SELinux Administration


Session 1. Introduction to SELinux

  • SELinux Introduction
    • What is SELinux and how it works?
  • Access Control Mechanisms
  • Labels, Contexts and Type Enforcement
  • Basic Terminology
    • Users, Roles, Subjects, Objects, Domains and Types
  • SELinux Policy and Policy Organization
    • Confined and Unconfined Domain, Type Enforcement and Policy Behavior
  • SELinux Administration – Settings and Modes
  • SELinux Configuration, SELinux Status
  • SELinux Features and Benefits
  • SELinux is not

Session 2. Getting Started with SELinux

  • Boot Options for SELinux
  • Enabling user home directories
  • SELinux Settings for User Home Directories
  • Targeted Policy Protected Services
  • Default list of SELinux Protected Services
  • File Context for Special Directory Trees
  • Setting Persistent SELinux Contexts on Directory Trees
  • Example: ftp server with non default directory

Session 3. SELinux Booleans

  • SELinux Booleans
  • Why Doesn't a Service Work?
  • Boolean Values
  • Service Categories of SELinux Booleans
  • Booleans with SELinux Management Tool
  • CLI vs. GUI Filter
  • Boolean Settings do not stand alone
  • SELinux directives for HTTP Services, Name Service, MariaDB, NFS, Samba and SSH
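
Worked example for the Session 2 item "ftp server with non default directory" and the Session 3 point that boolean settings do not stand alone. This is an added shell script, not course material; it assumes vsftpd, an anonymous-writable tree at /srv/ftp/upload, and the RHEL/Fedora targeted policy names public_content_rw_t and ftpd_anon_write.

```shell
#!/bin/sh
# Added example (not from the course material): give vsftpd a non-default
# upload tree and pair the label with the boolean it depends on.
# Assumed: vsftpd, an anonymous-writable tree at /srv/ftp/upload, and the
# RHEL/Fedora targeted policy (type public_content_rw_t, boolean
# ftpd_anon_write). The semanage/restorecon/setsebool calls run only as
# root on an SELinux host; the helper functions are plain string handling.

# Regex semanage fcontext expects for "this directory and everything below".
fcontext_regex() {
    printf '%s(/.*)?\n' "${1%/}"
}

# Type field of a context string such as system_u:object_r:public_content_rw_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read-only trees are published with public_content_t; trees that FTP
# clients must be able to write to need public_content_rw_t.
ftp_tree_type() {
    case "$1" in
        ro) echo public_content_t ;;
        rw) echo public_content_rw_t ;;
        *)  echo "unknown access mode: $1" >&2; return 1 ;;
    esac
}

# Record the mapping persistently, then relabel what is already on disk.
label_tree() {
    semanage fcontext -a -t "$2" "$(fcontext_regex "$1")"
    restorecon -Rv "$1"
}

if command -v semanage >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    label_tree /srv/ftp/upload "$(ftp_tree_type rw)"
    # The label alone is not enough: anonymous writes are also gated by a
    # boolean (authenticated users need ftpd_full_access instead).
    setsebool -P ftpd_anon_write on
    # Verify with stat's %C (the SELinux context) rather than trusting the command.
    [ "$(context_type "$(stat -c %C /srv/ftp/upload)")" = public_content_rw_t ] \
        && echo "/srv/ftp/upload labelled public_content_rw_t, ftpd_anon_write=on"
else
    echo "not root or no semanage: nothing changed" >&2
fi
```

Run it as root on an SELinux host; elsewhere it only reports that nothing was changed. The persistent mapping recorded by semanage fcontext is what survives a later restorecon or fixfiles run, which is why chcon alone is not enough; semanage fcontext -a refuses a regex that already has a local mapping, and -m is the flag to change one.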

Session 4. Troubleshooting

  • Identify the Problem - SELinux Audits
  • Using
  • Using
  • SELinux Troubleshoot Browser
  • The setroubleshootd
    • Installation, configuration and working
  • Sending e-mails
  • Testing setroubleshoot functionality
  • Binding sshd on a non standard port
  • SELinux Logging - Interacting with systemd-journal
  • Policy Rules vs. Other Options
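
An added example for the Session 4 items on reading SELinux audits and choosing between policy rules and other options (not part of the course text). The audit records inside the script are constructed to match the format of /var/log/audit/audit.log; the script reduces each AVC record to the four fields a triage decision needs.

```shell
#!/bin/sh
# Added example (not from the course material): reduce raw AVC records to
# "permission source-type target-type class" so a batch of denials can be
# triaged before reaching for audit2allow. The audit lines below are
# constructed to look like /var/log/audit/audit.log on a targeted-policy host.

sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1600000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1600000000.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="upload" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1600000001.500:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1600000002.000:458): avc:  denied  { name_bind } for  pid=700 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# One line per AVC record: "perms stype ttype tclass". Non-AVC records
# (the SYSCALL line that precedes each AVC) are dropped.
avc_summary() {
    awk '
        /avc: +denied/ {
            b = index($0, "{"); e = index($0, "}")
            perms = substr($0, b + 2, e - b - 3)      # text between "{ " and " }"
            sctx = ""; tctx = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext")      sctx = kv[2]
                else if (kv[1] == "tcontext") tctx = kv[2]
                else if (kv[1] == "tclass")   tclass = kv[2]
            }
            split(sctx, s, ":"); split(tctx, t, ":")   # user:role:type[:range]
            printf "%s %s %s %s\n", perms, s[3], t[3], tclass
        }'
}

# Collapse repeated denials into "count stype ttype tclass", most frequent first.
avc_top() {
    avc_summary | awk '{ print $2, $3, $4 }' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2, $3, $4 }'
}

if command -v ausearch >/dev/null 2>&1; then
    # Real host: recent denials from the audit log, then let audit2why say
    # whether a boolean, a relabel, or a real policy rule is the answer.
    # With setroubleshootd running, "journalctl -t setroubleshoot" shows the
    # same events together with sealert's explanation.
    ausearch -m AVC -ts recent 2>/dev/null | avc_summary
    ausearch -m AVC -ts recent 2>/dev/null | audit2why
else
    echo "no ausearch on this host; summarising the constructed sample instead" >&2
    sample_log | avc_top
fi
```

Read the summary before writing any policy: a denial whose target is a generic type such as user_home_t usually means a mislabelled file (semanage fcontext plus restorecon) or a boolean such as httpd_enable_homedirs; the name_connect to mysqld_port_t is what httpd_can_network_connect_db exists for; and the sshd name_bind on unreserved_port_t is a port-labeling problem. audit2why makes exactly these distinctions, and only what is left over justifies a custom allow rule.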

Lab 1. Exploring CGI scripts

Session 5. SELinux Policies

  • SELinux Policy
  • Policy Organization
  • Confined and Unconfined Domain
  • SELinux Policy Behavior
  • Configuring a Policy with semanage
  • Example
    • SELinux Port Labeling
    • Managing Ports with Semanage
    • Using Semanage Permissive
    • Limiting flows based on the network interface
  • Generating Policy files for Deployment
  • Handling device files
  • Setting a SELinux label on a device node
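
An added example (not from the course) covering the Session 4 item "Binding sshd on a non standard port" and the Session 5 items on port labeling with semanage. It assumes sshd should listen on 2222/tcp; the semanage port -l listing inside the script is constructed, and a real run reads the live listing instead.

```shell
#!/bin/sh
# Added example (not from the course material): move sshd to a non-standard
# port without a name_bind denial. Assumed: port 2222/tcp for sshd and the
# targeted policy's port types (ssh_port_t, http_cache_port_t, ...). The
# `semanage port -l` listing below is constructed; a real run reads the live one.

sample_port_list() {
    cat <<'EOF'
SELinux Port Type              Proto    Port Number
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767, 61001-65535
EOF
}

# Who owns PORT/PROTO in the listing on stdin?
#   "TYPE explicit" - listed as a single port (semanage port -a will refuse
#                     with "already defined"; -m is needed to move it)
#   "TYPE range"    - only covered by a range such as unreserved_port_t (-a is fine)
#   nothing         - not mentioned at all
port_owner() {
    awk -v p="$1" -v pr="$2" '
        NR > 1 && $2 == pr {
            for (i = 3; i <= NF; i++) {
                e = $i; sub(/,$/, "", e)
                if (e ~ /-/) {
                    split(e, r, "-")
                    if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) range = $1
                } else if (e + 0 == p + 0) {
                    print $1 " explicit"; found = 1; exit
                }
            }
        }
        END { if (!found && range != "") print range " range" }'
}

# Build the semanage command that labels PORT/PROTO as TYPE, choosing -a or -m
# from the listing on stdin.
port_label_cmd() {
    ttype=$1; port=$2; proto=$3
    case "$(port_owner "$port" "$proto")" in
        *" explicit") flag=m ;;
        *)            flag=a ;;
    esac
    printf 'semanage port -%s -t %s -p %s %s\n' "$flag" "$ttype" "$proto" "$port"
}

if command -v semanage >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    cmd=$(semanage port -l | port_label_cmd ssh_port_t 2222 tcp)
    echo "running: $cmd"; $cmd
    # Still required: "Port 2222" in /etc/ssh/sshd_config and a restart;
    # confirm the label took with: semanage port -l | grep ssh_port_t
else
    echo "not root or no semanage; showing the commands for the sample listing" >&2
    sample_port_list | port_label_cmd ssh_port_t 2222 tcp      # -a: 2222 is only in a range
    sample_port_list | port_label_cmd http_port_t 8080 tcp     # -m: 8080 belongs to http_cache_port_t
fi
```

The -a/-m distinction is the usual stumbling block: semanage port -a refuses a port the policy already lists explicitly, and -m moves it to the new type, while a port that is only covered by the unreserved_port_t range can be added with -a. Setting Port 2222 in sshd_config before labeling produces exactly the name_bind denial that Session 4 troubleshoots.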

Lab 2. Understanding policies

Session 6. Working with SELinux Policies

  • SELinux Policy Language
  • Source Policy Modules in a Monolithic Policy
  • Loadable Policy Modules
  • Building and Installing Monolithic Policies
  • Build and load process for SELinux policy
  • The make Targets
  • Generating Policy files for Deployment
  • Supported user templates with sepolgen
  • Handling device files
  • Using udev Rules
  • Setting a SELinux label on a device node

Lab 3. Modifying an existing policy

Session 7. Building and Loading SELinux Policies

  • Downloading and Installing the source and preparing the build area
  • Build the base policy package
  • Compiling the Monolithic Policy
  • Loading the Monolithic Policy
  • Compiling Policy Modules
  • Loading Policy Modules
  • Policy Type-Enforcement Module Syntax
  • Policy Type-Enforcement Module Example
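
An added, complete instance of the Session 7 module syntax and build steps (checkmodule, semodule_package, semodule); it is not the course's own module. The application, the directory /var/log/myapp, the module name myapp_logs and the type myapp_log_t are all hypothetical.

```shell
#!/bin/sh
# Added example (not from the course material): write, build and load a small
# type-enforcement module. Assumed: a hypothetical application whose logs live
# under /var/log/myapp and are appended to by httpd; the module name myapp_logs
# and type myapp_log_t are inventions for the example. Building needs
# checkmodule, semodule_package and semodule (checkpolicy / policycoreutils).

# Write myapp_logs.te and myapp_logs.fc into DIR.
write_module() {
    cat > "$1/myapp_logs.te" <<'EOF'
module myapp_logs 1.0;

require {
    type httpd_t;
    attribute file_type;
    class file { open append getattr };
}

# A type of our own for the log files; the file_type attribute makes
# restorecon/fixfiles treat it like any other file-backed type.
type myapp_log_t;
typeattribute myapp_log_t file_type;

# httpd may append to the logs but never read or unlink them.
allow httpd_t myapp_log_t:file { open append getattr };
EOF
    # Literal contexts: semodule_package -f does not expand gen_context().
    cat > "$1/myapp_logs.fc" <<'EOF'
/var/log/myapp(/.*)?    system_u:object_r:myapp_log_t:s0
EOF
}

# "NAME VERSION" from the module header line.
te_module_name() {
    sed -n 's/^module[[:space:]]\{1,\}\([^[:space:]]\{1,\}\)[[:space:]]\{1,\}\([^;[:space:]]\{1,\}\);.*/\1 \2/p' "$1"
}

# Number of allow rules in a .te file (a quick sanity check before loading).
te_allow_count() {
    grep -c '^[[:space:]]*allow[[:space:]]' "$1"
}

# Compile (-M: MLS-aware, -m: as a loadable module), package with its file
# contexts, load it, then apply the new file contexts to disk.
build_and_load() {
    (
        cd "$1" || exit 1
        checkmodule -M -m -o myapp_logs.mod myapp_logs.te
        semodule_package -o myapp_logs.pp -m myapp_logs.mod -f myapp_logs.fc
        semodule -i myapp_logs.pp
        restorecon -Rv /var/log/myapp 2>/dev/null || true
        semodule -l | grep '^myapp_logs'
    )
}

workdir=$(mktemp -d)     # left in place so the .te/.fc can be inspected
write_module "$workdir"
echo "module $(te_module_name "$workdir/myapp_logs.te") written to $workdir"
if command -v checkmodule >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    build_and_load "$workdir"
else
    echo "not root or no checkmodule: module written but not loaded" >&2
fi
```

After semodule -i the new type and its file-context mapping are part of the loaded policy, but files already under /var/log/myapp keep their old label until restorecon runs, which is why the build function ends with it. The require block must name every type, attribute and class the rules use; checkmodule reports a missing one as a compile error rather than semodule failing later.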

Lab 4. Compiling and Building Base Policy from Source

Lab 5. Using the fixfiles Script and Setting Mount Contexts

Session 8. Working with semodule and Object Classes

  • High Level SELinux Architecture
  • semodule
  • Object Classes and Permissions
  • Defining common Permissions
  • Examples

Session 9. Policy Utilities

  • seaudit, seaudit_report, checkpolicy, sesearch, sestatus, audit2allow, audit2why, sealert, avcstat, seinfo and semanage

Session 10. User and Role Security

  • Role-based Access Control
  • Multi Category Security - MCS
  • Multi Category Security: translation and login
  • The chcat - change file security category
  • Defining a SecurityAdministrator: sudo, chcat and root

Lab 6. Role Based Policy Restrictions

Session 11. MLS, Users, Roles, Domain Transition, Macros and Types

  • Multi-Level Security - MLS
  • The strict Policy
  • General Identification
  • User Identification: system_u, user_u and root, Declaring Users
  • Role Identification - Role Dominance
  • Domain Transition
  • Polyinstantiation of Directories
  • Policy Macros
  • Types : Enforcement, Attributes, Aliases and Transitions for Objects
  • restorecond
  • Customizable Types

Lab 7. Creating New Types

Session 12. Contexts, Policies, Access Vector, Logs and Booleans

  • File Contexts
  • Manipulating Policies
  • Access Vector
  • Security Identifiers-SIDs
  • Statements: fs_use_* and genfscon
  • Context on network objects
  • Booleans: Creating and using new booleans
  • Enableaudit

Lab 8. Creating Policy Module

Lab 9. Mount Options and a Custom Port for squid

  • Task 1.  Create File Contexts, Create File Types, Create File Typealiases
  • Task 2.  Edit or Create Network Contexts
  • Task 3.  Domains - Create Domains: Macros, Building and Enhancing