RHS429 Red Hat Enterprise SELinux Policy Administration

Course Outline

Unit 1 - Introduction to SELinux

  • Discretionary Access Control vs. Mandatory Access Control
  • SELinux History and Architecture Overview
  • Elements of the SELinux security model:
    • user identity and role
    • domain and type
    • sensitivity and categories
    • security context
  • SELinux Policy and Red Hat's Targeted Policy
  • Configuring Policy with Booleans
  • Archiving
  • Setting and Displaying Extended Attributes
  • Hands-on Lab: Understanding SELinux

Unit 2 - Using SELinux

  • Controlling SELinux
  • File Contexts
  • Relabeling Files and Filesystems
  • Mount options
  • Hands-on Lab: Working with SELinux

Unit 3 - The Red Hat Targeted Policy

  • Identifying and Toggling Protected Services
  • Apache Security Contexts and Configuration Booleans
  • Name Service Contexts and Configuration Booleans
  • Other Services
  • File Context for Special Directory Trees
  • Troubleshooting and avc Denial Messages
  • setroubleshootd and Logging
  • Hands-on Lab: Understanding and Troubleshooting the Red Hat Targeted Policy

Unit 4 - Introduction to Policies

  • Policy Overview and Organization
  • Compiling and Loading the Monolithic Policy and Policy Modules
  • Policy Type Enforcement Module Syntax
  • Object Classes
  • Hands-on Lab: Understanding policies

Unit 5 - Policy Utilities

  • Tools available for manipulating and analyzing policies
    • apol
    • seaudit and seaudit_report
    • checkpolicy
    • sesearch
    • sestatus
    • audit2allow and audit2why
    • sealert
    • avcstat
    • seinfo
    • semanage
    • Man pages
  • Hands-on Lab: Exploring Utilities

Unit 6 - User and Role Security

  • Role-based Access Control
  • Multi-Category Security
  • Defining a Security Administrator
  • Multi-Level Security
  • The strict Policy
  • User Identification and Declaration
  • Role Identification and Declaration
  • Domain Transitions
  • Roles in Use in Transitions
  • Role Dominance
  • Hands-on Lab: Implementing User- and Role-Based Policy Restrictions

Unit 7 - Anatomy of a Policy

  • Policy Macros
  • Type Attributes and Aliases
  • Type Transitions
  • When and How Do Files Get Labeled
  • restorecond
  • Customizable Types
  • Hands-on Lab: Building Policies

Unit 8 - Manipulating Policies

  • Installing and Compiling Policies
  • The Policy Language
  • Access Vector
  • SELinux logs
  • Security Identifiers - SIDs
  • Filesystem Labeling Behavior
  • Context on Network Objects
  • Creating and Using New Booleans
  • Manipulating Policy by Example
  • Macros
  • Enableaudit
  • Hands-on Lab: Compiling Policies

Unit 9 - Project

  • Best practices
  • Create File Contexts, Types and Typealiases
  • Edit and Create Network Contexts
  • Edit and Create Domains
  • Hands-on Lab: Editing and Writing Policy