Understanding SELinux, Part 2

Controlling SELinux

The getenforce command gets the current mode of SELinux. It reports whether SELinux is Enforcing, Permissive, or Disabled.

On a system with SELinux disabled, it will display the following:

[root@station20 ~]# getenforce
Disabled

On a system with SELinux in Permissive Mode, it will display:

[root@vbg ~]# getenforce
Permissive

On a system with SELinux in Enforcing Mode, the following will be displayed:

[root@vbg ~]# getenforce
Enforcing

setenforce modifies the mode SELinux is running in. It is used to toggle between Permissive and Enforcing mode when SELinux is enabled. It cannot turn SELinux on for a system that was booted with it disabled: that requires changing the configuration file and rebooting.

To activate “Enforcing mode” on an SELinux-enabled system, run:

[root@vbg ~]# setenforce 1

To check the current status, use getenforce. To activate Permissive SELinux mode, execute:

[root@vbg ~]# setenforce 0

The sestatus command is used to get the status of a system running SELinux. Apart from mentioning the current mode of SELinux, it gives more information about the SELinux policy.

On a system with SELinux disabled, it will display:

[root@station20 ~]# sestatus
SELinux status:                 disabled

On a System with SELinux in Permissive Mode, it will display:

[root@vbg ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        targeted

The first line informs us that SELinux is enabled on this system. The second line is of great significance. It displays the mount point of the SELinux pseudo file system. This file system is quite like the proc and sys file systems, and contains runtime information about your SELinux mode and various other things. (On newer distributions it is mounted at /sys/fs/selinux rather than /selinux; sestatus shows you which one applies.)

You can change run time parameters of the SELinux system by directly writing to the files in this pseudo file system. As an example, just issue this command as the root user:

[root@vbg ~]# echo 1 > /selinux/enforce

You will see that the mode of SELinux has changed from Permissive to Enforcing.

To return back to Permissive Mode, you can run either of the commands:

[root@vbg ~]# echo 0 > /selinux/enforce

…or:

[root@vbg ~]# setenforce 0

The third line mentions the current SELinux mode, whereas the fourth line mentions the mode set in the configuration file, which is the mode the system will use at its next boot (normally the one it booted with, unless the file has been edited since). The fifth line mentions the version number of the policy (we will come to this later in this series) and finally, the sixth line mentions the policy named in the configuration file (/etc/sysconfig/selinux, which on Red Hat systems is a symbolic link to /etc/selinux/config) and loaded at boot time.
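The commands above are usually typed one at a time; the script below, which is an added example and not part of the original article, puts them together into a read-only check. It locates the selinuxfs mount point from /proc/mounts instead of hard-coding /selinux, reads the runtime mode from the enforce file, and compares it with the SELINUX= line of the config file so that a box someone quietly set to permissive with setenforce 0 stands out. The /proc/mounts and config text embedded in it are constructed samples; the path /etc/selinux/config is assumed.

```sh
#!/bin/sh
# Added example (not from the article): read the runtime SELinux mode straight
# from the selinuxfs pseudo file system and compare it with the boot-time
# setting in the config file. The /proc/mounts and config text below are
# constructed samples; the live part at the end only reads, never writes.

SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
#     enforcing - SELinux security policy is enforced.
SELINUX=enforcing
SELINUXTYPE=targeted'

# Mount point of selinuxfs, taken from /proc/mounts-style text on stdin.
# Older systems mount it at /selinux, newer ones at /sys/fs/selinux, so do
# not hard-code either path.
selinuxfs_mount() {
    awk '$3 == "selinuxfs" { print $2; exit }'
}

# <mount>/enforce holds a single digit; map it to the word getenforce prints.
mode_from_enforce_flag() {
    case "$1" in
        0) echo Permissive ;;
        1) echo Enforcing ;;
        *) echo "unexpected value in enforce: $1" >&2; return 1 ;;
    esac
}

# SELINUX= value from config-file text on stdin (comments ignored, last one wins).
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' | tail -n 1
}

# Succeeds when the runtime mode matches the configured one. A mismatch
# usually means someone ran setenforce 0 (or echo 0 > .../enforce) after boot.
mode_matches_config() {
    runtime=$(echo "$1" | tr '[:upper:]' '[:lower:]')
    [ "$runtime" = "$2" ]
}

# Read-only report for this host; silent where selinuxfs is not mounted.
live_report() {
    mnt=$(selinuxfs_mount 2>/dev/null < /proc/mounts) || return 0
    [ -n "$mnt" ] && [ -r "$mnt/enforce" ] || return 0
    runtime=$(mode_from_enforce_flag "$(cat "$mnt/enforce")") || return 0
    # /etc/selinux/config is the real file; /etc/sysconfig/selinux links to it.
    boot=$(config_mode 2>/dev/null < /etc/selinux/config)
    echo "selinuxfs: $mnt  runtime: $runtime  config: ${boot:-unknown}"
    if [ -n "$boot" ] && ! mode_matches_config "$runtime" "$boot"; then
        echo "warning: runtime mode ($runtime) differs from config ($boot)" >&2
    fi
}

live_report
```

Run it as any user; reading the enforce file needs no privilege, which is also why the warning it prints is worth having in a host-inventory or audit job: setenforce 0 leaves no trace in the config file, so only a comparison like this one catches it.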

Understanding various types of policies

By definition, an SELinux policy is a collection of rules for SELinux Mandatory Access Controls. Each one of us can make a policy to suit our needs much like we define firewall rules through iptables. There can be no standard policy that can apply to all situations.

By default, there are two policies shipped along with Red Hat Enterprise Linux: Targeted and Strict. (Later releases drop the Strict policy in favour of the MLS and Minimum policies; Targeted remains the default.)

The Targeted Policy is the first step in assisting system administrators to understand and implement SELinux. It only ‘targets’ certain network daemons such as the Apache web server, the FTP server, the BIND DNS server and a few others, while leaving the vast majority of end-user applications largely untouched. Everything that is not targeted runs in an ‘unconfined’ domain (an interesting paradox: a domain whose purpose is not to confine), and the policy applies almost no access control restrictions to processes in that domain.

This allows sysadmins to concentrate on the really vulnerable network applications and services while not interfering with their daily tasks.
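A quick way to see the targeted policy's split between confined daemons and the unconfined domain is to look at the domain (the third field of each process's security context) in the output of ps -eZ. The script below is an added example, not part of the original article; the ps listing embedded in it is a constructed sample, and the daemon domain names in it (httpd_t, named_t, ftpd_t) are the usual ones from the reference policy.

```sh
#!/bin/sh
# Added example (not from the article): summarise which processes the
# targeted policy actually confines. The ps -eZ listing below is constructed.

SAMPLE_PS='LABEL                                     PID TTY          TIME CMD
system_u:system_r:init_t:s0                 1 ?        00:00:01 init
system_u:system_r:httpd_t:s0             1234 ?        00:00:00 httpd
system_u:system_r:named_t:s0             1300 ?        00:00:00 named
system_u:system_r:ftpd_t:s0              1410 ?        00:00:00 vsftpd
unconfined_u:unconfined_r:unconfined_t:s0 2001 pts/0    00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0 2077 pts/0    00:00:00 vim'

# A context is user:role:type:level; for a process the type is its domain.
domain_of() {
    echo "$1" | cut -d: -f3
}

# Print "domain command" for each process running outside unconfined_t,
# i.e. the ones the targeted policy really restricts. Input is ps -eZ text.
confined_processes() {
    awk 'NR > 1 { split($1, c, ":"); if (c[3] != "unconfined_t") print c[3], $NF }'
}

# Number of processes the policy leaves alone.
unconfined_count() {
    awk 'NR > 1 { split($1, c, ":"); if (c[3] == "unconfined_t") n++ } END { print n + 0 }'
}

# Live listing, only attempted where selinuxfs is mounted (old or new path).
if [ -e /sys/fs/selinux/enforce ] || [ -e /selinux/enforce ]; then
    echo "confined processes on this host:"
    ps -eZ | confined_processes
    echo "unconfined processes: $(ps -eZ | unconfined_count)"
fi
```

On a default targeted install, expect the web, DNS and FTP daemons to show up under their own domains while every login shell and the programs started from it report unconfined_t; a daemon that appears as unconfined_t is one the policy is not protecting.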

Once the nuts and bolts of SELinux are clear to administrators, they should move forward towards implementing the SELinux Strict Policy.

The Strict Policy, on the other hand, is a true restrictive Access Control Policy. Before implementing this policy, make sure you understand SELinux concepts and policies well.


4 Comments

  1. Nonefdf says:

    very bad
    keep it simple stupid
    i dont care the adventures of your httpd server

  3. Linux says:

    Excellent tutorials – really love the way you have organized the content.

  4. Andrey says:

    Thanks for this tutorial..I have started to understand better
