Sven Vermeulen, the author of these two books, is deeply involved in the Gentoo community.
Quoting his biography from the book introduction:
In 2003, he joined the ranks of the Gentoo Linux project as a documentation developer and has since worked in several roles, including Gentoo Foundation trustee, council member, project lead for various documentation initiatives, and (his current role) project lead for Gentoo Hardened SELinux integration and the system integrity project.
He is knowledgeable technically, pedagogically and in SELinux. In these books he uses that talent to shed light on a domain which is often perceived as obscure and daunting, explaining in a clear and effective way how and why things are the way they are, so that everything finally falls into place.
Don’t let the affiliation with the Gentoo project make you think that these books are only about Gentoo. They take into account the various implementations of SELinux; in particular the first volume, *SELinux System Administration*, takes the time to compare the notable differences between the Red Hat and Gentoo implementations and the reasons behind them.
Having bought this book some time ago, I have only read the first edition, which ran to 120 pages. While writing this article I see that Sven has published a second edition which is now 285 pages (!).
Checking the new table of contents, this massive update adds whole new chapters on Docker and virtualization and on D-Bus and systemd, and also seems to borrow some content from the SELinux Cookbook.
SELinux System Administration is the first book of the set and goes from introducing SELinux to the reader to making them able to administer SELinux.
From the start of the book, the reader is taken very gently into this domain which, due to the lack of proper documentation, is often reputed to be highly complex and daunting.
Sven however manages to explain things clearly, progressing step by step. At the beginning, the reader is not expected to know anything about SELinux and is given a general overview of how and why SELinux works. At the end of the journey, the reader is capable of using SELinux sensibly to improve day-to-day security and to troubleshoot potential issues.
While the 120 pages of the edition I read may seem short, Sven’s writing is really to the point and dense while still remaining clear and easy to follow, with countless practical examples to keep the link with real-world situations.
I’m always impressed by people managing to keep things short and concise while still remaining clear and complete. Sven manages to do it, thanks to his experience in documentation writing and probably thanks to the help of the numerous other people who participated in this project: this book is indeed not the work of a lone person, and a dozen other names are mentioned in the introduction. There is no secret to achieving high-quality books such as this one.
So, as a conclusion, if you would like to start with SELinux or complete your knowledge of this technology, you can blindly go for this book. There are other, older books on the subject, but SELinux is a fast-moving target and most if not all of their content is most likely outdated by now. I don’t know of any other recent book on this topic and don’t see the need for one yet (especially since the latest update keeps its content fresh), since this one has all you need to start with and administer SELinux.
SELinux has always been known to rely on complex sets of rules. One of the things the first book explains is that writing and maintaining those core rules is the duty of the upstream distribution and SELinux project teams.
Expecting a lone administrator to write a complete SELinux policy from scratch is not only a complex and daunting task, it is insane. Under normal circumstances, SELinux administration comes down to two main tasks which do not require touching the policy rules at all:
- Ensuring that all objects (such as files, network ports, etc.) are correctly labeled.
- Setting the boolean values where SELinux behaviour must differ from the default.
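To make those two routine tasks concrete, here is a small offline drift check that I added for this review; it is not code from either book nor from Sven. It takes constructed excerpts in the formats the real tools produce (a file_contexts specification as shown by `semanage fcontext -l`, a `<context> <path>` listing as `ls -Z` prints, and `getsebool -a` output), reports which paths carry a label other than the one the specs prescribe and which booleans deviate from a hypothetical site baseline (`DESIRED_BOOLEANS`), and suggests the standard `restorecon` / `setsebool -P` fixes without running them. The label lookup follows libselinux's rule that a file_contexts regex is anchored to the whole path and the last matching spec wins, but it is a simplified assumption: the file-type qualifier (`--`, `-d`, ...) is parsed and ignored.

```python
"""Offline drift check for the two routine SELinux administration tasks:
(1) are files labeled as the file-context specs say, (2) do the booleans
hold the intended values.  Added example; all inputs are constructed."""
import re
# Constructed file_contexts excerpt: <regex> [<file type>] <context>
FILE_CONTEXTS = """\
/var/www(/.*)?          system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?  system_u:object_r:httpd_sys_script_exec_t:s0
/srv/www(/.*)?          system_u:object_r:httpd_sys_content_t:s0
/srv/www/uploads(/.*)?  system_u:object_r:httpd_sys_rw_content_t:s0
/etc/ssh/sshd_config    --  system_u:object_r:etc_t:s0
"""
# Constructed listing in the shape `ls -Z` prints: <context> <path>
LS_Z_OUTPUT = """\
system_u:object_r:httpd_sys_content_t:s0 /srv/www/index.html
unconfined_u:object_r:user_home_t:s0 /srv/www/uploads/avatar.png
system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/hello.cgi
system_u:object_r:etc_t:s0 /etc/ssh/sshd_config
"""
# Constructed `getsebool -a` output
GETSEBOOL_OUTPUT = """\
httpd_can_network_connect --> off
httpd_can_network_connect_db --> on
httpd_enable_homedirs --> off
ftpd_anon_write --> on
"""
# Hypothetical site baseline: the value each boolean of interest must have
DESIRED_BOOLEANS = {
    "httpd_can_network_connect": False,
    "httpd_can_network_connect_db": True,
    "httpd_enable_homedirs": False,
    "ftpd_anon_write": False,
}

def parse_file_contexts(text):
    """[(compiled anchored regex, file-type qualifier or None, context)], in file order."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) == 3:
            regex, ftype, ctx = parts
        elif len(parts) == 2:
            regex, ctx = parts
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        specs.append((re.compile("^" + regex + "$"), ftype, ctx))  # whole-path match
    return specs

def expected_context(path, specs):
    """Label a path as libselinux does: the last matching spec wins.
    Simplification: the file-type qualifier (--, -d, ...) is ignored."""
    for regex, _ftype, ctx in reversed(specs):
        if regex.match(path):
            return ctx
    return None  # no spec covers this path

def find_mislabeled(ls_z_text, specs):
    """[(path, actual, expected)] for paths whose on-disk label differs from the specs."""
    bad = []
    for line in ls_z_text.splitlines():
        if line.strip():
            actual, path = line.split(None, 1)
            want = expected_context(path, specs)
            if want is not None and want != actual:
                bad.append((path, actual, want))
    return bad

def parse_getsebool(text):
    """Parse `name --> on|off` lines into {name: bool}."""
    state = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+-->\s+(on|off)$", line.strip())
        if m:
            state[m.group(1)] = m.group(2) == "on"
    return state

def boolean_drift(actual, desired):
    """{name: (current value or None if unknown, wanted value)} for every deviation."""
    return {name: (actual.get(name), want)
            for name, want in desired.items() if actual.get(name) != want}

def remediation_commands(mislabeled, drift):
    """The standard fixes, returned as strings rather than executed:
    relabel each affected directory, then persistently set drifted booleans."""
    cmds = [f"restorecon -Rv {d}"
            for d in sorted({p.rsplit("/", 1)[0] for p, _, _ in mislabeled})]
    cmds += [f"setsebool -P {n} {'on' if want else 'off'}"
             for n, (_cur, want) in sorted(drift.items())]
    return cmds

def audit():
    """Run both checks on the constructed inputs: (mislabeled, drift, commands)."""
    specs = parse_file_contexts(FILE_CONTEXTS)
    mislabeled = find_mislabeled(LS_Z_OUTPUT, specs)
    drift = boolean_drift(parse_getsebool(GETSEBOOL_OUTPUT), DESIRED_BOOLEANS)
    return mislabeled, drift, remediation_commands(mislabeled, drift)
```

Calling `audit()` on these inputs flags `/srv/www/uploads/avatar.png` (labeled `user_home_t` where the spec says `httpd_sys_rw_content_t`) and `ftpd_anon_write` (on, baseline says off), and suggests `restorecon -Rv /srv/www/uploads` followed by `setsebool -P ftpd_anon_write off`. On a real system you would feed it the actual `semanage fcontext -l`, `ls -Z` and `getsebool -a` output; a path that no spec covers is reported as nothing here, which is exactly the case where a site-specific `semanage fcontext -a -t <type> '<regex>'` followed by `restorecon` is the proper administrative answer rather than a policy change.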
However, there may come a time when those basic tasks are not enough to properly match the specific needs of a complex or unusual environment. In such cases you need to go a step further than SELinux administration and enter the realm of SELinux policy development.
This is what the SELinux Cookbook is about. It starts by detailing how to build a proper SELinux development environment, including links to some useful scripts developed by the author himself to help with common tasks.
Then, for a wide range of domains, the author analyses several cases: for each he describes a concrete initial situation, the exact steps to solve it and the background explanation of the solving process, allowing you to better adapt it to your own needs and requirements.
This is a cookbook and it addresses advanced SELinux topics, so reading it from cover to cover may be less of the “comfortable trip” that Sven offered us in the first volume. However, the content of the book remains organized in a logical manner, and personally I really enjoyed reading it, as Sven remains just as efficient at explaining complex things in a simple yet accurate way. I think it is even preferable to read the full book at least once to get a better idea of the various features you can leverage in SELinux, before using it as an actual cookbook.
People not already familiar with SELinux should not start directly with this book but should use Sven’s SELinux System Administration as an introduction. Having read and practiced its content a bit is however enough to fully follow the SELinux Cookbook.
The SELinux Cookbook is suitable both for people who have to use SELinux in an advanced way and for people simply wanting to know more about SELinux without having any direct need to apply its solutions.