Customer Reviews

SELinux by Example: Using Security Enhanced Linux

5 star:		(1)
4 star:		(3)
3 star:		(1)
2 star:		(1)
1 star:		(0)

 

 

SELinux by Example is not my first venture into learning about SELinux, but in fact my second. My first was the study guide for the RedHat SELinux Exam (which you only get if you pay for the course, so i realise it is not a cheap option). While the Red Hat material is very limited (to be covered in 4 days and with the aim of preparing you for an exam) it has three gleaming advantages:
1) it is current
2) the exercises are practical and come with solution in the book; and
3) there are nowhere near as many mistakes.

So let's cut to the downsides of this book:
1) it's dated (now in 2008)
2) there are mistakes, many mistakes but thankfully most are obvious
3) there are no easily accessible answers. They might be online, but so far i have not found them...

So that sounds pretty bad, but actually the book is very good, mainly because of its depth. It seems to go through the entire beast that is SELinux, using non-contrived examples of policy. Unfortunately it does not help you in administering your system all that much (though there is a chapter devoted to this). The reason for this is simple: this book aims to tell you how SELinux works, rather than how to use it. In other words, this book needs to be read together with something more practical. The practical content of the book is probably confined to the last two chapters which amounts to just shy of 70 pages out of 425 including index.

Honestly, i am torn on this: on the one hand i'm disappointed about how out of date the book has gotten, and how quickly, but at the same time i understand: SELinux is still evolving significantly AND how distro's are using it is still evolving. Just see some of the references where the book acknowledges its shortcomings: The authors know where things are headed, they know their stuff. Which on the other side of the spectrum is why this book is so good as an introduction: you cover everything, you have a really solid background of the area, but you are left wanting more, you are left wanting ... well >practical< examples, rather than the examples in the text.

I would recommend that anyone wanting to get into using SELinux get material of their distro's support site (Red Hat / Fedora have guides and links to other materials which are excellent and free) and use those materials with this book. I have yet to find a source that ties all of SELinux together so well, but at the same time, there is the sensation that this material will need a revision very soon.

One last issue is that the book is a little too formulaic. The text will inform you there is a summary of syntax on page X, where X is the page you are on and the summary is the next paragraph. It just rubs me the wrong way, it is pointing out the obvious, it is adding volume where none is needed. The text is concise, but for some reason it seems the authors want to add bloat and volume when otherwise they get right to the point.

In conclusion, consider this book a foundation, even if its not as current as you might want (and those issues are related more to module based policy writing which is covered in sufficient depths, especially because examples are included with your SELinux policy anyway), and read it with the man pages and the documentation you get with your distro and you'll be fine.

If you are a linux or unix user, then you're probably pretty familiar with the permissions settings on files. It's a basic methodology that is essentially unchanged over 20 years or more or unix development. But its shortcomings have been just as well known to unix experts over that time.

What Mayer et al demonstrate is that the latest linux 2.6 has a very interesting add-on. SELinux. It is incorporated by default. So if you're running linux 2.6, it's been present all along, hidden in the background. The book describes what it offers. A vastly improved and very granular security model. Based on the concept of type enforcement. It goes way beyond earlier implementations of Mandatory Access Control.

The book can be heavy sledding if all this is new to you. Luckily, it describes a neat GUI tool, apol, that you can run as root. It can greatly assist understanding the use and making of rules.

Most users and sysadmins of linux machines might still not require the active use of SELinux. There is a considerable investment in time needed, to understand and use it. Plus, most of the examples cited in the book refer to government or classified contexts. Outside these, you have to really ask yourself if it's germane to you.

This book offers a lot of information on the subject, and seems to focus generally on policy writing. However, there are a lot of new features in the newer Fedora Cores that it doesn't cover very well. Also, it talks about a lot of issues that, as long as you don't have a super old system, don't really matter anymore.

I'm about a hundred pages into the book. I am still completely confused. If this book was intended to describe SELinux "by Example" it certainly hasn't. Furthermore, it seems to be a bit out of date, focusing on old distributions like Fedora Core 5. It appears to place a lot of focus on more obscure tools (written by the author and the author's company) as opposed to the more "standard" tools which are included in standard distributions.

I'm the type of administrator that installed fedora 13 at home, encountered SELinux and lastly installed fedora 14.
I wanted SELinux by Example to show me how to set up rules for CGI sub-systems. But by the time the book was delivered, I already figured it out. This signaled the end of 2 - 3 weeks of head banging! Then I was able to continue testing a program port.

As I flipped through the book, it showed me what I needed to do if I wanted to set up rules for including my own applications on LINUX. Hence this book is a great tool for customizing SELinux. Now, all new applications can keep on enforcing security. My favorite subject is managing roles, even as an associated "domain" transitions to another. Both high-class administrators and endusers alike will trust my services guarded by this security system.

--- DISCLAIMER: This is a requested review by PTR, however any opinions expressed within the review are my personal ones. ---

The book SbE comes in 3 parts and additionally with 45 page strong Appendix
containing more detailed information where to get additonal information from.

Part I - A general overview (p. 1-55)
Part II - The SELinux Policy language (p. 57-236)
Part III - Creating and writing SELinux Security Policies (p. 237 - 362)
Appendix A (p. 364 - 409)

The book is mainly about policies itself and how to implement them.
Writing those policies is most of the time a time intensive and error prone task.

Readers planning on understanding SELinux should bring some time with them to fully understand and appreciate
the examples given for the "example" policy (f.e. strict or targeted) and the "reference" policy.

Whats going to prove useful is the hints given towards which trade-offs you may need to take when deciding
f.e. to use the strict policy. While the topic itself might seem dry for many readers the book will prove
useful for those genuinely interested.

The book does describe the most useful tools to put the reader straight on track and avoid loosing time.
The lovely prepared useful details like the 17 page index are a nice feature you will find yourself refering
to when in need. Some readers might find that they better leave the setup of SELinux to professional service
companies, but still the book serves to get an understanding what you can and possibly cant do with SELinux.

The article "Secure Linux - security kit review" from Hakin9's online library serves as a nice compliment to the book.