Next: 3 Overview of GUI
Up: SELinux Policy Editor(SEEdit) Administration
Previous: 1 What is SELinux
Contents
You have to be familiar with some SELinux background, especially
following.
- TE(Type-Enforcement)
Access control model of SELinux is called TE. In TE, process is
given domain. SELinux decides access control based on
configuration file called policy. In policy , What
kind of resource a domain is allowed to access ? is described.
To identify resources, SELinux uses label called type, but
you do not have to be worry about type, because it is hidden
in seedit world.
By giving proper domain to application and configuring domain
properly, the application have least privilege.
- Enforcing/permissive mode
SELinux have two mode, enforcing and permissive mode.
Enforcing mode is normal mode. Access control is
effective.
Permissive mode is a test mode. Even if there is a access that is
denied by SELinux, it is not actually denied, but only written to
log. In permissive mode, SELinux is effectively disabled, but
useful to test the behavior of access control.
To see current mode, you can use getenforce command. To
switch between enforcing/permissive mode, you can use setenforce command. The usage will appear later in the document.
- SELinux access denial log
Access denial is outputted in /var/log/messages in Fedora
Core5. In Fedora Core4 or using auditd service, it is outputted
to /var/log/audit/audit.log.
Next: 3 Overview of GUI
Up: SELinux Policy Editor(SEEdit) Administration
Previous: 1 What is SELinux
Contents
Yuichi Nakamura
2007-02-13