Security-Enhanced Linux: Managing Confined Services

January 21, 2009

My employer, Red Hat, is allowing me to work on another Security-Enhanced Linux (SELinux) guide for Fedora. The name is not decided yet, but will be something like “Security-Enhanced Linux: Managing Confined Services”.

The guide is aimed at system administrators. It is planned to cover a brief introduction to SELinux, confined and unconfined services, and how to perform system administration tasks without turning SELinux off. Services will include the Apache HTTP Server, Samba, FTP, BIND, and NFS… Some of the tasks include:

* sharing files via Samba, FTP, NFS, and HTTP.
* sharing files between multiple services (for example, files accessible to the Apache HTTP Server (httpd) and FTP (vsftpd)).
* managing DNS and BIND (for example, allowing named to accept zone updates).
* customizing the ports services listen on.
* using non-default directories to store files for services.

It is planned to go into detail about the types available for each service, as well as Booleans to cater for ways services can be run. Hopefully some of these items can find their way back into the man pages.

A brief (and in progress) information plan and content specification can be found at, which covers items to include. Feel free to mail me (mmcallis redhat com) with any ideas or things you would like included.