Kernel Korner - NSA Security Enhanced Linux
SE Linux can be run in one of two modes, permissive or enforcing. Permissive mode is used for debugging purposes as everything gets logged, but SE Linux is not actually enforcing your policies. You still can do things as root that you could do on a regular Linux system. It is best to run your machine in permissive mode until you are satisfied that all your policies are correct. Labels are assigned to objects on the system, but nothing is enforced.
Enforcing mode applies the policies you have configured, such as access restrictions. You should boot in to enforcing mode only when you are convinced that everything is working properly, after running in permissive mode for a while. Remember, if your kernel is compiled with no development support, you cannot specify permissive mode. If your kernel is compiled with development mode support turned on, it means that your machine boots into permissive mode, but you have to switch it to enforcing mode manually. This can be done easily by creating a startup script.
Alternatively, you can make a link between /etc/rc.boot/avc and /sbin/avc_toggle. Another option is to specify enforcing=1 on the kernel command line. The avc_toggle command can be used to switch between permissive and enforcing mode, and the avc_enforcing command can be used to determine whether you are in enforcing mode.
Hopefully this article has you interested in trying out SE Linux. I have omitted installation instructions deliberately, as you can install with RPMs, source tarballs or Debian packages. Including even the basics of each here would fill an entire article. There's quite a lot to learn before, during and after installation, and new users often find themselves rather confused. If you read the documents referred to in the Resources section before you do anything else and become familiar with frequently used terms, you should find it a little easier. If you get stuck, fire up your favorite IRC client and go over to channel #selinux on irc.debian.org, or subscribe to the SE Linux mailing list.
Flask (Flux Advanced Security Kernel): www.cs.utah.edu/flux/flask
Getting Started with SE Linux HOWTO: sourceforge.net/docman/display_doc.php?docid=15285&group_id=21266
NSA Official SE Linux Site: www.nsa.gov/selinux
NSA SE Linux FAQ: www.nsa.gov/selinux/faq.html
NSA SE Linux White Papers: www.nsa.gov/selinux/docs.html
SE Linux Mailing List: www.nsa.gov/selinux/list.html
SE Linux Mailing List Archives: marc.theaimsgroup.com/?l=selinux
SourceForge SE Linux Project Page: sourceforge.net/projects/selinux
Faye Coker currently works as a freelance systems administrator and often finds herself running the systems at ISPs and converting servers to Linux. She has worked in Europe and Australia. She also has been asked “are you lost?” far too many times at Linux conferences.
|PostgreSQL, the NoSQL Database||Jan 29, 2015|
|HPC Cluster Grant Accepting Applications!||Jan 28, 2015|
|Sharing Admin Privileges for Many Hosts Securely||Jan 28, 2015|
|Red Hat Enterprise Linux 7.1 beta available on IBM Power Platform||Jan 23, 2015|
|Designing with Linux||Jan 22, 2015|
|Wondershaper—QOS in a Pinch||Jan 21, 2015|
- PostgreSQL, the NoSQL Database
- Sharing Admin Privileges for Many Hosts Securely
- HPC Cluster Grant Accepting Applications!
- Designing with Linux
- Wondershaper—QOS in a Pinch
- January 2015 Issue of Linux Journal: Security
- Internet of Things Blows Away CES, and it May Be Hunting for YOU Next
- Ideal Backups with zbackup
- Red Hat Enterprise Linux 7.1 beta available on IBM Power Platform
- Slow System? iotop Is Your Friend