Home > Training > Red Hat Linux > S429

Red Hat Enterprise SELinux Policy Administration (S429)

Download PDF Download Course Outline (PDF)
Course Description Schedule Course Outline
 

Who should attend

RHS429 is designed for computer security specialists and other system administrators responsible for setting and implementing security policies on a Linux computer. Applications programmers also may consider taking the course to understand how to provide a set of SELinux policies for third party applications.

Participants need not have indepth knowledge of SELinux, but should have a basic understanding of the SELinux security layer. For example, SELinux information as taught in Red Hat Linux Administration (incl. Examensprüfung RH202) (133) or RHCE Rapid Track Kurs (incl. RHCSA & RHCE Examensprüfung) (300) is sufficient.

Prerequisites

RHS429 requires RHCE-level skills. Prerequisite skills can be shown by passing the RHCE Exam in either RH302 or RH300, or by taking RH253 or by possessing comparable skills and knowledge.

Course Objectives

Among the most significant features of Red Hat Enterprise Linux is SELinux (Security Enhanced Linux), a powerful, kernel-level security layer that provides fine-grained control over what users and processes may access and execute on a system. By default, SELinux is enabled on Red Hat Enterprise Linux systems, enforcing a set of mandatory access controls that Red Hat calls the targeted policy. These access controls substantially enhance the security of the network services they target, but can sometimes affect the behavior of third-party applications and scripts that worked under previous versions of Red Hat Enterprise Linux.

RHS429 provides a four day tutorial on SELinux and SELinux policy writing. The first day of the course provides a introduction to SELinux, how it operates within the Red Hat targeted policy, and the tools used to manipulate it. The class then will spend the remaining days learning how policies are written, compiled, and debugged.

This culminates in a project in which participants will create a set of policies from scratch for a previously unprotected service. The class will analyze the service, determining its security needs; design and implement a set of policies; test and fix the policies; document the service's new policies so that others can effectively administer the service.

Course Content

Unit 1 - Introduction to SELinux
  • Discretionary Access Control vs. Mandatory Access Control
  • SELinux History and Architecture Overview
  • Elements of the SELinux security model:
  • SELinux Policy and Red Hat´s Targeted Policy
  • Configuring Policy with Booleans
  • Archiving
  • Setting and Displaying Extended Attributes
  • Hands-on Lab: Understanding SELinux

Unit 2 - Using SELinux
  • Controlling SELinux
  • File Contexts
  • Relabeling Files and Filesystems
  • Mount options
  • Hand-on Lab: Working with SELinux

Unit 3 - The Red Hat Targeted Policy
  • Identifying and Toggling Protected Services
  • Apache Security Contexts and Configuration Booleans
  • Name Service Contexts and Configuration Booleans
  • NIS Client Contexts
  • Other Services
  • File Context for Special Directory Trees
  • Troubleshooting and avc Denial Messages
  • setroubleshootd and Logging
  • Hands-on Lab: Understanding and Troubleshooting the Red Hat Targeted Policy

Unit 4 - Introduction to Policies
  • Policy Overview and Organization
  • Compiling and Loading the Monolithic Policy and Policy Modules
  • Policy Type Enforcement Module Syntax
  • Object Classes
  • Domain Transition
  • Hands-on Lab: Understanding policies

Unit 5 - Policy Utilities
  • Tools available for manipulating and analyzing policies
  • Hands-on Lab: Exploring Utilities

Unit 6 - User and Role Security
  • Role-based Access Control
  • Multi Category Security
  • Defining a Security Administrator
  • Multi-Level Security
  • The strict Policy
  • User Identification and Declaration
  • Role Identification and Declaration
  • Roles in Use in Transitions
  • Role Dominance
  • Hands-on Lab: Implementing User and Role Based Policy Restrictions

Unit 7 - Anatomy of a Policy
  • Policy Macros
  • Type Attributes and Aliases
  • Type Transitions
  • When and How do Files Get Labeled
  • restorecond
  • Customizable Types
  • Hands-on Lab: Building Policies

Unit 8 - Manipulating Policies
  • Installing and Compiling Policies
  • The Policy Language
  • Access Vector
  • SELinux logs
  • Security Identifiers - SIDs
  • Filesystem Labeling Behavior
  • Context on Network Objects
  • Creating and Using New Booleans
  • Manipulating Policy by Example
  • Macros
  • Enableaudit
  • Hands-on Lab: Compiling Policies

Unit 9 - Project
  • Best practices
  • Create File Contexts, Types and Typealiases
  • Edit and Create Network Contexts
  • Edit and Create Domains
  • Hands-on Lab: Editing and Writing Policy

Duration: 4 days

Prices (excl. VAT):
  • Switzerland: 2,880.- €
  • Germany: 2,880.- €
 
Click on the location to go directly to the booking pageSchedule
Switzerland

Currently there are no local training dates scheduled.  For enquiries please write to info@flane.ch.

Germany
29/07/2013 - 01/08/2013 Stuttgart
02/12/2013 - 05/12/2013 Munich
Fast Lane will carry out all guaranteed training regardless of the number of attendees, exempt from force majeure or other unexpected events, like e.g. accidents or illness of the trainer, which prevent the course from being conducted.