LinuxQuestions.org
Linux - Certification This forum is for the discussion of all topics relating to Linux certification.
Old 07-01-2011, 03:19 PM   #1
mike_rhce
Member
 
Registered: Jun 2011
Posts: 164

Rep: Reputation: Disabled
That scary Red Hat Exam Topic: SELinux (It's not as difficult as you think)


Yes, SELinux is a published objective for both the RHCSA and RHCE exams. It's also an excellent subject to master as a Linux administrator.

With the help of the US National Security Agency (NSA), SELinux enhances RHEL 6's reputation as a secure operating system. While you can do a lot more with SELinux, the following objectives are cited for the RHCSA: (edited I think at unSpawn's request). I've added my comments on these objectives in italics. But due to the nature of these topics, I can't give a complete answer w/r/t these objectives without citing long passages from my book.

************************
-Set enforcing and permissive modes for SELinux

While that's easy enough to do with commands like setenforce, it can be configured on a permanent basis in the /etc/sysconfig/selinux file.
************************

**************************
-List and identify SELinux file and process context

Run the ls -Z command on your systems (that's a capital -Z). If SELinux is enabled, you'll see output such as

drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html

The file context for the html/ directory shown is that of a system user (system_u), associated with content for HTTP servers (httpd_sys_content_t).

In contrast, to find the SELinux context of a process, run a variation of the ps -Z command. When I run the ps -Zaxl command, isolated on the vsftpd service, I get the following output:

unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 5 0 6597 1 20 0 51976 704 inet_c Ss ? 0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf

which shows how the vsFTP daemon is connected to the vsftpd.conf configuration file with the ftpd_t domain.

************************

************************
-Restore default file contexts

This process is trickier. While the restorecon command is straightforward, it changes contexts based on the configuration shown in various files of the /etc/selinux/targeted/contexts/files directory.

************************

************************
-Use boolean settings to modify system SELinux settings

The booleans are shown in the /selinux/booleans directory. As shown in Chapter 4:

"These settings can be read with the getsebool and modified with the setsebool commands. For example, the following output from the getsebool allow_user_exec_content command confirms that SELinux allows users to execute scripts in either their home directories or from the /tmp directory:

allow_user_exec_content --> on"

Of course, that boolean can be disabled, but as I state later in the chapter, "the -P is required to make the change to the boolean setting survive a system reboot".

****************************

****************************
-Diagnose and address routine SELinux policy violations

One place to start is with the audit.log file in the /var/log/audit directory. It includes information on each SELinux violation. An excellent way to search through this log is with the following command:

sealert -a /var/log/audit/audit.log

***************************

For the RHCE, you'll want to know how to

-Configure SELinux to support

every service listed in the RHCE objectives.

While I'd love to detail that process here, that would require an explanation of many of the nearly 180 booleans shown in the /selinux/booleans directory. One example is the ftp_home_dir boolean, which must be active if you want to configure vsFTP to allow access to user home directories.

Since SELinux is integral to the Red Hat distribution, I describe how you can meet these objectives in detail in many (most?) chapters of my RHCSA/RHCE Red Hat Linux Certification Study Guide (Exams EX200 & EX300), 6th Edition. Of course, there are sections in Chapters 4 and 11 that are dedicated to the process. If you can master the SELinux tasks described in the objectives, you can keep systems in the real-world more secure.

In addition, there are certain things you need to do to make sure that SELinux configuration changes survive a "relabel". Otherwise, the changes you make could disappear if someone disables and then re-enables SELinux on the system.

Last edited by mike_rhce; 07-02-2011 at 11:08 AM.
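The following script is an added example and is not code from the post or from the book it describes. It shows, on constructed sample input, the three things the post asks an RHCSA candidate to read: a context string as printed by ls -Z / ps -Z, the persistent SELINUX= setting from /etc/sysconfig/selinux, and the AVC denial records in audit.log that sealert works from. The function names (context_field, configured_mode, avc_summary) and the sample records are assumptions made here so that the script runs on a machine without SELinux.

```shell
#!/bin/sh
# Added example, not code from the original post. Helpers for reading the
# SELinux artefacts discussed above: a context string (ls -Z / ps -Z output),
# the persistent mode in /etc/sysconfig/selinux, and AVC denial records from
# audit.log. Function names and sample records are constructed here so the
# script runs on a host without SELinux.

# Print one field of a context string: user, role, type or level.
# The MLS/MCS level is everything after the third colon, since a range such
# as "s0-s0:c0.c1023" contains a colon of its own.
context_field() {
    case "$2" in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# Read the persistent mode (enforcing/permissive/disabled) from the text of
# an /etc/sysconfig/selinux file supplied on stdin, ignoring comment lines.
configured_mode() {
    sed -n 's/^SELINUX=//p' | head -n 1
}

# Summarise "type=AVC ... denied" records read from stdin as
#   <count> <source type> <target type> <class> <permission>
# so repeated denials from one domain stand out before you run sealert.
avc_summary() {
    awk '
    /^type=AVC/ && /denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""
        # the permission set sits between "{ " and " }"
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext")      { split(kv[2], c, ":"); src = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            else if (kv[1] == "tclass")   cls = kv[2]
        }
        count[src " " tgt " " cls " " perm]++
    }
    END { for (k in count) print count[k], k }
    ' | sort
}

# Constructed sample records in audit.log format (not real log data): two
# denials of vsftpd (ftpd_t) reading files in a home directory, one denial of
# httpd, and one SYSCALL record that the summary must ignore.
SAMPLE_AVC='type=AVC msg=audit(1309536000.101:401): avc:  denied  { read } for  pid=6597 comm="vsftpd" name="notes.txt" dev=dm-0 ino=1201 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1309536000.101:401): arch=c000003e syscall=2 success=no exit=-13 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=AVC msg=audit(1309536000.102:402): avc:  denied  { read } for  pid=6597 comm="vsftpd" name="report.pdf" dev=dm-0 ino=1202 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1309536000.103:403): avc:  denied  { getattr } for  pid=7102 comm="httpd" path="/home/mike/public_html" dev=dm-0 ino=1300 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir'

# Constructed stand-in for /etc/sysconfig/selinux.
SAMPLE_SYSCONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'

demo_summary() { printf '%s\n' "$SAMPLE_AVC" | avc_summary; }
demo_mode()    { printf '%s\n' "$SAMPLE_SYSCONFIG" | configured_mode; }

# On a real host the samples are replaced by live input, for example:
#   grep '^type=AVC' /var/log/audit/audit.log | avc_summary
context_field 'unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023' type
demo_mode
demo_summary
```

The summary line for ftpd_t against user_home_t is the pattern the post ties to the ftp_home_dir boolean: the denial repeats for every file under the home directory, so counting by source type, target type and class shows the one policy decision behind many log lines.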
 
Old 07-02-2011, 08:03 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
As I await one of my fellow moderators to deal with your post, I would like to say that, while endorsement by one moderator and agreement to post information about your book once is nice, I do not think this constitutes an agreement to advertise your book repeatedly, without prior agreement with this site's owner and without posting anything tangible.
 
1 members found this post helpful.
Old 07-02-2011, 09:22 AM   #3
mike_rhce
Member
 
Registered: Jun 2011
Posts: 164

Original Poster
Rep: Reputation: Disabled
I did get the agreement of one moderator, and had just followed up yesterday to make sure that my additional posts were within the rules of this board.

If an appropriate authority on this board rules otherwise, I shall respect that decision.

Last edited by mike_rhce; 07-02-2011 at 09:26 AM.
 
Old 07-02-2011, 10:09 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Don't get me wrong, I'd rather see things turn the other way, namely you actually posting something that's worth reading like excerpts from the book. I mean even O'Reilly does that...
 
1 members found this post helpful.
Old 07-02-2011, 10:42 AM   #5
mike_rhce
Member
 
Registered: Jun 2011
Posts: 164

Original Poster
Rep: Reputation: Disabled
Dear unSpawn,

I've partially edited my opening post to address what I think you're asking for. If you're OK with that, or have different input, let me know. I'll then finish off the changes to add more substance to each objective listed in the post.

Thanks,
Mike
 