Difference between revisions of "NB PandE"

From SELinux Wiki
(New page: = SELinux Permissive and Enforcing Modes = SELinux has three major modes of operation: : '''Enforcing''' - SELinux is enforcing the loaded policy. : '''Permissive''' - SELinux has loade...)
 
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
 
= SELinux Permissive and Enforcing Modes =
 
= SELinux Permissive and Enforcing Modes =
 
SELinux has three major modes of operation:
 
SELinux has three major modes of operation:
 
 
: '''Enforcing''' - SELinux is enforcing the loaded policy.  
 
: '''Enforcing''' - SELinux is enforcing the loaded policy.  
 
+
: '''Permissive''' - SELinux has loaded the policy, however it is not enforcing the policy rules. This is generally used for testing as the audit log will contain the AVC denied messages as defined in the [[NB_AL | Auditing SELinux Events]] section. The SELinux utilities such as '''audit2allow'''(1) and '''audit2why'''(8) can then be used to determine the cause and possible resolution by generating the appropriate allow rules.
: '''Permissive''' - SELinux has loaded the policy, however it is not enforcing the policy. This is generally used for testing as the audit log will contain the AVC denied messages as defined in the [[NB_AL | Audit Logs]] section. The SELinux utilities such as <tt>audit2allow(1)</tt> and <tt>audit2why(8)</tt> can then be used to determine the cause and possible resolution by generating the appropriate allow rules.
+
: '''Disabled''' - The SELinux infrastructure is not enabled, therefore no policy can be loaded.
 
+
: '''Disabled''' - The SELinux infrastructure (in the kernel) is not loaded.
+
  
 
These flags are set in the <tt>/etc/selinux/config</tt> file as described in the [[GlobalConfigurationFiles | Global Configuration Files]] section.
 
These flags are set in the <tt>/etc/selinux/config</tt> file as described in the [[GlobalConfigurationFiles | Global Configuration Files]] section.
  
There is another method for running specific domains in permissive mode using the <tt>permissive</tt> statement. This can be used directly in a user written loadable module or <tt>semanage(8)</tt> will generate the appropriate module and load it using the following example command:
+
There is another method for running specific domains in permissive mode using the permissive statement. This can be used directly in a user written module or '''semanage'''(8) will generate the appropriate module and load it using the following example command:
 
<pre>
 
<pre>
# This example will add a new module in  
+
# This example will add a new module in
# /etc/selinux/<policy_name> # /modules/active/modules/permissive_unconfined_t.pp
+
# /etc/selinux/<SELINUXTYPE>/modules/active/modules/permissive_unconfined_t.pp
# and then reload the policy:  
+
# and then reload the policy:
  
 
semanage permissive -a unconfined_t
 
semanage permissive -a unconfined_t
 
</pre>
 
</pre>
  
The <tt>sestatus(8)</tt> command will show the current policy mode in its output as follows:
+
It is also possible to set permissive mode on a userspace object manager using the <tt>libselinux</tt> function <tt>'''avc_open'''(3)</tt>, for example the [[NB_XWIN | X-Windows object manager]] uses <tt>'''avc_open'''</tt> to set whether it will always run permissive, enforcing or follow the current SELinux enforcement mode.
<pre>
+
SELinux status: enabled
+
SELinuxfs mount: /selinux
+
Current mode: permissive
+
Mode from config file: enforcing
+
Policy version: 24
+
Policy from config file: modular-test
+
</pre>
+
  
 +
The '''sestatus'''(8) command will show the current SELinux enforcement mode in its output, however it does not display individual domain or object manager enforcement modes.
  
 +
 +
{| style="width: 100%;" border="0"
 +
|-
 +
| [[NB_PolicyType | '''Previous''']]
 +
| <center>[[NewUsers | '''Home''']]</center>
 +
| <center>[[NB_AL | '''Next''']]</center>
 +
|}
  
  
 
----
 
----
 
<references/>
 
<references/>
 +
 +
[[Category:Notebook]]
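Review bot: the revision removes the sestatus sample output (the `Current mode: permissive` / `Mode from config file: enforcing` block) and replaces it with a single sentence; that output was the only place the page showed that the running mode and the mode set in /etc/selinux/config can differ, which is exactly the distinction the remaining sentence about sestatus relies on. Suggest keeping a short excerpt of the output next to the new sentence.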

Latest revision as of 14:15, 6 December 2014

SELinux Permissive and Enforcing Modes

SELinux has three major modes of operation:

Enforcing - SELinux is enforcing the loaded policy.
Permissive - SELinux has loaded the policy, however it is not enforcing the policy rules. This is generally used for testing as the audit log will contain the AVC denied messages as defined in the Auditing SELinux Events section. The SELinux utilities such as audit2allow(1) and audit2why(8) can then be used to determine the cause and possible resolution by generating the appropriate allow rules.
Disabled - The SELinux infrastructure is not enabled, therefore no policy can be loaded.

These flags are set in the /etc/selinux/config file as described in the Global Configuration Files section.

There is another method for running specific domains in permissive mode using the permissive statement. This can be written directly into a user-written loadable module, or semanage(8) will generate the appropriate module and load it, as in the following example command:

# This example will add a new module in
# /etc/selinux/<SELINUXTYPE>/modules/active/modules/permissive_unconfined_t.pp
# and then reload the policy:

semanage permissive -a unconfined_t
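As an added example that is not part of the SELinux wiki page, the POSIX shell functions below write the same kind of minimal loadable module that the semanage command above generates, using the permissive statement directly, and extract the permissive statements from existing module sources so a reviewer can see which domains a module leaves unenforced. The module name permissive_<domain>, the 1.0 version string and the function names are assumptions; the build commands in the comments are the standard checkmodule, semodule_package and semodule sequence.

```shell
#!/bin/sh
# Added example, not code from the SELinux wiki page.
# Hypothetical helpers for the permissive statement in a loadable module.

# make_permissive_module DOMAIN OUTDIR
# Writes OUTDIR/permissive_DOMAIN.te (assumed naming) containing a module
# whose only effect is a permissive statement for DOMAIN, and prints the path.
# Rejects anything that is not a plain policy identifier.
make_permissive_module() {
    domain=$1
    outdir=$2
    case "$domain" in
        ''|*[!A-Za-z0-9_]*|[0-9]*)
            printf 'invalid type name: %s\n' "$domain" >&2
            return 1 ;;
    esac
    te="$outdir/permissive_$domain.te"
    cat > "$te" <<EOF
module permissive_$domain 1.0;

require {
    type $domain;
}

# Only the named domain is affected: its denials are logged as AVC
# messages but not blocked; every other domain stays in enforcing mode.
permissive $domain;
EOF
    printf '%s\n' "$te"
}

# list_permissive_statements FILE...
# Prints the domain named by every permissive statement in the given module
# sources, one per line. Useful when auditing a policy tree for domains that
# were left permissive after testing.
list_permissive_statements() {
    sed -n 's/^[[:space:]]*permissive[[:space:]][[:space:]]*\([A-Za-z0-9_][A-Za-z0-9_]*\)[[:space:]]*;.*$/\1/p' "$@"
}

# Build and load the generated module (needs checkpolicy and
# policycoreutils, run as root):
#   checkmodule -M -m -o permissive_unconfined_t.mod permissive_unconfined_t.te
#   semodule_package -o permissive_unconfined_t.pp -m permissive_unconfined_t.mod
#   semodule -i permissive_unconfined_t.pp
# Verify and revert:
#   semanage permissive -l
#   semanage permissive -d unconfined_t
```

The require block is needed because the domain is declared elsewhere in the policy; the module only references it. Removing the module with semanage permissive -d (or semodule -r) returns the domain to enforcing mode without touching the base policy.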

It is also possible to set permissive mode on a userspace object manager using the libselinux function avc_open(3); for example, the X-Windows object manager uses avc_open to select whether it will always run permissive, always run enforcing, or follow the current SELinux enforcement mode.

The sestatus(8) command will show the current SELinux enforcement mode in its output, however it does not display individual domain or object manager enforcement modes.
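The configured mode in /etc/selinux/config and the running mode reported by the kernel are separate things, which is why sestatus prints both a "Current mode" and a "Mode from config file". As an added example that is not part of the wiki page, the POSIX shell functions below read each source independently and flag a mismatch, the check an audit would run to catch a host left in permissive mode by setenforce 0 while its config file still says enforcing. The selinuxfs mount point defaults to /sys/fs/selinux here (older systems mounted it at /selinux); the function names are assumptions, and the config file in the usage comment is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the SELinux wiki page.

# selinux_config_mode FILE
# Prints the value of the last uncommented SELINUX= line in a file laid out
# like /etc/selinux/config (enforcing, permissive or disabled), tolerating
# leading whitespace, spaces around '=' and trailing comments. SELINUXTYPE=
# lines are not matched. Prints "unset" and returns 1 if no SELINUX= line exists.
selinux_config_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" | tail -n 1)
    case "$mode" in
        enforcing|permissive|disabled) printf '%s\n' "$mode" ;;
        *) printf 'unset\n'; return 1 ;;
    esac
}

# selinux_runtime_mode [SELINUXFS]
# Maps the kernel's enforce flag to the same three names: 1 -> enforcing,
# 0 -> permissive, and no readable selinuxfs -> disabled (no policy loaded).
selinux_runtime_mode() {
    fs=${1:-/sys/fs/selinux}
    if [ ! -r "$fs/enforce" ]; then
        printf 'disabled\n'
        return 0
    fi
    case "$(cat "$fs/enforce")" in
        1) printf 'enforcing\n' ;;
        0) printf 'permissive\n' ;;
        *) printf 'unknown\n'; return 1 ;;
    esac
}

# selinux_mode_report CONFIG [SELINUXFS]
# Prints both values in the style of sestatus and returns 2 when they differ,
# so a monitoring job can alert on a runtime mode change that nobody committed
# to the config file.
selinux_mode_report() {
    cfg=$(selinux_config_mode "$1") || cfg=unset
    cur=$(selinux_runtime_mode "$2")
    printf 'Current mode:          %s\n' "$cur"
    printf 'Mode from config file: %s\n' "$cfg"
    [ "$cfg" = "$cur" ] || return 2
}

# Usage on a live system (root not required, selinuxfs is world-readable):
#   . ./selinux_modes.sh
#   selinux_mode_report /etc/selinux/config || echo "mode mismatch"
# Constructed sample config for offline testing:
#   printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > /tmp/config
#   selinux_mode_report /tmp/config /tmp/fake_selinuxfs
```

Like sestatus, this only reports the global enforcement mode; domains made permissive with semanage permissive and object managers that chose their own mode through avc_open(3) are not visible here. On a live system, semanage permissive -l lists the former.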
