SELinux in a Nutshell

The big challenge is to find ways to have secure systems knowing that flawed application software will always exist. SELinux is an implementation of the reference monitor concept, where the operating system isolates passive resources into distinct objects such as files and active entities such as running programs into subjects.


While NSA's original example policy has very strong interdependencies between types and roles, and therefore a very tight coupling of policy source modules, the reference policy has well-defined interfaces and no global use of type and other identifiers. In addition, it layers all of its modules in 5 main categories: 'admin', 'apps', 'kernel', 'services' and 'system'.

The refpolicy at the time of writing this tutorial could be downloaded from Release.

We make use of the gen_context() template interface macro to handle both MLS/MCS and non-MLS/MCS policies from the same policy source.

This file contains a hard-coded listing of the directories for the asterisk daemon.

Once you download and install the software, try running it without SELinux support; you can do this by typing

$ setenforce 0
$ /etc/init.d/asterisk start

This will switch SELinux into permissive mode, in which access checks still occur but, instead of being denied, disallowed accesses are simply audited.
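The permissive-mode run described above leaves its audited accesses in the audit log as AVC records. As an added example (not part of the original tutorial), this Python script groups the AVC denials recorded for the asterisk process into candidate allow rules to review before writing the policy. The log lines are constructed samples, and the source domain initrc_t is an assumption about a daemon started from an init script before it has its own domain.

```python
import re
from collections import defaultdict

# Constructed sample audit log lines (not taken from the original page).
SAMPLE_LOG = """\
type=AVC msg=audit(1300000000.101:41): avc:  denied  { read } for  pid=2101 comm="asterisk" name="asterisk.conf" dev=sda1 ino=4711 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1300000000.105:42): avc:  denied  { open } for  pid=2101 comm="asterisk" name="asterisk.conf" dev=sda1 ino=4711 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1300000000.230:43): avc:  denied  { name_bind } for  pid=2101 comm="asterisk" src=5060 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1300000000.230:43): arch=c000003e syscall=49 success=yes exit=0 comm="asterisk"
type=AVC msg=audit(1300000001.002:44): avc:  denied  { write } for  pid=990 comm="crond" name="log" scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
"""

# Permissions, process name, source/target contexts and object class of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denials_for(log_text, comm):
    """Map (source type, target type, class) -> set of audited permissions."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL and other record types carry no permission set
        m = AVC_RE.search(line)
        if m and m.group("comm") == comm:
            key = (context_type(m.group("s")), context_type(m.group("t")),
                   m.group("cls"))
            found[key].update(m.group("perms").split())
    return dict(found)

def candidate_rules(denials):
    """Render each grouped denial as a candidate allow rule for manual review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(denials.items())]

if __name__ == "__main__":
    for rule in candidate_rules(denials_for(SAMPLE_LOG, "asterisk")):
        print(rule)
```

The rules it prints name the generic types the daemon currently runs under and touches; they show which accesses the policy has to cover once the daemon and its files have their own types, and are not meant to be loaded as they stand.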

Now that we are certain that our daemon runs perfectly, we are ready to write SELinux policy files for it.

Malicious or broken software can have root-level access to the entire system, either by running as a root process or using setuid or setgid. In addition, under DAC there are really only two major categories of users, administrators and non-administrators.

After download, run

$ make
$ make install-src
$ make install

The refpolicy will be compiled and installed into /etc/selinux/refpolicy/src/policy.

Writing the Policy

I am going to describe how to write SELinux rules for a Linux daemon service, particularly the Asterisk Call Server. The steps involved are pretty generic and can be used for any software you are planning to jail with SELinux.

A MAC or non-discretionary access control framework allows you to define permissions for how all processes (subjects) interact with other parts of the system such as files, devices, sockets, ports, and other processes (objects).
