Breaking

SELinux



When a subject (an application) attempts to access an object (a file), the policy enforcement server in the kernel checks an access vector cache (AVC), where application and object permissions are cached. Permission is then granted or denied, with an avc: denied message detailed in "/var/log/messages" if permission is denied.





SELinux Configuration File


The primary configuration file of SELinux is "/etc/sysconfig/selinux", in which we can enable or disable SELinux. This file controls the state of SELinux on the system.

SELinux can take one of these three values:

enforcing - SELinux security policy is enforced.

permissive - SELinux prints warnings instead of enforcing. This is useful for debugging and troubleshooting purposes. In permissive mode, more denials are logged because subjects can continue with actions that would otherwise be denied in enforcing mode.

disabled - No SELinux policy is loaded.
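The avc: denied messages mentioned above are what you actually work from when a confined daemon misbehaves, whether they land in /var/log/messages or in the audit log. The following script is an added example, not part of the original post: it parses a few constructed AVC records (in the kernel's audit record format, with the permissive= field) and reduces each denial to who was denied what on which target type, and whether the kernel blocked the action or only logged it, as happens in permissive mode.

```shell
#!/bin/sh
# Constructed sample AVC records; not captured from a real system.
AVC_SAMPLE='type=AVC msg=audit(1700000000.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.456:46): avc:  denied  { write } for  pid=1234 comm="httpd" name="cache" dev="sda1" ino=5679 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000001.789:47): avc:  denied  { name_connect } for  pid=2345 comm="named" dest=53 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:dns_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000001.789:47): arch=c000003e syscall=42 success=no'

# Read log lines on stdin, keep only AVC denials, and print one summary
# line per denial: command (source type) denied permission on target type:class.
avc_summary() {
    awk '/avc: +denied/ {
        perm = ""; comm = ""; st = ""; tt = ""; tc = ""; pm = "?"
        # The permission set is written as "{ read }" or "{ read write }".
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            # Contexts are user:role:type:level; the type is what the policy keys on.
            else if (kv[1] == "scontext") { split(kv[2], c, ":"); st = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
            else if (kv[1] == "tclass") tc = kv[2]
            # permissive=1 means the access went ahead and was only logged.
            else if (kv[1] == "permissive") pm = (kv[2] == "1") ? "logged-only" : "blocked"
        }
        printf "%s (%s) denied %s on %s:%s [%s]\n", comm, st, perm, tt, tc, pm
    }'
}

# Count the denials that were actually enforced (permissive=0).
avc_count_blocked() {
    grep -c 'avc: *denied.*permissive=0' || true
}

printf '%s\n' "$AVC_SAMPLE" | avc_summary
```

Piping a real log through avc_summary gives the same one-line-per-denial view; a denial tagged logged-only is one you would have hit in enforcing mode.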





Commands


/usr/sbin/setenforce — This command modifies in real-time the mode in which SELinux runs.

setenforce 1 — SELinux runs in enforcing mode.
setenforce 0 — SELinux runs in permissive mode.


SELinux Types


The SELinux policy type can take one of these two values:

targeted - Targeted processes are protected.

mls - Multi Level Security protection.

The following daemons are protected in the default targeted policy: "dhcpd, httpd (apache.te), named, nscd, ntpd, portmap, snmpd, squid, and syslogd". The rest of the system runs in the unconfined_t domain.

Setting a targeted daemon's disable_trans Boolean (for example dhcpd_disable_trans) to 1 disables SELinux protection for that daemon; setting it back to 0 re-enables it.
Use the getsebool -a command to list all SELinux booleans.

# setsebool -P dhcpd_disable_trans=0

The -P option makes the change permanent. Without this option, the change is lost at reboot and the boolean would be reset to 1.
