Red Hat Enterprise SELinux Policy Administration (RHS429) outline

Skills required for SELinux policy writing

Introduction to SELinux

  • Discretionary access control vs. mandatory access control
  • SELinux history and architecture overview
  • Elements of the SELinux security model: user identity and role; domain and type; sensitivity and categories; security context
  • SELinux policy and Red Hat's targeted policy
  • Configuring policy with Booleans
  • Archiving files while preserving their security contexts
  • Setting and displaying extended attributes

Using SELinux

  • Controlling SELinux
  • File contexts
  • Relabeling files and file systems
  • Mount options

The Red Hat targeted policy

  • Identifying and toggling protected services
  • Apache security contexts and configuration Booleans
  • Name service contexts and configuration Booleans
  • NIS client contexts
  • Other services
  • File context for special directory trees
  • Troubleshooting AVC (access vector cache) denial messages
  • setroubleshoot (sealert) and logging

Introduction to policies

  • Policy overview and organization
  • Compiling and loading the monolithic policy and policy modules
  • Policy type enforcement module syntax
  • Object classes
  • Domain transition

Policy utilities

  • Tools available for manipulating and analyzing policies: apol, seaudit and seaudit_report, checkpolicy, sepcut, sesearch, sestatus, audit2allow and audit2why, sealert, avcstat, seinfo, semanage and semodule, man pages
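Worked example, added here and not part of the Red Hat course material: a POSIX shell/awk function that does by hand what audit2allow does with the AVC denial messages covered under "The Red Hat targeted policy" above and the audit2allow entry in this list. It reads audit-log lines, keeps only `avc: denied` records, pulls the source type out of `scontext=`, the target type out of `tcontext=`, the object class out of `tclass=` and the permission set from the braces, then merges permissions per (source, target, class) into `allow` rules. The audit lines in `sample_avc` are constructed for this example, and both function names are my own; they are not tools from the course or from the policy toolchain.

```shell
#!/bin/sh
# Minimal audit2allow-style AVC parser. Needs only a POSIX sh and awk;
# it does not need SELinux to be present, so it can run on any machine
# against a copy of /var/log/audit/audit.log.

# Constructed sample audit records (not real log data). Includes one
# SYSCALL record and one "granted" record that must be ignored, and two
# denials against the same target that must be merged into one rule.
sample_avc() {
    cat <<'EOF'
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1364481363.243:24287): avc:  denied  { read } for  pid=27254 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1364481363.250:24288): avc:  denied  { getattr } for  pid=27254 comm="httpd" path="/home/alice/public_html/index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1364481370.011:24290): avc:  granted  { setenforce } for  pid=1001 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1364481375.102:24291): avc:  denied  { name_connect } for  pid=27255 comm="httpd" dest=3128 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:squid_port_t:s0 tclass=tcp_socket
EOF
}

# Read audit records on stdin, print one "allow" rule per
# (source type, target type, object class), permissions merged in the
# order first seen. Output is sorted so it is stable across awk versions.
avc_to_allow() {
    awk '
        /avc: *denied/ {
            # permission set is the text between the braces after "denied"
            perms = $0
            sub(/.*denied *\{ */, "", perms)
            sub(/ *\}.*/, "", perms)

            # contexts are user:role:type[:range]; the type is field 3
            if (!match($0, /scontext=[^ ]+/)) next
            sctx = substr($0, RSTART + 9, RLENGTH - 9)
            if (!match($0, /tcontext=[^ ]+/)) next
            tctx = substr($0, RSTART + 9, RLENGTH - 9)
            if (!match($0, /tclass=[^ ]+/)) next
            cls = substr($0, RSTART + 7, RLENGTH - 7)
            split(sctx, sp, ":"); stype = sp[3]
            split(tctx, tp, ":"); ttype = tp[3]

            key = stype SUBSEP ttype SUBSEP cls
            np = split(perms, pl, " ")
            for (i = 1; i <= np; i++) {
                # add each permission once, keeping first-seen order
                if (index(" " seen[key] " ", " " pl[i] " ") == 0)
                    seen[key] = seen[key] (seen[key] == "" ? "" : " ") pl[i]
            }
        }
        END {
            for (k in seen) {
                split(k, parts, SUBSEP)
                printf "allow %s %s:%s { %s };\n", parts[1], parts[2], parts[3], seen[k]
            }
        }' | LC_ALL=C sort
}

# Usage: sample_avc | avc_to_allow
# or, on a real system: sudo ausearch -m avc -ts recent | avc_to_allow
```

Treat the generated rules as a starting point, not an answer. The first two denials above are typical of a home-directory page served by Apache: the right fix is usually a file-context change (`chcon`/`semanage fcontext` plus `restorecon`) or the corresponding Boolean, not a blanket `allow httpd_t user_home_t:file`. The real audit2allow also resolves permissions against the loaded policy and emits a loadable module skeleton; this function only does the parsing and merging, and it silently skips records without all three of `scontext=`, `tcontext=` and `tclass=`.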

User and role security

  • Role-based access control
  • Multicategory security
  • Defining a security administrator
  • Multilevel security
  • The strict policy
  • User identification and declaration
  • Role identification and declaration
  • Roles in domain transitions
  • Role dominance

Anatomy of a policy

  • Policy macros
  • Type attributes and aliases
  • Type transitions
  • When and how files get labeled
  • restorecond
  • Customizable types

Manipulating policies

  • Installing and compiling policies
  • The policy language
  • Access vector
  • SELinux logs
  • Security identifiers (SIDs)
  • File-system labeling behavior
  • Context on network objects
  • Creating and using new Booleans
  • Manipulating policy by example
  • Macros
  • The enableaudit build target (loading policy with dontaudit rules disabled)


  • Best practices
  • Creating file contexts, types, and typealiases
  • Editing and creating network contexts
  • Editing and creating domains

Note: Course outline is subject to change with technology advances and as the nature of the underlying job evolves. For questions or confirmation on a specific objective or topic, please contact a training specialist via the web or at 1-866-626-2994.