SELinux System Administration Third Edition
by Sven Vermeulen
Packt Publishing 2020
| Page | Notes |
|---|---|
| | Gentoo |
| | Gentoo Handbook |
| | Reference Policy (SELinux) |
| | Ghent University |
| | IC Institute |
| | MSc |
| | COVID-19 |
| | COVID-19 lockdown |
| | Linux Users Group (LUG) |
| | FireEye |
| | security research |
| | Red Hat Linux (RHEL) |
| | Kernel Self-Protection Project (KSPP) |
| | DevOps |
| | network engineer |
| | mission-critical |
| | flight simulator |
| | embedded system |
| | datacenter |
| | CentOS |
| | Fedora Linux |
| | Mandatory Access Control (MAC) |
| xiii | Book’s GitHub repo: https://github.com/PacktPublishing/SELinux-System-Administration-Third-Edition |
| 1 | Linux Kernel |
| 19 | SELinux labels |
| | traditional Linux access controls |
| | SELinux policy filters |
| | SELinux policies |
| 20 | exploits, vulnerabilities |
| | leak |
| | discretionary access control (DAC) |
| | password |
| | /etc/shadow |
| | root user |
| | home directory |
| | password hash |
| 21 | DBMS - database management system |
| | sudo |
| | mandatory access control (MAC) |
| | PostgreSQL |
| 22 | Trusted Computer System Evaluation Criteria (TCSEC) |
| | Orange Book |
| | Department of Defense |
| | Common Criteria standard |
| | ISO/IEC 15408 |
| | Linux Security Module (LSM) |
| | id command |
| | cat command |
| | chmod command |
| | system call |
| 23 | LSM introduced in Linux 2.6 |
| | hooks |
| | framework |
| | exclusive and non-exclusive LSM modules |
| | module stacking (LSM) |
| | containers |
| 24 | AppArmor |
| | AppArmor profile |
| | Smack |
| | TOMOYO Linux |
| | AKARI |
| | LoadPin |
| | Yama |
| | ptrace |
| | SafeSetId |
| | setuid |
| | Lockdown |
| | Lockdown - integrity mode |
| | Lockdown - confidentiality mode |
| | direct memory access (DMA) |
| | PCI memory access |
| | capability LSM |
| 25 | LSM module querying |
| | /sys/kernel/security/lsm |
| | POSIX ACLs |
| | setfacl command |
| | getfacl command |
| 26 | restricting root privileges |
| | least-privilege model |
| 27 | RCE - Remote Command Execution |
| | CGI |
| | SQL injection |
| | enabling SELinux |
| | SELinux GitHub https://github.com/SELinuxProject |
| | Oracle Linux |
| | Debian |
| | Ubuntu |
| | Arch Linux |
| | Gentoo |
| 28 | emerge command |
| | yum command |
| | e-file command |
| | yum whatprovides |
| | subject, object, context, label |
| 29 | id -Z |
| | metadata |
| | SELinux labels vs AppArmor paths |
| 30 | ps -Z |
| | SELinux domain/type |
| | /proc pseudo filesystem |
| | /proc/PID/attr directory |
| 31 | /proc/PID/attr/current file |
| | /proc/PID/attr/exec file |
| | /proc/PID/attr/fscreate file |
| | /proc/PID/attr/keycreate file |
| | /proc/PID/attr/prev file |
| | /proc/PID/attr/sockcreate file |
| | subtask |
| | /proc/PID/task/TASKID/attr directory |
| | type enforcement |
| | init system |
| 33 | SELinux roles: user_r, staff_r, sysadmin_r, secadm_r, system_r, unconfined_r |
| 34 | seinfo --role |
| | seinfo command |
| | su command |
| | user-based access control (UBAC) |
| 35 | SELinux users: _u suffix convention |
| | _r suffix: roles |
| 36 | multilevel security (MLS) |
| | sensitivity |
| | Bell-LaPadula model: no read up, no write down |
| | clearance level |
| | confidentiality |
| | multitenancy |
| | sVirt |
| | Docker |
| | multi-category security (MCS) |
| 37 | SELinux policies are compiled |
| | policy rule (policy code) |
| | policy module |
| | policy package |
| | policy store |
| 38 | SELinux source format |
| | reference policy style |
| | M4 macro |
| | SELinux common intermediate language (CIL) |
| | SELinux reference policy https://github.com/SELinuxProject/refpolicy |
| | peer review |
| | de facto |
| | SELinux source format |
| 39 | TCP socket (tcp_socket) |
| | name_bind |
| | .te file - type enforcement |
| | .if file - interface/template definitions |
| | .fc file - file context expressions |
| | monolithic design |
| 40 | .pp file - policy module |
| | HLL - high-level language |
| | binary blob |
| | backward-compatible |
| | /usr/share/selinux/*.pp files |
| | policy store |
| | semodule command |
| | /var/lib/selinux/mcs/active/modules |
| | /etc/selinux/targeted/policy/policy.XX |
| | selinux-policy-targeted package (CentOS) |
| 41 | sestatus command |
| | /etc/selinux/config |
| | SELINUXTYPE |
| | SysV init, systemd init |
| | load_policy |
| | policies: strict, targeted, mcs |
| 42 | MLS support: sestatus \| grep MLS |
| | cat /sys/fs/selinux/mls |
| | block_suspend permission |
| | deny_unknown permission |
| | sestatus \| grep deny_unknown |
| | /etc/selinux/semanage.conf |
| | handle-unknown variable |
| 43 | unconfined domain |
| | unconfinement |
| | unconfined_t |
| | seinfo -t unconfined_t |
| 44 | cross-user sharing |
| | policy versioning: sestatus \| grep version |
| | /etc/selinux/targeted/policy |
| | /etc/selinux/mcs/policy |
| | seinfo \| grep Version |
| 45 | list of policy feature enhancements by version number * |
| | Xen |
| | flexible inheritance |
| | IPv6 |
| | netlink socket |
| | type bounds |
| 46 | glblub - greatest lower bound, largest upper bound |
| | Infiniband access controls |
| | libsepol |
| | policy-version - /etc/selinux/semanage.conf |
| | SELinux logs |
| | upstream |
| | SELinux policies differ between distributions, releases, … |
| 47 | Chapter 1 questions * |