
| wearetheborg |
Posted: May 2 2011, 06:00 PM
SLF Advocate | Group: Members | Posts: 352 | Member No.: 18 | Joined: 11-April 11
I would like to study SELinux and AppArmor, and become proficient in using them.
Are there any guides, tutorials or books for noobies?

| thomei |
Posted: May 2 2011, 07:19 PM
SLF Member | Group: Members | Posts: 80 | Member No.: 38 | Joined: 12-April 11
guides, tutorials:
Getting Started with SE Linux
A step-by-step guide to building a new SELinux policy module
AppArmor Admin Guide
AppArmor - Ubuntu
books:
SELinux ISBN: 978-0596007164
--------------------
thomei
think free, think Linux

| wearetheborg |
Posted: May 2 2011, 07:51 PM
SLF Advocate | Group: Members | Posts: 352 | Member No.: 18 | Joined: 11-April 11
Thanks!
Some of the resources are pretty old and outdated I gather (e.g. the book) though.

| joka |
Posted: May 2 2011, 08:32 PM
SLF Member | Group: Members | Posts: 121 | Member No.: 107 | Joined: 28-April 11
IMO the best publicly available starting point for SE-Linux is the RHEL 6 SELinux Guide
Also interesting and informative are the articles in Dan Walsh's Blog

| schotty |
Posted: May 3 2011, 07:47 AM
SLF Newbie | Group: Members | Posts: 7 | Member No.: 112 | Joined: 30-April 11
Although at work right now, I have some off the top of my head that I can pull up here. I am having issues with Internet Exploder here being so old and crippled that some pages heavy on ajax aren't working right. But these should get you going.

If you are completely new to SELinux, read thru all of these top few first. Get the gist of what the hell SELinux really is, how it works, and what and why things are done. The main wiki has some really good breakdowns that are generic to any distro (been a while since I went thru em all), but will get you to understanding a lot of things. Then move on to the Fedora/Red Hat ones to start tailoring what you need to what the RH folk and Fedora teams pre-setup for you.

IMNSHO, killing off SELinux because of a weird error is a flat out stupid maneuver if you have a system that you want secure in the slightest. The way the policies work is not too different in end user implementation than a firewall is. And in some ways this is a firewall for applications, rather than packets. If a program is getting pissey, fix it. It's not hard (well, except for wine, but that's another ball of wax ...). But for some reason I see a lot of people say to disable it. Don't. Just fix the problems that the troubleshooter warns you of.

Have fun!

And the links:
http://www.nsa.gov/research/selinux/
http://selinuxproject.org/page/Main_Page
http://docs.fedoraproject.org/en-US/Fedora/14/html/Security_Guide/index.html
http://wiki.centos.org/HowTos/SELinux
https://access.redhat.com/knowledge/docs/Red_Hat_Enterprise_Linux/ which points to
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/96/html-single/Security-Enhanced_Linux/index.html
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/96/html-single/Security_Guide/index.html

| U308 |
Posted: May 3 2011, 02:27 PM
SLF Advocate | Group: Members | Posts: 486 | Member No.: 32 | Joined: 11-April 11
Good links, lots of reading hours
Am I right in saying that we already have some protection out of the box? Those files in / are all not unconfined meaning of course that they are confined.

    $ ls -Z firefox
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0 firefox
    $

| wearetheborg |
Posted: May 3 2011, 04:00 PM
SLF Advocate | Group: Members | Posts: 352 | Member No.: 18 | Joined: 11-April 11
Thanks schotty!

| joka |
Posted: May 3 2011, 07:47 PM
|
|||||
|
SLF Member ![]() ![]() ![]() Group: Members Posts: 121 Member No.: 107 Joined: 28-April 11 |
Regarding Firefox: no. The command above just says that firefox has the default label (security context) of a binary file. The standard SELinux policy of SL or Fedora has no specific rules for Firefox or other desktop applications. Protected out of the box are mainly services (to prevent that a successful exploit gets root access). However, SL 6 has SELinux based sandbox. The command
would start Firefox in an isolated sandbox and in its own nested X server. Try out URL file:///home/MyUserId in sandbox'd Firefox Package that provides sandbox is: policycoreutils-sandbox |
|||||
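The distinction drawn in the post above, between the label on a file and the domain a running process ends up in, as an added example that is not part of the original thread: a shell sketch that reads `ps -eZ` output and marks each process as confined or unconfined. The `ps` lines (including the daemon name `mydaemon`) are constructed samples, and the list of unconfined domain types is an assumption based on the RHEL 6 targeted policy.

```sh
#!/bin/sh
# Domain types treated as unconfined. Assumption for this example, taken from
# the RHEL 6 targeted policy; other policies may define more.
UNCONFINED_TYPES="unconfined_t initrc_t kernel_t"

# context_type CONTEXT: print the type, the third field of user:role:type:level.
# The level may itself contain colons (s0-s0:c0.c1023), so only field 3 is cut.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_unconfined TYPE: succeed if TYPE is one of UNCONFINED_TYPES.
is_unconfined() {
    case " $UNCONFINED_TYPES " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_procs: read `ps -eZ` output on stdin, print "CMD DOMAIN STATE".
classify_procs() {
    while read -r label _pid _tty _time cmd; do
        [ "$label" = "LABEL" ] && continue   # header line
        [ -n "$cmd" ] || continue            # short or malformed line
        domain=$(context_type "$label")
        if is_unconfined "$domain"; then state=unconfined; else state=confined; fi
        printf '%s %s %s\n' "$cmd" "$domain" "$state"
    done
}

# Constructed sample of `ps -eZ` output (not captured from a real host).
sample_ps() {
    cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:httpd_t:s0     1234 ?        00:00:01 httpd
system_u:system_r:sshd_t:s0-s0:c0.c1023 987 ?  00:00:00 sshd
system_u:system_r:initrc_t:s0    4321 ?        00:00:00 mydaemon
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2345 pts/0 00:00:05 firefox
EOF
}

# The file label from the thread: bin_t is a file type, not a process domain.
context_type "system_u:object_r:bin_t:s0"
# What decides confinement is the domain of the running process.
sample_ps | classify_procs
# On a live system: ps -eZ | classify_procs
```
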
| AndrewSerk |
Posted: May 3 2011, 09:40 PM
SLF Moderator | Group: Moderators | Posts: 524 | Member No.: 54 | Joined: 14-April 11
That is a great tip! Thanks joka

| wearetheborg |
Posted: May 3 2011, 09:45 PM
SLF Advocate | Group: Members | Posts: 352 | Member No.: 18 | Joined: 11-April 11
That is sweet!

| U308 |
Posted: May 4 2011, 09:04 AM
SLF Advocate | Group: Members | Posts: 486 | Member No.: 32 | Joined: 11-April 11
Thank you for that info joka!

| irlandes |
Posted: May 4 2011, 02:46 PM
SLF Member | Group: Members | Posts: 57 | Member No.: 22 | Joined: 11-April 11
So, that is what the sandbox packages I saw when I was "shopping" were all about.

| wearetheborg |
Posted: Sep 18 2012, 02:12 AM
SLF Advocate | Group: Members | Posts: 352 | Member No.: 18 | Joined: 11-April 11
Is there a way to pass a directory (say Downloads) where the sandboxed program can download and upload programs to? And to use
do I need to set up SELinux first, or can I just run as is (after package installation of selinux and policycoreutils-sandbox)?