Kernel Korner - NSA Security Enhanced Linux
SE Linux can be run in one of two modes, permissive or enforcing. Permissive mode is used for debugging purposes as everything gets logged, but SE Linux is not actually enforcing your policies. You still can do things as root that you could do on a regular Linux system. It is best to run your machine in permissive mode until you are satisfied that all your policies are correct. Labels are assigned to objects on the system, but nothing is enforced.
Enforcing mode applies the policies you have configured, such as access restrictions. You should boot in to enforcing mode only when you are convinced that everything is working properly, after running in permissive mode for a while. Remember, if your kernel is compiled with no development support, you cannot specify permissive mode. If your kernel is compiled with development mode support turned on, it means that your machine boots into permissive mode, but you have to switch it to enforcing mode manually. This can be done easily by creating a startup script.
Alternatively, you can make a link between /etc/rc.boot/avc and /sbin/avc_toggle. Another option is to specify enforcing=1 on the kernel command line. The avc_toggle command can be used to switch between permissive and enforcing mode, and the avc_enforcing command can be used to determine whether you are in enforcing mode.
Hopefully this article has you interested in trying out SE Linux. I have omitted installation instructions deliberately, as you can install with RPMs, source tarballs or Debian packages. Including even the basics of each here would fill an entire article. There's quite a lot to learn before, during and after installation, and new users often find themselves rather confused. If you read the documents referred to in the Resources section before you do anything else and become familiar with frequently used terms, you should find it a little easier. If you get stuck, fire up your favorite IRC client and go over to channel #selinux on irc.debian.org, or subscribe to the SE Linux mailing list.
Flask (Flux Advanced Security Kernel): www.cs.utah.edu/flux/flask
Getting Started with SE Linux HOWTO: sourceforge.net/docman/display_doc.php?docid=15285&group_id=21266
NSA Official SE Linux Site: www.nsa.gov/selinux
NSA SE Linux FAQ: www.nsa.gov/selinux/faq.html
NSA SE Linux White Papers: www.nsa.gov/selinux/docs.html
SE Linux Mailing List: www.nsa.gov/selinux/list.html
SE Linux Mailing List Archives: marc.theaimsgroup.com/?l=selinux
SourceForge SE Linux Project Page: sourceforge.net/projects/selinux
Faye Coker currently works as a freelance systems administrator and often finds herself running the systems at ISPs and converting servers to Linux. She has worked in Europe and Australia. She also has been asked “are you lost?” far too many times at Linux conferences.
- Readers' Choice Awards 2013
- Mars Needs Women
- RSS Feeds
- Sublime Text: One Editor to Rule Them All?
- December 2013 Issue of Linux Journal: Readers' Choice
- Raspberry Pi: the Perfect Home Server
- IBM Will Minimize Impact of Future Disasters
- Linux Systems Administrator
- Senior Perl Developer
- Tech Tip: Really Simple HTTP Server with Python
- So girls had it better ?
2 hours 7 min ago
- Reply to comment | Linux Journal
2 hours 27 min ago
- why is GNOME 3 in the fifth position at 14.1 %?
8 hours 11 sec ago
- Sublime Is Brilliant!
13 hours 3 min ago
13 hours 22 min ago
- Rapid[Disk,Cache] better than native ram caching?
13 hours 47 min ago
- Nothing is perfect
14 hours 39 sec ago
- Mixtapes Community
19 hours 39 min ago
- KDE is one true DE
20 hours 14 min ago
- Command Line Shells (Bash, Zsh, etc.) are 2nd place
20 hours 42 min ago