You're reading from SELinux System Administration, Third Edition Implement mandatory access control to secure applications, users, and information flows on Linux

Product type Paperback

Published in Dec 2020

Publisher Packt

ISBN-13 9781800201477

Length 458 pages

Edition 3rd Edition

Tools

Docker

Concepts

System Administration

Author (1):

Sven Vermeulen

View More author details

Table of Contents (22) Chapters

Preface

1. Section 1: Using SELinux

2. Chapter 1: Fundamental SELinux Concepts FREE CHAPTER

3. Chapter 2: Understanding SELinux Decisions and Logging

4. Chapter 3: Managing User Logins

5. Chapter 4: Using File Contexts and Process Domains

6. Chapter 5: Controlling Network Communications

7. Chapter 6: Configuring SELinux through Infrastructure-as-Code Orchestration

8. Section 2: SELinux-Aware Platforms

9. Chapter 7: Configuring Application-Specific SELinux Controls

10. Chapter 8: SEPostgreSQL – Extending PostgreSQL with SELinux

11. Chapter 9: Secure Virtualization

12. Chapter 10: Using Xen Security Modules with FLASK

13. Chapter 11: Enhancing the Security of Containerized Workloads

14. Section 3: Policy Management

15. Chapter 12: Tuning SELinux Policies

16. Chapter 13: Analyzing Policy Behavior

17. Chapter 14: Dealing with New Applications

18. Chapter 15: Using the Reference Policy

19. Chapter 16: Developing Policies with SELinux CIL

20. Assessments

21. Other Books You May Enjoy

Leave a review - let other readers know what you think

Adding user-level policies

If we want to create custom user and role policies, then the most confusing choice is the choice of user template to pick. This template creates a role and user domain with a specific purpose in mind, and grants a number of permissions by default:

Figure 15.1 – Relationship between user domain templates

The most common templates to pick for user/role policies are the following:

userdom_restricted_user_template() for (by default) unprivileged end user roles.
userdom_admin_user_template() for (by default) highly privileged end user roles.

The other templates can be used as well, especially if more fine-grained controls over the roles and user domains are needed. Note, however, that the privileges assigned by the templates are mentioned as by default. If we want to create a role and user domain for administrating a specific service, then we do not want to use userdom_admin_user_template(), as this will grant...