NB PandE

From SELinux Wiki
Revision as of 20:48, 13 September 2010 by Jaxelson (Talk | contribs)

Jump to: navigation, search

SELinux Permissive and Enforcing Modes

SELinux has three major modes of operation:

Enforcing - SELinux is enforcing the loaded policy.
Permissive - SELinux has loaded the policy, however it is not enforcing the policy. This is generally used for testing as the audit log will contain the AVC denied messages as defined in the Audit Logs section. The SELinux utilities such as audit2allow(1) and audit2why(8) can then be used to determine the cause and possible resolution by generating the appropriate allow rules.
Disabled - The SELinux infrastructure (in the kernel) is not loaded.

These flags are set in the /etc/selinux/config file as described in the Global Configuration Files section.

There is another method for running specific domains in permissive mode using the permissive statement. This can be used directly in a user written loadable module or semanage(8) will generate the appropriate module and load it using the following example command:

# This example will add a new module in 
# /etc/selinux/<policy_name> # /modules/active/modules/permissive_unconfined_t.pp
# and then reload the policy: 

semanage permissive -a unconfined_t

The sestatus(8) command will show the current policy mode in its output as follows:

SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 24
Policy from config file: modular-test