RHS427 - Introduction to SELinux and Red Hat Targeted Policy

Course Summary

Among the most significant features of Red Hat Enterprise Linux is SELinux (Security Enhanced Linux), a powerful, kernel-level security layer that provides fine-grained control over what users and processes may access and do on a system. By default, SELinux is enabled on Red Hat Enterprise Linux systems, enforcing a set of mandatory access controls that Red Hat calls the targeted policy. These access controls substantially enhance the security of the network services they target, but can sometimes affect the behavior of third-party applications and scripts that worked on previous versions of Red Hat Enterprise Linux.

This course provides a rapid, one-day introduction to SELinux, how it operates within the Red Hat targeted policy, and the tools available for working with this powerful capability.

RHS427 Introduction to SELinux and Red Hat Targeted Policy Description

Audience:

System administrators deploying or planning to deploy Red Hat Enterprise Linux, version 4, and so needing a foundation in SELinux concepts and implementation.

This course is particularly useful for system administrators managing Enterprise Linux systems running versions 2.1 or 3 and migrating to version 4.

Prerequisites:

To assist you in determining if you have sufficient system administration knowledge to take RHS427, try taking the following pre-assessment questionnaires:

In order to ensure that the prerequisites for RHS427 are met, you should expect to receive a high score for the RH033 and RH133 classes (36 points or more) and a moderate score for the RH253 class (24 points or more). If one or more of these scores falls below the recommended level, consider taking the related class before taking RHS427.

Duration:

1 day

What you will learn:

  1. Introduction to SELinux
    • Introduction
      • Discretionary vs. Mandatory Access Controls
      • The SELinux Solution
    • SELinux History
    • Architecture
      • Domains/Types
      • Roles/User Identities
      • Security Contexts
    • Security Policy
      • What is an SELinux Policy?
      • The Red Hat Targeted Policy
      • Configuring the Targeted Policy
    • Working with Files and Processes
      • Identifying a File´s Security Context
      • Identifying a Process´s Security Context
      • Identifying a User´s Security Context
      • SELinux and File Archiving
    • Lab 1: Understanding SELinux
  2. Using SELinux
    • Controlling SELinux
      • Enabling SELinux
      • Enforcing vs. Permissive Modes
      • Setting a Policy
      • system-config-securitylevel and Other Tools
      • The /selinux Filesystem
    • File Security Contexts
      • Identifying a File´s Security Context
      • Default Contexts
      • Determining the Proper Context for a File
      • Security Context at File Creation Time
      • Changing a File´s Security Context
      • Changing Security Contexts for a Directory Tree
    • Special Topics in File Security Contexts
      • Removeable Media
        • Default Contexts
        • Setting Contexts at Mount Time
        • Setting Contexts in /etc/fstab
      • Setting Contexts for Remote Filesystems Mounted Locally
    • Process Security Contexts
    • User Security Contexts
    • Lab 2: Working with SELinux
  3. The Red Hat Targeted Policy
    • Protected Services
      • Identifying Protected Services
      • Disabling SELinux on a Per-Service Basis
    • Apache
      • Security Contexts for Web Content
    • Name Service
    • NIS Server and Client
    • Other Services
      • dhcpd, portmap, squid, syslogd
      • nscd, ntpd, snmpd
    • File Contexts for Special Directory Trees
      • /etc, /home, and other Important Directory Trees
      • Adding a New Filesystem
      • Special Executables
    • Troubleshooting
      • Identifying an SELinux Denial
      • The "avc: denied" Message
      • Strategies
    • Lab 3: Understanding and Troubleshooting the Red Hat Targeted Policy
  4. Appendix: A Review of Extended Regular Expressions