Red Hat Certified Engineer Tutorials

System Service Analysis / Security Enhanced Linux (SELinux)





Subtitles of the Movie

For the RHCE Exam Prep Guide you now need to know security-enhanced Linux. This video provides an overview. We discuss details when we discuss specific services in other videos.

Security-enhanced Linux is based on the concept of mandatory access control. It's where access is controlled through security contexts set on files and directories. Contexts are available in three different categories: user, role, and type. Current security-enhanced Linux contexts can be read with the ls -Z command; that's an uppercase "Z." As you can see, this particular file has a system user, object role, and a user home type, and there are a variety of options available.

When you boot your system, security-enhanced Linux is started based on the settings in the /etc/sysconfig/selinux config file. Security-enhanced Linux can be started in enforcing, permissive, or disabled mode. And by default, security-enhanced Linux uses targeted policies; in other words, network daemons as targeted in the /selinux/booleans directory are protected. As the term Boolean suggests, the value of each such file is either 1 or 0. In other words, they are enabled or disabled. Let's look at the value of the /selinux/booleans/ftp_home_dir file. It's zero. In other words, when remote users access the local FTP server and try to access their home directory, security-enhanced Linux stops them.

Security-enhanced Linux's contexts could be changed with the chcon command. As an example, I'm setting up Web pages on a virtual host, and to make it work with security-enhanced Linux I have to make sure that the contexts are the same as the default. As you may already know, the default configuration file for Web pages is in the /var/www directory. And this gives me the appropriate security-enhanced Linux contexts. What I need to do is use the chcon command to get the contexts of the vhost directory to be the same as the contexts shown here.

With the chcon command, I can specify a user context, specifically system_u. I don't have to specify the role, since it already matches; then I can specify the type. And I apply it to the vhost directory. And there it is. The security-enhanced Linux contexts now match. I could skip a step and just use the reference switch to set the contexts on the vhost directory to be the same as those already set on the /var/www directory.

One more thing about security-enhanced Linux. In Red Hat Enterprise Linux 5 there is a troubleshooting browser. It's available only in the GUI, and I find it to be quite valuable. For example, when I had trouble accessing a home directory using Samba, I saw this entry from the browser, which even included a tip on enabling access. In other words, if I run this command, the next time I try to access my home directory via Samba, at least security-enhanced Linux won't be stopping me.
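The context comparison described above, as an added example that is not part of the video: it reads the context column from two ls -Z lines and prints a chcon command containing only the fields that differ. The ls -Z lines, the /path/to/vhost path and the httpd_sys_content_t type are constructed assumptions, since the subtitles do not name them; the script only prints the command and changes nothing.

```shell
#!/bin/sh
# Added example: work out which parts of an SELinux context (user:role:type)
# differ between a reference directory and a target, then print the chcon
# command that would align them. All sample values below are constructed.

# ctx_from_ls LINE -> context column (user:role:type...) of one `ls -Z` line
ctx_from_ls() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++)
                 if ($i ~ /^[^:]+:[^:]+:[^:]+/) { print $i; exit } }'
}

# ctx_field CONTEXT N -> Nth colon-separated field (1=user, 2=role, 3=type)
ctx_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# chcon_plan REF_CONTEXT TARGET_CONTEXT TARGET_PATH
# Prints "match" when user, role and type already agree; otherwise prints a
# chcon command carrying only the differing fields (-u user, -r role, -t type).
chcon_plan() {
    ref=$1; cur=$2; path=$3; opts=""
    n=1
    for flag in -u -r -t; do
        want=$(ctx_field "$ref" "$n")
        have=$(ctx_field "$cur" "$n")
        [ "$want" = "$have" ] || opts="$opts $flag $want"
        n=$((n + 1))
    done
    if [ -z "$opts" ]; then
        echo "match"
    else
        echo "chcon$opts $path"
    fi
}

# Constructed `ls -Z` lines: the reference directory and the vhost directory.
REF_LINE='drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t html'
TGT_LINE='drwxr-xr-x  root root user_u:object_r:default_t vhost'

REF_CTX=$(ctx_from_ls "$REF_LINE")
TGT_CTX=$(ctx_from_ls "$TGT_LINE")

# The role already matches, so only -u and -t appear in the plan.
chcon_plan "$REF_CTX" "$TGT_CTX" /path/to/vhost
# One-step alternative: chcon --reference=<reference dir> /path/to/vhost
```

After applying the printed command, rerun ls -Z on both directories and confirm that chcon_plan reports "match".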

Tutorial Information

Course: Red Hat Certified Engineer
Author: Michael Jang
SKU: 33845
ISBN: 1-934743-47-X
Release Date: 2008-01-18
Duration: 6.5 hrs / 94 lessons
Captions: For Online University members only
Compatibility: Vista/XP/2000, OS X, Linux
QuickTime 7, Flash 8
