2007 SELinux Symposium Tutorials
Introduction to SELinux Policy Development
Instructors: Joshua Brindle and Brian Williams, Tresys Technology
Tutorial Description: Introduction to writing SELinux policies.
Pre-requisites: Familiarity with Linux systems and administration. Basic familiarity with SELinux concepts is a plus.
Audience: Developers, security administrators, and system administrators.
This tutorial will introduce the student to all of the major concepts in SELinux needed to write and understand policies. The tutorial will cover the core concepts in SELinux and Type Enforcement and the techniques for creating a new policy.
At the end of the tutorial, the student will have a solid technical foundation for creating SELinux policies.
Max Attendees: 40
Advanced SELinux Policy Development
Instructors: Spencer Shimko and Chris PeBenito, Tresys Technology
Tutorial Description: Advanced SELinux policy topics including reference policy and hands-on policy writing.
Pre-requisites: The "Introduction to SELinux Policy" tutorial (or equivalent knowledge and experience).
Audience: Policy Developers, security administrators, and advanced system administrators.
This tutorial will focus on advanced SELinux policy development, including reference policy and policy modules. Reference policy is a complete policy that serves as an easier-to-use and easier-to-maintain replacement for the former strict and targeted policies. Policy modules, as opposed to a monolithic policy, provide a method to insert and remove discrete components of policy at runtime. This pair of tools appears in Fedora Core 5, Fedora Core 6, and the upcoming Red Hat Enterprise Linux 5 release.
The tutorial will provide the students with a chance to develop custom policy modules in the SELinux Integrated Development Environment (SLIDE) and test and debug existing policy modules.
This is a hands-on tutorial. Computers will be provided.
At the end of the tutorial, the student will have a solid understanding of how to use the reference policy and policy modules.
Max Attendees: 40
Building Cross-Domain and Perimeter Defense Solutions
Instructors: David Caplan, Tresys Technology, and Nick Selimis, Windermere Group
Tutorial Description: An in-depth look at advanced techniques used to create secure cross-domain and perimeter defense solutions with SELinux.
Pre-requisites: The "Introduction to SELinux Policy Development" tutorial (or equivalent knowledge and experience).
Audience: Developers, security administrators, and advanced system administrators.
Cross-domain and perimeter defense solutions (e.g., firewalls, email proxies, and guards), by their very nature, require strong security that is hard to achieve with traditional security mechanisms. These solutions require comprehensive control over networking and the flow of information within the system, in addition to standard least-privilege and system hardening techniques. SELinux provides an excellent foundation for these types of devices by providing the policy features needed for strong domain separation, kernel-enforced information flow policies, and comprehensive least privilege.
This tutorial covers the basic concepts that make SELinux an excellent choice for cross-domain solutions and network boundary devices, advanced policy development techniques for meeting these unique security requirements, information on how SELinux can meet or exceed common security standards for these devices, and insights into how applications can be architected to best utilize the policy features. This tutorial is based on the in-depth experience of the presenters in creating these types of solutions.
At the end of the tutorial, the student will have a solid understanding of how SELinux can meet the security requirements of cross-domain solutions and network boundary devices.
Max Attendees: 40
Managing SELinux Systems
Instructors: Dan Walsh and Karl MacMillan, Red Hat Inc.
Tutorial Description: This tutorial is a hands-on, practical introduction to managing SELinux. We will cover the basics of what SELinux is and more importantly how to handle problems you may encounter on an SELinux machine. We will cover the way SELinux runs on Fedora Core 6/Red Hat Enterprise Linux 4/Red Hat Enterprise Linux 5 systems.
Pre-requisites: Knowledge of Linux system administration and security. Basic SELinux knowledge is helpful but not required.
Audience: System administrators and security professionals
Topics will include:
- Introduction to the targeted policy
- Modified commands and SELinux utilities
- Understanding SELinux log messages
- Examining the setroubleshoot tool
- Customizing the policy with booleans
- Generating local policy customizations
- Using audit2allow to generate a local policy module
- Managing file labeling
- Backup and disk management with SELinux
- Differences between RHEL4 and RHEL5
- Using system-config-selinux
- Future directions in SELinux targeted policy
This is a hands-on tutorial.
Max Attendees: 20