Advanced SELinux


Development & Administration of Mandatory Access Control Policy

Learn more


This training is dedicated to students who want to learn in detail how SELinux really works internally, how to manage the existing policy and how to create their own SELinux policy modules from scratch for unsecured local and network services.

Together with participants, we will go through attack vectors and malicious methods used by attackers directly in confrontation with SELinux. We focus a lot on detailed analysis of Linux security subsystems, hardening options, and confinement of local and network services in battle with modern exploitation techniques.


  • Discretionary Access Control vs Mandatory Access Control
  • Analysis and practical use of Linux exploits and vulnerabilities:
    • Invalid read, use-after-free, out-of-bound, stack and heap overflows, null pointer dereference, syscall hooking, and more.
  • SELinux Architecture and capabilities:
    • Flask Model
    • Mandatory Access Control
    • Rule Based Access Control
    • Multi Level Security
    • Multi Category Security
    • domains and types, security context, domain and type transition
  • Analysis of targeted SELinux policy:
    • Source code analysis of RHEL / CentOS and Tresys Reference Policy
    • Types and modes
    • Filesystem locations
  • SELinux module development and compilation:
    • Syntax of m4 language
    • Classes and objects
    • Interfaces and macros
    • Aliases, types, and attributes
    • Boolean variables definition
    • Compilation modes
  • Access Vector Cache.
  • Tools used to create and modify SELinux policy.
  • Creating SELinux users and roles.
  • Using SELinux for hardening Docker containers and cloud environments.
  • SELinux against exploits → real security use-cases.
  • SELinux tips and tricks.
  • Final project.

Time Duration

2 days (9:00am - 5:00pm)

Who should attend

  • Linux Engineers
  • System Architects
  • DevOps and DevSecOps team members
  • Security Engineers

TRAINER: Leszek Miś

Leszek Miś is the Founder of Defensive Security, Principal Trainer and Security Researcher with over 15 years of experience in Cyber Security and Open Source Security Solutions market. He went through the full path of the infosec carrier positions: from OSS researcher, Linux administrator and system developer, Solution Engineer, DevOps and CI, through penetration tester and security consultant delivering hardening services and training for the biggest players in the European market, to become finally an IT Security Architect / SOC Security Analyst with deep non-vendor focus on Network Security attack and detection. He’s got deep knowledge about finding blind spots and security gaps in corporate environments. Perfectly understands technology and business values from delivering structured, automated adversary simulation platform.

Recognized speaker and trainer: BruCON, Black Hat US, OWASP Appsec US, FloCon US, Hack In The Box DBX/AMS, Infosec in the City SG, Nanosec Asia, Confidence PL, PLNOG, Open Source Day PL, Red Hat Roadshow. Member of OWASP Poland Chapter.

Holds many certifications: OSCP, RHCA, RHCSS, Splunk Certified Architect.

His areas of interest include network “features” extraction, OS internals and forensics. Constantly tries to figure out “what da **ck” the AI/ML Network Security vendors try to sell. In free time he likes to break into “IoT world” just for fun.

Still learning hard every single day.


If interested in dedicated, closed training for your Linux Security team let us know. We love delivering on-site training sessions!