Kernel Korner - NSA Security Enhanced Linux
SE Linux can be run in one of two modes, permissive or enforcing. Permissive mode is used for debugging purposes as everything gets logged, but SE Linux is not actually enforcing your policies. You still can do things as root that you could do on a regular Linux system. It is best to run your machine in permissive mode until you are satisfied that all your policies are correct. Labels are assigned to objects on the system, but nothing is enforced.
Enforcing mode applies the policies you have configured, such as access restrictions. You should boot in to enforcing mode only when you are convinced that everything is working properly, after running in permissive mode for a while. Remember, if your kernel is compiled with no development support, you cannot specify permissive mode. If your kernel is compiled with development mode support turned on, it means that your machine boots into permissive mode, but you have to switch it to enforcing mode manually. This can be done easily by creating a startup script.
Alternatively, you can make a link between /etc/rc.boot/avc and /sbin/avc_toggle. Another option is to specify enforcing=1 on the kernel command line. The avc_toggle command can be used to switch between permissive and enforcing mode, and the avc_enforcing command can be used to determine whether you are in enforcing mode.
Hopefully this article has you interested in trying out SE Linux. I have omitted installation instructions deliberately, as you can install with RPMs, source tarballs or Debian packages. Including even the basics of each here would fill an entire article. There's quite a lot to learn before, during and after installation, and new users often find themselves rather confused. If you read the documents referred to in the Resources section before you do anything else and become familiar with frequently used terms, you should find it a little easier. If you get stuck, fire up your favorite IRC client and go over to channel #selinux on irc.debian.org, or subscribe to the SE Linux mailing list.
Flask (Flux Advanced Security Kernel): www.cs.utah.edu/flux/flask
Getting Started with SE Linux HOWTO: sourceforge.net/docman/display_doc.php?docid=15285&group_id=21266
NSA Official SE Linux Site: www.nsa.gov/selinux
NSA SE Linux FAQ: www.nsa.gov/selinux/faq.html
NSA SE Linux White Papers: www.nsa.gov/selinux/docs.html
SE Linux Mailing List: www.nsa.gov/selinux/list.html
SE Linux Mailing List Archives: marc.theaimsgroup.com/?l=selinux
SourceForge SE Linux Project Page: sourceforge.net/projects/selinux
Faye Coker currently works as a freelance systems administrator and often finds herself running the systems at ISPs and converting servers to Linux. She has worked in Europe and Australia. She also has been asked “are you lost?” far too many times at Linux conferences.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Server Hardening
- EnterpriseDB's EDB Postgres Advanced Server and EDB Postgres Enterprise Manager
- The Death of RoboVM
- BitTorrent Inc.'s Sync
- The Humble Hacker?
- The US Government and Open-Source Software
- Open-Source Project Secretly Funded by CIA
- New Container Image Standard Promises More Portable Apps
- Canonical and BQ's Aquaris M10 Ubuntu Edition Tablet
- ACI Worldwide's UP Retail Payments