GL429 · 4 days · 6+ hrs hands-on labs

RHEL SELinux Policy Administration

Available for RHEL

This hands-on course equips Linux administrators and security professionals with the skills needed to manage and customize SELinux policies on Red Hat Enterprise Linux 9. Students move beyond simply toggling enforcing mode to gain a thorough understanding of the Mandatory Access Control architecture underlying SELinux, including type enforcement, role-based access control, and the policy framework that governs process and file interactions across the system.

The course covers security contexts and labels, enforcing and permissive modes, and file context management with semanage and restorecon. Students learn to configure booleans, manage network port labeling, and examine policy internals with seinfo and sesearch. The curriculum extends into SELinux user and role mappings, targeted and MLS policy types, MCS translation, polyinstantiated directories, and Linux security hardening for virtual machines and containers via sVirt.

Extensive lab exercises give students practical experience troubleshooting AVC denials, analyzing audit logs, generating policy modules with audit2allow, and writing custom policy modules from scratch using type enforcement files, file context definitions, interface files, and m4 macros. Students leave the course prepared to maintain, extend, and troubleshoot SELinux policies in production RHEL environments.

Who Should Attend

Linux system administrators, security engineers, and IT professionals responsible for hardening RHEL systems who need to understand, manage, and extend SELinux policies beyond basic enforcing-mode operations.

Skills You'll Gain

Evaluate when Mandatory Access Control provides security advantages over traditional Unix Discretionary Access Control
Configure SELinux modes and manage enforcement using getenforce, setenforce, and configuration files
Manage file security contexts using chcon, restorecon, and semanage fcontext
Administer SELinux booleans to toggle policy rules with getsebool and setsebool
Configure SELinux network port labels to secure services on standard and non-standard ports
Examine and query loaded SELinux policy using seinfo and sesearch
Map Linux users to SELinux users and roles to implement role-based access control
Troubleshoot SELinux access denials by analyzing AVC audit log messages
Generate custom policy modules from AVC denial logs using audit2allow
Write SELinux policy modules using type enforcement, file context, and interface source files
Manage SELinux policy modules with semodule and configure permissive domains for targeted troubleshooting
Apply SELinux protections to virtualized and containerized environments using sVirt labeling

Chapters & Labs

21 labs · 6+ hours hands-on
  1. Computing Security & SELinux Overview 2 labs · 40 min
  2. Working with SELinux 7 labs · 100 min
  3. Policies
  4. Users & Roles 1 lab · 15 min
  5. Troubleshooting SELinux 1 lab · 15 min
  6. Writing Policy Modules 5 labs · 75 min
  7. Bonus Labs 5 labs · 60 min

Prerequisites

GL120 (Linux Fundamentals) and GL250 (Enterprise Linux Systems Administration), or equivalent experience with Linux command-line administration, file permissions, and service management.