next up previous contents
Next: 3 Overview of GUI Up: SELinux Policy Editor(seedit) Administration Previous: 1 What is SELinux   Contents

2 Background of SELinux

You have to be familiar with some SELinux background, especially following.
  1. TE(Type-Enforcement)
    Access control model of SELinux is called TE. In TE, process is given domain. SELinux decides access control based on configuration file called policy. In policy , What kind of resource a domain is allowed to access ? is described. To identify resources, SELinux uses label called type, but you do not have to be worry about type, because it is hidden in seedit world. By giving proper domain to application and configuring domain properly, the application have least privilege.

  2. Enforcing/permissive mode
    SELinux have two mode, enforcing and permissive mode. Enforcing mode is normal mode. Access control is effective.
    Permissive mode is a test mode. Even if there is a access that is denied by SELinux, it is not actually denied, but only written to log. In permissive mode, SELinux is effectively disabled, but useful to test the behavior of access control. To see current mode, you can use getenforce command. To switch between enforcing/permissive mode, you can use setenforce command. The usage will appear later in the document.
  3. SELinux access denial log
    Access denial is outputted in /var/log/messages in Fedora Core5. In Fedora Core4 or using auditd service, it is outputted to /var/log/audit/audit.log.


next up previous contents
Next: 3 Overview of GUI Up: SELinux Policy Editor(seedit) Administration Previous: 1 What is SELinux   Contents
2006-07-05