Course Length:
5 Days
Course Description:
RHS430 introduces advanced system administrators, security administrators, and applications programmers to SELinux policy writing. Participants in this course will learn how SELinux works, how to manage SELinux, and how to write an SELinux policy. This class culminates in a major project to scope out and then write policies for previously unprotected services. An exam will be given on the final day of class.
Who Should Attend:
RHS430 is designed for computer security specialists and other system administrators responsible for setting and implementing security policies on a Linux computer. Applications programmers may also consider taking the course to understand how to provide a set of SELinux policies for third-party applications. Participants need not have in-depth knowledge of SELinux, but should have a basic understanding of the SELinux security layer. For example, SELinux information as taught in RH133 or RH300 is sufficient.
Benefits of Attendance:
Upon completion of this course, students will be able to:
  • Understand how SELinux operates within the Red Hat targeted policy.
  • Understand how policies are written, compiled, and debugged.
  • Create a set of policies from scratch for a previously unprotected service.
  • Analyze the service, determining its security needs.
  • Design and implement a set of policies.
  • Test and fix the policies.
  • Document the service's new policies so that others can effectively administer the service.
Prerequisites:
RHS430 requires RHCE-level skills. Prerequisite skills can be shown by passing the RHCE Exam in RH300, by taking RH253, or by possessing comparable skills and knowledge.
Course Outline:
  • Unit 1 - Introduction to SELinux
    1. Discretionary Access Control vs. Mandatory Access Control
    2. SELinux History and Architecture Overview
    3. Elements of the SELinux security model
    4. SELinux Policy and Red Hat's Targeted Policy
    5. Configuring Policy with Booleans
    6. Archiving
    7. Setting and Displaying Extended Attributes
    8. Hands-on Lab: Understanding SELinux
  • Unit 2 - Using SELinux
    1. Controlling SELinux
    2. File Contexts
    3. Relabeling Files and Filesystems
    4. Mount options
    5. Hands-on Lab: Working with SELinux
  • Unit 3 - The Red Hat Targeted Policy
    1. Identifying and Toggling Protected Services
    2. Apache Security Contexts and Configuration Booleans
    3. Name Service Contexts and Configuration Booleans
    4. NIS Client Contexts
    5. Other Services
    6. File Context for Special Directory Trees
    7. Troubleshooting and avc Denial Messages
    8. setroubleshootd and Logging
    9. Hands-on Lab: Understanding and Troubleshooting the Red Hat Targeted Policy
  • Unit 4 - Introduction to Policies
    1. Policy Overview and Organization
    2. Compiling and Loading the Monolithic Policy and Policy Modules
    3. Policy Type Enforcement Module Syntax
    4. Object Classes
    5. Domain Transition
    6. Hands-on Lab: Understanding policies
  • Unit 5 - Policy Utilities
    1. Tools available for manipulating and analyzing policies
    2. Hands-on Lab: Exploring Utilities
  • Unit 6 - User and Role Security
    1. Role-based Access Control
    2. Multi Category Security
    3. Defining a Security Administrator
    4. Multi-Level Security
    5. The strict Policy
    6. User Identification and Declaration
    7. Role Identification and Declaration
    8. Roles in Use in Transitions
    9. Role Dominance
    10. Hands-on Lab: Implementing User and Role Based Policy Restrictions
  • Unit 7 - Anatomy of a Policy
    1. Policy Macros
    2. Type Attributes and Aliases
    3. Type Transitions
    4. When and How do Files Get Labeled
    5. restorecond
    6. Customizable Types
    7. Hands-on Lab: Building Policies
  • Unit 8 - Manipulating Policies
    1. Installing and Compiling Policies
    2. The Policy Language
    3. Access Vector
    4. SELinux logs
    5. Security Identifiers - SIDs
    6. Filesystem Labeling Behavior
    7. Context on Network Objects
    8. Creating and Using New Booleans
    9. Manipulating Policy by Example
    10. Macros
    11. Enableaudit
    12. Hands-on Lab: Compiling Policies
  • Unit 9 - Project
    1. Best practices
    2. Create File Contexts, Types and Typealiases
    3. Edit and Create Network Contexts
    4. Edit and Create Domains
    5. Hands-on Lab: Editing and Writing Policy