: Using SELinux

2. Chapter 1: Fundamental SELinux Concepts FREE CHAPTER

3. Chapter 2: Understanding SELinux Decisions and Logging

4. Chapter 3: Managing User Logins

5. Chapter 4: Using File Contexts and Process Domains

6. Chapter 5: Controlling Network Communications

7. Chapter 6: Configuring SELinux through Infrastructure-as-Code Orchestration

8. Section 2: SELinux-Aware Platforms

9. Chapter 7: Configuring Application-Specific SELinux Controls

10. Chapter 8: SEPostgreSQL – Extending PostgreSQL with SELinux

11. Chapter 9: Secure Virtualization

12. Chapter 10: Using Xen Security Modules with FLASK

13. Chapter 11: Enhancing the Security of Containerized Workloads

14. Section 3: Policy Management

15. Chapter 12: Tuning SELinux Policies

16. Chapter 13: Analyzing Policy Behavior

17. Chapter 14: Dealing with New Applications

18. Chapter 15: Using the Reference Policy

19. Chapter 16: Developing Policies with SELinux CIL

20. Assessments

21. Other Books You May Enjoy

Leave a review - let other readers know what you think

Summary

CIL for SELinux is a powerful, lower-level syntax and language that is used to express all possible SELinux policy code. The SELinux userspace utilities will automatically convert existing policies into CIL code, but through this conversion, a lot of CIL constructs are not used: the conversion only uses a smaller set of CIL capabilities to establish a valid translation.

The more advanced CIL capabilities, such as namespace support, macros, and the permission sets through the classpermissionset statement, are useful when developing our own, CIL-based SELinux policies. In this chapter, we've learned how to use CIL to build complete application policies. Because there is no reference policy-like framework to simplify development, we had to write all of the necessary code constructs ourselves.

While this means that developing CIL-based policies is more resource intensive, we did also see that CIL has a few benefits that reference policy-style development cannot deal...