SELinux: NSA's Open Source Security Enhanced Linux
M**A
Dated
The problem with all technical books is that they are quickly dated. I find online information a better source these days.
W**E
vastly improved implementation
SELinux is a conscious attempt to fundamentally rework and improve Linux security. Previously, or more to the point, in most current Linux machines, the security was somewhat of an ad hoc approach. This is mitigated by a formidable array of open source IDS tools like Ethereal and Snort that let a sysadmin often successfully defend her network and machines. But as the frequency and virulence of malware attacks have increased, the SELinux of this book may be a timely reinforcing of the operating system. As McCarty explains, this book is geared towards a sysadmin, as opposed to a programmer. It discusses the new things you should know, especially the concepts of the role-based access model and of domains. The former has shades of DEC's VMS, which had a very mature implementation. Or those of you with mainframe experience may also recognise familiar ideas. Programmers may find the book a little sparse, as mentioned above. But possibly McCarty is devising a sequel for them.
J**E
Not so good
This book is dated, so if you're looking for details on 2.6 kernel implementations you're going to be disappointed. Worse still, the book doesn't cover distributions that don't already have SELinux support. Overall I found the discussion of the theory of SELinux to be good, but implementation details were sorely lacking. Ultimately it didn't answer the questions I had (how do I install SELinux on Mandriva and configure it) so wasn't worth the price.
T**Y
Great Overview to a Potentially Complex Topic
This book is a great introduction to the topic of SELinux because of the information on its developmental background and lucid description of the objectives, advantages and maintenance of a SELinux system. I would recommend this book to someone who has a firm grasp of basic security concepts and programming principles and is interested in getting exposure to the security enhanced model of Linux.
A**S
Deprecated
This book may not be reflective of current systems and solutions for Linux; if used as a reference while avoiding OS-related content, it can be useful. I returned the book as it was not beneficial to the current principles I wished to study.
A**A
Great quality
I was impressed with the quality of the book. This was my first purchase with Amazon, with used books. It looks like a new one. It was a pleasant surprise when I received it. Thank you all for the great and professional job.
D**N
Time for refresh, was great content some SELinux versions ago but is no longer current
Bill's book opened a door to the new world of SELinux which few administrators dared to enter. Over the last 7-8 years many changes have occurred. Simply using the older Discretionary Access Control (DAC) methods is no longer good enough for security. Now, more than a decade after the introduction of SELinux by the U.S. National Security Agency, the open-source world has the ability to configure Mandatory Access Control (MAC) based on the Trusted Computing Base standards for B1/EAL4 processing security based in labels. This impact is bigger than the release of the original Star Wars movie. If O'Reilly will support Mr. McCarty, it's no doubt a well updated "How-to in a detailed Step-by-Step" edition of this historic book will sell, garnering 5 stars. In label-based security the standard DAC permissions (read-write-execute by User ID and Group ID) allow all kinds of system calls to run, which is the crux of malicious attacks. Using TCB-B1 (aka ISO-15408 EAL4) label-based security it's very different. This security design from the past (1970) had remained financially out of reach for decades, yet it's now available to everyone willing to learn. Imagine you went berserk like a mad person with a p-touch, labeling almost everything in computer cyber-space: data files, file systems (aka volumes), individual applications, system processes, users. Then as imperial ruler set your rules of acceptable use for each request (aka context, what gets to use each, with everything else blocked). That is what Bill is showing you. That is precisely how SELinux works in 2013 with full support built into Red Hat Linux distributions. WHEN a buggy script or other bug is exploited by a hacker it no longer means their success with your loss of system integrity (control). Any request not specifically allowed is DENIED. You will probably remain in control of your system if you invested a tad of effort to learn the SELinux implementation. Frankly it's easier than learning Cisco IOS commands.
And just like anything else worth getting paid to perform - you will need some practice. It's far easier than when this book was published. SELinux is the light-saber of Linux so try to be careful with these new powers oh young Jedi in training. Semper fidelis
J**T
Content of the book outdated due to technical developments
When I bought this book, it was the only sensible introduction to SELinux. Today, the content of this book has been overtaken by technical developments, such as the introduction of the modular reference policy among others, so one can only advise anyone interested in this topic to get a more recent work.