Next: 5 Then, what should
Up: SELinux Policy Editor(seedit) Administration
Previous: 3 Overview of GUI
Contents
Subsections
After install, you have to see what's happening(status of SELinux) on your system.
Simplified policy(policy described by SPDL) is located at
/etc/seedit/policy, it is explained in later section.
Simplified Policy is converted into SELinux
policy by seedit-load command(inside the command, seedit-converter runs,
it does main task), and SELinux Policy(binary SELinux policy,file_contexts is generated).
Generated SELinux policy is located at
/etc/selinux/seedit/policy, generated file_contexts is at /etc/selinux/seedit/contexts/files.
Usually, you do not have to care about generated policy.
Installed simplified policy is a targeted one. Not strict policy.
It does not include RBAC support. Only selected daemons are protected.
Simplified policy can support RBAC and more strict policy, but such
policies are under construction :-) .About RBAC, it is ready to use, if
you are interested in it, see RBAC guide.
4.3 Check status of SELinux(GUI)
To check status of SELinux, select Status from control panel, then
window namedseedit Status opens.
4.3.1 Check/Switch enforcing/permissive mode
From SELinux tab, you can check/change mode of SELinux.
Figure 2 is screenshot.
Figure 2:
Check/change SELinux mode
|
By seedit Installed? Yes, you can know seedit is successfully
installed.
From Current mode, you can see current mode is permissive mode.
You can change current mode from this box, select Enforcing and
press Apply button.
Mode at boot is mode at system boot, if it is Permissive,
after reboot, system will run as permissive mode. It is strongly
recommended to configure as Enforcing when you use real system.
Some processes are given domain and behavior is confined.
From processWorking Process, you can see domain of running
process.
Fig 3 is example output.
Figure 3:
Check domain of running processes
|
You can see such process as bash is unconfined, and httpd is confined
by httpd_t domain.
You can also sort result by selecting PID, Process, Domain.
And by Refresh button, result is updated.
You can see status of network process(that is waiting network
connection) from processNetwork Process
It is important to know status of network process. Because attackers use
network process to intrude.
Fig 4 is example output.
Figure 4:
Check domain of network processes
|
From above, You have to be especially careful to service whose domain
is unconfined.
If you create domain, you can confine it, or you may decide not to run
the service.
You can also do the same task from seedit-unconfined command.
You can see status of processes by seedit-unconfined -e.
You have to be root to obtain correct result.
Following is example output.
$ su -
# seedit-unconfined -e
Current SELinux mode: permissive ----(1)
PID Comm Domain
1 init Unconfined(init_t) ---(2)
...
1853 sshd Confined by sshd_t ---(3)
(1) is current SELinux mode this says permissive mode. Note again that system
is not actually protected by SELinux in permissive mode.(2) says
process init is not unconfined, and given unconfined domain
init_t. unconfined means: the given domain is allowed
everything, and effectively not protected by SELinux. (3) says sshd
is given sshd_t domain and sshd_t domain is configured to confine
behavior of sshd.
You can also see domains by ps -eZ command, but it does not tell us what
kind of domains are
unconfined. /etc/selinux/seedit/policy/unconfined_domains will tell
you what kind domains are unconfined.
You can see status of network process(that is waiting network
connection), by seedit-unconfined -n.
It is important to know status of network process. Because attackers use
network process to intrude.
Sample output is following.
#seedit-unconfined -n
Current SELinux mode: permissive ----(1)
/usr/sbin/smbd Unconfined(initrc_t) -- (2)
/usr/sbin/sendmail.sendmail Confined by sendmail_t --(3)
...
It is like AppArmor's unconfined command.
(1) is current SELinux mode. After network programs are shown.
(2) says smbd is not confined. (3) says
sendmail is confined by domain sendmail_t.
4.4.3 Switching enforcing/permissive mode
After install system is permissive mode. you can switch to enforcing
mode by following commands.
# setenforce 1
# getenforce
enforcing
If you want to be enforcing mode in boot time, you have to modify
/etc/selinux/config like following. It is strongly recommended when you
use real system.
SELinux=permissive
-->
SELINUX=enforcing
Next: 5 Then, what should
Up: SELinux Policy Editor(seedit) Administration
Previous: 3 Overview of GUI
Contents
2006-07-05