Next: 5 Then, what should
Up: SELinux Policy Editor(SEEdit) Administration
Previous: 3 Overview of GUI
Contents
After installing SEEdit, check what is happening on your system (the status of SELinux).
The simplified policy (a policy written in SPDL) is located at
/etc/seedit/policy; it is explained in a later section.
The simplified policy is converted into an SELinux policy by the
seedit-load command (inside that command, seedit-converter runs and does
the main work), and the SELinux policy (the binary SELinux policy and file_contexts) is generated.
The generated SELinux policy is located at
/etc/selinux/seedit/policy, and the generated file_contexts at /etc/selinux/seedit/contexts/files.
Usually you do not have to care about the generated policy.
The installed simplified policy is a targeted policy, not a strict policy.
It does not include RBAC support; only selected daemons are protected.
The simplified policy can support RBAC and a stricter policy, but such
policies are under construction :-) . RBAC itself is ready to use; if
you are interested in it, see the RBAC guide.
4.3 Check status of SELinux (GUI)
To check the status of SELinux, select Status from the control panel; a
window named seedit Status opens.
4.3.1 Check/Switch enforcing/permissive mode
From the SELinux tab you can check and change the mode of SELinux.
Figure 2 is a screenshot.
Figure 2: Check/change SELinux mode
If seedit Installed? shows Yes, you know that seedit is successfully
installed.
From Current mode you can see that the current mode is permissive.
You can change the current mode from this box: select Enforcing and
press the Apply button.
Mode at boot is the mode at system boot; if it is Permissive, the
system will run in permissive mode after a reboot. It is strongly
recommended to configure Enforcing when you use a real (production) system.
Some processes are given a domain, and their behavior is confined.
From Process > Working Process you can see the domain of each running
process.
Figure 3 is an example output.
Figure 3: Check domain of running processes
You can see that a process such as bash is unconfined, while httpd is confined
by the httpd_t domain.
You can also sort the result by selecting PID, Process, or Domain,
and the Refresh button updates the result.
You can see the status of network processes (processes waiting for a network
connection) from Process > Network Process.
It is important to know the status of network processes, because attackers use
network processes to intrude.
Figure 4 is an example output.
Figure 4: Check domain of network processes
From the above, you have to be especially careful about services whose domain
is unconfined.
If you create a domain, you can confine such a service, or you may decide not to run
the service at all.
You can also do the same task from the seedit-unconfined command.
You can see the status of processes with seedit-unconfined -e.
You have to be root to obtain a correct result.
The following is an example output.
$ su -
# seedit-unconfined -e
Current SELinux mode: permissive ----(1)
PID Comm Domain
1 init Unconfined(init_t) ---(2)
...
1853 sshd Confined by sshd_t ---(3)
(1) is the current SELinux mode; here it says permissive mode. Note again that the system
is not actually protected by SELinux in permissive mode. (2) says that the
process init is not confined: it is given the unconfined domain
init_t. Unconfined means that the given domain is allowed to do
everything, so the process is effectively not protected by SELinux. (3) says that sshd
is given the sshd_t domain, and the sshd_t domain is configured to confine
the behavior of sshd.
You can also see domains with the ps -eZ command, but it does not tell us which
domains are unconfined. /etc/selinux/seedit/policy/unconfined_domains will tell
you which domains are unconfined.
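The following script is an added example (not part of SEEdit) that shows how the "Confined by" / "Unconfined" status printed by seedit-unconfined -e can be reconstructed from ps -eZ output and the unconfined_domains list described above; the ps -eZ lines and the domain list are constructed sample data so the script runs offline, and on a real host you would feed it the live ps -eZ output and /etc/selinux/seedit/policy/unconfined_domains instead.

```shell
#!/bin/sh
# Added example, not SEEdit's own code: classify processes as confined or
# unconfined the way seedit-unconfined -e reports them, using "ps -eZ"
# output plus the unconfined_domains list. Sample data is constructed.

# Constructed stand-in for /etc/selinux/seedit/policy/unconfined_domains
UNCONFINED_DOMAINS='init_t
initrc_t
unconfined_t'

# Constructed stand-in for "ps -eZ" output (LABEL PID TTY TIME CMD)
PS_EZ_SAMPLE='LABEL                          PID TTY          TIME CMD
system_u:system_r:init_t         1 ?        00:00:01 init
system_u:system_r:initrc_t     820 ?        00:00:00 smbd
system_u:system_r:sshd_t      1853 ?        00:00:00 sshd
system_u:system_r:httpd_t     2001 ?        00:00:00 httpd
user_u:user_r:unconfined_t    2310 pts/0    00:00:00 bash'

# The type (domain) is the third colon-separated field of a context;
# cut also copes with a trailing MLS field such as ":s0".
domain_of_label() {
    printf '%s' "$1" | cut -d: -f3
}

# Print the status of one domain, worded as seedit-unconfined words it.
classify_domain() {
    if printf '%s\n' "$UNCONFINED_DOMAINS" | grep -qx "$1"; then
        printf 'Unconfined(%s)\n' "$1"
    else
        printf 'Confined by %s\n' "$1"
    fi
}

# Read ps -eZ lines on stdin and print "PID Comm Status" for each process.
report() {
    printf 'PID Comm Domain\n'
    while read -r label pid tty cputime comm; do
        [ "$label" = "LABEL" ] && continue      # skip the ps header line
        printf '%s %s %s\n' "$pid" "$comm" \
            "$(classify_domain "$(domain_of_label "$label")")"
    done
}

# Names of the processes running unconfined: the list to review first.
list_unconfined() {
    report | awk '/Unconfined\(/ { print $2 }'
}

printf '%s\n' "$PS_EZ_SAMPLE" | report
```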
You can see the status of network processes (processes waiting for a network
connection) with seedit-unconfined -n.
It is important to know the status of network processes, because attackers use
network processes to intrude.
Sample output follows.
# seedit-unconfined -n
Current SELinux mode: permissive ----(1)
/usr/sbin/smbd Unconfined(initrc_t) -- (2)
/usr/sbin/sendmail.sendmail Confined by sendmail_t --(3)
...
This is like AppArmor's unconfined command.
(1) is the current SELinux mode. After that, the network programs are listed.
(2) says that smbd is not confined. (3) says that
sendmail is confined by the domain sendmail_t.
4.4.3 Switching enforcing/permissive mode
After installation the system is in permissive mode. You can switch to enforcing
mode with the following commands.
# setenforce 1
# getenforce
Enforcing
If you want the system to be in enforcing mode at boot time, you have to modify
/etc/selinux/config as follows. This is strongly recommended when you
use a real (production) system.
SELINUX=permissive
-->
SELINUX=enforcing
Yuichi Nakamura
2007-02-13