9.11 The Road Ahead
Having completed this chapter, you know quite a bit about SELinux and
typical SELinux policies. If you're content to run
only relatively popular applications and prefer to rely on others for
assistance in troubleshooting and fixing the occasional problems that
you're likely to run into when using SELinux,
you'll know pretty much all you need to know.
But typical Linux users are seldom so complacent. Those that desire
even greater control over their computing affairs have merely begun
to learn what they need to know about SELinux. This book has covered
the fundamentals. But the SELinux policy is a sophisticated software
unit whose mastery demands significant study and experimentation.
Moreover, SELinux is still a relatively new software product and is
constantly undergoing change. So in working with SELinux, you should
anticipate that you will encounter many interesting puzzles and
challenges. If you resemble the typical Linux user,
you'll enjoy tackling and overcoming these. You
should also anticipate that your growing SELinux expertise will
enable you to better secure your systems and applications, which
should help you, and your management, sleep more soundly.
SELinux and the SELinux sample policy are powerful tools for securing
systems. But like other security tools, their proper installation and
ongoing use demand significant expertise. From this book, you can
learn how SELinux works and the syntax and semantics of the SELinux
policy language. But mastery of SELinux demands thorough
understanding of the policy domains associated with principal
programs and applications installed on your systems. And since
SELinux and its policies are regularly updated and improved,
understanding arises only from an ongoing process of study and
learning.
Here are some tips for developing a progressively greater
understanding of SELinux:
- Maintain at least one system dedicated for testing new and revised
  SELinux policies and releases.
- Begin a study of the TE files associated with important programs and
  applications.
- Regularly review postings to relevant e-mail lists such as
  fedora-selinux-list@redhat.com and SELinux@tycho.nsa.gov.
- Experiment by creating new policies and observing the results.
May all your policies build correctly the first time and authorize
neither too few nor too many permissions!