You're reading from SELinux System Administration, Third Edition Implement mandatory access control to secure applications, users, and information flows on Linux

Product type Paperback

Published in Dec 2020

Publisher Packt

ISBN-13 9781800201477

Length 458 pages

Edition 3rd Edition

Tools

Docker

Concepts

System Administration

Author (1):

Sven Vermeulen

View More author details

Table of Contents (22) Chapters

Preface

1. Section 1: Using SELinux

2. Chapter 1: Fundamental SELinux Concepts FREE CHAPTER

3. Chapter 2: Understanding SELinux Decisions and Logging

4. Chapter 3: Managing User Logins

5. Chapter 4: Using File Contexts and Process Domains

6. Chapter 5: Controlling Network Communications

7. Chapter 6: Configuring SELinux through Infrastructure-as-Code Orchestration

8. Section 2: SELinux-Aware Platforms

9. Chapter 7: Configuring Application-Specific SELinux Controls

10. Chapter 8: SEPostgreSQL – Extending PostgreSQL with SELinux

11. Chapter 9: Secure Virtualization

12. Chapter 10: Using Xen Security Modules with FLASK

13. Chapter 11: Enhancing the Security of Containerized Workloads

14. Section 3: Policy Management

15. Chapter 12: Tuning SELinux Policies

16. Chapter 13: Analyzing Policy Behavior

17. Chapter 14: Dealing with New Applications

18. Chapter 15: Using the Reference Policy

19. Chapter 16: Developing Policies with SELinux CIL

20. Assessments

21. Other Books You May Enjoy

Leave a review - let other readers know what you think

Creating application-level policies

Application-level policies provide confinement for applications or services. There are a number of different types of application-level policies around:

End user application policies, which focus on accessing end user data, and will often call various userdom_* interfaces (which are provided through the system/userdomain.if file). Most of these applications are inside the apps/ directory).
Administration applications, which are still user-facing, are more likely to enable interacting with system services and resources.
Services, which are generally daemonized applications, often interact mostly with their own resources and have a simpler structure.

When we covered the sepolicy generate command in Chapter 14, Dealing with New Applications, we could select these types (and more) to generate a simple skeleton for those applications.

Let's look into some example policies and identify useful calls that you might need when...