►
From YouTube: Red Hat Enterprise Linux Presents (E15): SELinux Primer
Description
A show that features the people and technology that make Red Hat Enterprise Linux into the world’s leading enterprise Linux platform.
A
B
C
B
C
C
C
Yeah,
so
why
don't
we
just
start
off
with
just
a
little
bit
about
what
sc
linux
is
sc.
Linux
is
a
component
of
the
red
hat
enterprise
linux
kernel
that
applies
contexts
to
files,
ports
and
processes
on
the
system
and
then
has
a
just
enormous
rule
set
that
describes
what
should
be
given
access
to
whom
so
like.
C
If
you
are
a
web
server
process,
you're
running
with
context
and
based
off
of
that
context,
there's
rules
that
say
web
server
processes
should
be
allowed
access
to
the
following
kinds
of
files
and
be
able
to
open
and
connect
to
them.
This
type
of
port
on
the
system.
Yes,
and
so
we
managed
that
just
enormous
set
of
rules
through
something
called
the
essence
policy
and
then
all
the
little
components
kind
of
fall
into
place,
and
so
just
start
diving
into
that.
If
you
would
like.
B
Yeah,
I
just
want
to
point
out
folks
that
the
most
recent
kubernetes
or
run
c
vulnerability
run
c
being
the
container
runtime
underneath
everything
that
basically
runs
in
a
container
these
days.
The
the
vulnerability
was
stopped
dead
in
its
tracks.
If
sc
linux
was
running
in
an
enforced
mode
so
or
enforcing
mode,
I
should
say
sc.
Linux
is
an
awesomely
powerful
tool
and
if.
C
B
C
The
other
thing
that
will
make
your
life
easier
is,
if
you
recognize
that
you
should
just
put
things
where
they're
expected
like,
if
you
do
that,
oh
and
and
run
things
where
they're
expected
right.
So
don't
don't.
Have
your
web
server
attached
to
some
wonky
port
number
because
that's
going
to
create
problems,
but
if
you
attach
it
to
port
80
port
443
things
will
just
work
based
off
of
the
default
sls
policy.
And
if
you
want
to
veer
from
those
defaults,
you
can.
C
C
Right,
so
I
think
this
one
is
probably
the
most
important
right
here
right,
we're
running
an
enabled
mode.
The
other
thing
that
would
be
important
is
the
policy
that
you're
using
again.
This
is
the
set
of
rules
that
get
loaded
we
ship
with
several,
but
the
default
policy
that
we
use
is
called
targeted
because
it
targets
specific
services,
but
leaves
anything
outside
of
that
list
as
unconfined
right.
So
right
processes
that
don't
come
with
rel
are
going
to
run
without
any
seonix
context
applied
to
them.
B
B
Not
familiar
with
the
interface
scott's
using
right
now,
this
is
called
cockpit,
it's
part
of
rel
and
has
been
part
of
fedor
for
a
while.
Now
it
gives
you
a
web-based
terminal
as
well
as,
as
you
can
see,
everything
on
the
left,
a
number
of
like
options
that
you
can
choose
from
to
tweak
your
system
as
desired.
C
Yeah
and
you'll
notice
that
there's
an
s
linux
option
down
here
there
is
which
actually
like
gives
you
some
stuff.
So
for
for
this,
one
right,
sc
status
was
what
we
used
on
the
command
line.
You
could
just
look
here
to
see
whether
sc
linux
is
turned
on
or
off
right
and
we'll
get
to
some
of
these
errors
in
a
minute
but
yeah.
C
Wanting
to
look
around
at
kind
of
what
what
the
components
of
system
are,
there's
an
extra
option
included
in
a
lot
of
the
commands
that
would
interact
with
sc
linux,
go
to
capital
z.
That
will
show
you
the
seo
x
context.
So,
for
example,
I
can
ls
dash
capital
z
and
what
that
adds.
Is
this
field
here
to
our
output
and
that's
the
essay
linux
contexts
of
these
files?
So
I
did
a
listing
in
root's
home
and
you
can
see
that
they're
admin,
home
t
type
files
and
if
I
did
something
in.
B
B
C
B
C
C
A
C
C
B
C
A
A
C
B
B
C
Except
it's
running
on
another
box
which
has
one
browser
tab,
I'm
looking
at
it.
It's
got
one
browser
tab,
it's
debatable!
No,
actually,
the
the
reason
it
takes
so
long
is
because
I've
been
really
terrible
about
being
connected
to
the
vpn
and
making
sure
that
I
have
like
updates
all
the
updates,
yeah
yeah,
and
so
it's.
B
B
B
C
B
It's
not
scattered
there,
they
have
a
front
desk
and
a
back
desk.
The
back
desk
is
like
non-main
computer
there's,
there's
a
fedora
box
and
a
mac
back
there.
They
are
used
for
specific
things,
this
desk,
that
is
on
wheels
and
can
move
around
and
has
a
nice
camera
and
mic
attached
to
it
are
used
for
work
things
like
this
channel,
so
I
don't
want
to
use
a
program
that
would
allow
me
to
use
the
mouse
and
keyboard
on
the
screen
behind
me,
because
I
can't
see
it.
A
C
C
But
if
we
look
at
a
randomly
created
directory
right,
it
is
this
type,
not
httpd,
sys
content,
t
type.
So
if
I
go
in
and
I
update
my
configuration
for
apache-
and
I
tell
it
to
share
content
out
of
this
directory-
it's
not
going
to
work
because
when
it
makes
the
file
open
requests
to
go
into
this
directory
and
start
sharing
files,
it's
going
to
violate
the
select
policy
and,
what's
going
to
happen,
is
the
kernel
will
simply
refuse
to
to
offer
that
action.
C
C
C
C
That's
not
one
of
the
kinds
of
contexts.
Httpdt
type
processes
are
permitted
and
so
to
the
requesting
application,
the
apache
server,
it
was
simply
told.
No,
you
cannot
have
that
action
and
then
the
apache
server
interpreted
that
return
from
the
kernel
as
forbidden,
which
the
unknowing
might
read
this
error
and
go.
Oh,
it's
a
permissions
thing
right
because
it's
forbidden
and
that's
a
permissions
error,
but
right
when
we.
A
C
A
C
Will
look
at
a
configuration
and
we'll
look
at
the
holding
directory,
in
this
case
var
www.html
and
go
okay?
If
someone
was
to
place
a
new
file
in
this
directory,
what
context
should
it
be
given
and
I'll
just
take
that
context
that
I
would
normally
apply
to
new
files
and
I'll
go
ahead
and
adjust
this
file?
You
pass
me
as
an
argument
to
make
sure
it's
the
same.
B
C
C
The
third
piece
is
the
type
there's
the
three
big
ones
and
then
there's
two
additional
but
optional
contacts,
which
is
sensitivity
and
category
sensitivity
and
category
is
used.
If
you
wanted
to
maybe
have
a
much
more
grandiose
setup
where,
in
addition
to
the
process
being
looked
at,
it
should
be
what
user
is
the
process
running
as
or
does
that
user
have
the
right
security
credentials
to
access
this
sensitivity
of
file
and
so
in
a
place
where
information
might
be
offered
at
various
levels
of
security
clearance,
for
example?
C
That's
where
sensitivity
and
category
could
come
into
place
because
just
because
you
are
certified
for
secret
information,
doesn't
necessarily
mean
you
get
access
to
all
secret
information
across
the
entire
organization.
You
should
still
only
get
secret
information,
that's
in
your
specialty
or
your
like
purview
of
of
ability.
C
C
B
Don't
have
to
remember
all
that
fun
stuff
right,
which
it's
all
very
important
and
valid
at
some
point
in
time,
and
you
know,
while
you're
using
sc
linux
but
like
restore
con,
is
just
like
all
right.
I'm
going
to
make
sure
this
entire
directory
is
good
to
go
now
off.
You
go
right
like
I
can
just
basically
say
inherit
and
go.
C
C
I
said
that
if
we
created
this
random
directory
right,
it's
not
in
the
place
that,
where
red
hat
normally
expects
it
to
live,
so
it's
not
going
to
get
contexted
correctly
and
sure
enough
right,
it's
defaulty
and
apache
does
not
have
access
to
that.
We
can
prove
that
by
going
through
and
like
redirecting
stuff
there.
So.
A
C
A
C
A
C
A
C
C
All
right
so
earlier,
when
we
created
the
web
directory,
we
had
changes
context
and
then
it
worked
right.
It
was
getting
access
there
and
everything
was
cool
when
I
put
a
file
inside
of
that
directory,
it
also
got
this
default
t
context
which
apache
is
not
given
access
to.
So
what
happened
was
my
client
requested
the
index
html
the
kernel
refused
it
so
apache
then
served
up
the
test
page
instead.
C
C
C
B
C
B
C
Because
it's
not
looking
at
the
context
of
the
directory
that
owns
it
right
make
the
decision.
It's
actually
looking
at
another
set
of
configuration
on
the
system
to
figure
out
what
it
should
do,
because
slash
web
isn't
in
that
other
place,
it's
defaulty
yeah
yeah.
So
let
me
figure
out
the
command
to
look
that
up
s.
B
A
A
B
C
C
A
C
A
B
B
C
B
C
I
create
subdirectories
here
because
like,
but
maybe
have
some
javascript
app
or
something
else
that
should
live
here,
that
directory
and
any
of
its
ch
children
directories
they'll
all
get
contexted
with
https
content
t
and
if
you
need
to
do
something
like
make
those
scripts
types,
you
could
create
an
additional
se
manage
rule
or
a
file
context
rule
for
that
subdirectory.
That
should
get
a
different
context
to
sign
the
stuff
that's
put
in
there.
C
B
C
C
A
A
C
C
A
C
C
A
C
C
A
C
Nope
still
now
all
right.
Well,
I
don't
know
I
have
to
look
it
up
yeah
it's.
What
I
was
thinking
was
that
the
ordering
inside
the
file
context
settings
might
be
wrong
like
we
need
to
do
the
more
specific
directory.
First,
that's
why
I
deleted
them
both
and
then
added
them
back
in
the
wrong
or
in
the
opposite.
A
C
But
that's
not
that's,
not
clearly,
not
the
problem,
so
something
different,
so
yeah,
maybe
that's!
Maybe
that's
foot
down
trying
to
do
multiple
contacts.
Things
get
harder,
or
maybe
it's
that
if
you
do
a
chikan
dash
capital,
r
or
a
restore
con
dash
capital
r
things
can
get
a
little
bit.
Wonky
weird.
B
B
And
I
should
point
out
in
the
docs
it
says
you
can
use.
You
know
individual
domains
to
set
things
as
permissive
versus
not
permissive
or
enforcing.
Again,
that's
another
thing
where
it's
like
you're
playing
with
fire.
If
you
don't
do
that
right,
you
know
so
sc
linux
is
very
flexible.
You
can
configure
it.
However,
you
see
fit,
but
as
you're
doing
that,
you
have
to
make
sure
that
you're
not
creating
a
security
hole
in
the.
C
B
C
C
C
C
B
B
C
A
A
B
A
B
A
C
C
A
A
C
B
A
A
C
C
B
B
A
C
C
So
when
you
know
what
the
primitives
are
right,
if
you're
process
context
type
your
file
context,
type,
your
port
context
type
and
the
policy
that
kind
of
controls,
the
inner
meshings
of
them,
you
can
then
make
better
decisions
on
like
how
to
approach
fixing
this
sc
linux
related
issue.
Besides
set
force,
zero.
B
B
B
If
it
had
not
been
for
dan's
work,
the
clinics
would
not
exist
or
it
would
be
called
something
completely
different
and
work
completely
differently,
maybe
but
yeah.
Thank
you,
dan
walsh,
for
sc
linux.
I
remember
reading
that
original
nsa
brief
when
it
like
dan
first
wrote
it
so
way
back
in
the
early
2000s.
B
C
B
A
B
B
A
C
B
C
B
B
C
C
B
C
Right
and
at
the
same
time,
you
know,
windows
and
microsoft
were
like
wow
it'd,
be
really
great.
If
we
could
have
like
scripting
language
that
we
can
apply
across
all
our
boxes
and
they
came
up
with
with
the
powershell
and
so
like.
We
were
trying
to
do
things
their
way,
they're
trying
to
do
things
our
way
and
at
some
point
we're
like
wait.
What?
Why
are
we
trying
to
do
things
like
that,
when
our
operating
system
doesn't
actually
kind
of
lend
itself
to
that
method
of
management?