RHEL SELinux Policy Administration

This advanced security course takes a deep dive into the complexities and nuances of SELinux. The course discusses security threats posed to today’s computing resources and mitigating them through network and host protections. Students will review SELinux technology through understanding SELinux’s goals, how it has evolved including its features and limitations.

Students will gain hands-on experience in working with SELinux modes, virtualization, and container security. The core of the course is learning and understanding SELinux policy through, choosing, managing, and studying policy examples. Once students have an understanding of the SELinux policy the course will cover writing policy modules. The course is capped with multiple discussions on case studies that explore building SELinux policies. This SELinux course covers one of the major challenge faced by administering SELinux, SELinux troubleshooting.

Supported Distributions:Red Hat Enterprise Linux 7

Course Outline

COMPUTING SECURITY & SELINUX OVERVIEW
1. Security Threats
2. Network and Host Protection
3. Shortcomings of Traditional Unix Security
4. DAC vs. MAC
5. SELinux Goals
6. SELinux Evolution
7. SELinux Features and Limitations
8. SELinux Contexts
9. Labels
10. Access Decisions
11. Transition Decisions: Processes
12. SELinux Example
LAB TASKS
1. System Preparation
2. Contexts
WORKING WITH SELINUX
1. SELinux Modes
2. Gathering SELinux Information
3. SELinux Virtual Filesystem
4. Core Commands and SELinux
5. SELinux Management Utilities
6. Context and File Operations
7. Managing File Context Database
8. Managing Contexts
9. Booleans
10. SELinux Mount Options
11. Virtualization Security
12. Container Security
13. Securing Networked Services
14. Managing Port Contexts
LAB TASKS
1. Exploring SELinux Modes
2. Gathering Information
3. Managing SELinux Booleans
4. Managing Contexts
5. Mounting Filesystems
6. Manual Relabel
7. GUI Utilities
POLICIES
1. The SELinux Policy
2. Choosing an SELinux Policy
3. Policy Layout
4. Examining Policy
5. Managing Policies
6. Targeted Policy
7. Targeted Policy Example: Apache
8. Targeted Policy Example: Other Contexts
9. Minimum Policy
10. MLS Policy Overview
11. MCS Translation
12. Polyinstantiated Directories
USERS & ROLES
1. Overview of Roles
2. Roles
3. User Mappings
4. Kiosk User (xguest)
5. Controlling Application Execution
LAB TASKS
1. SELinux Identities and Roles
2. Kiosk User
TROUBLESHOOTING SELINUX
1. Access Denied. Now what?
2. AVC Denied Examples
3. Incorrect File Context
4. Permissive Domains
5. Using audit2allow
LAB TASKS
1. Troubleshooting using Permissive Domains
2. Using audit2why and audit2allow to create policy
WRITING POLICY MODULES
1. SELinux Policy Tools
2. SELinux Policy Source
3. Reference Policy Source Exploration
4. Process Transitions
5. Object classes
6. Policy Macros
7. Creating Booleans
8. Using Booleans in Policies
9. Other Policy Commands
10. Writing Policy Modules
LAB TASKS
1. Domain Transition Exploration
2. Exploring SELinux Modes
3. Writing a Simple Module
4. Defining and using booleans
5. Creating & Compiling Policy from Source
6. Using seplogen
CASE STUDY: SECURING AN APPLICATION LAB TASKS
1. SELinux Policy Building: Case Study 1
CASE STUDY: SECURING AN APPLICATION LAB TASKS
1. SELinux Policy Building: Case Study 2
BONUS LABS: LAB TASKS
1. Installing and Switching Policies
2. Minimum policy
3. MCS Exploration
4. MCS Restrictions
5. Polyinstantiated Directories