Getting Familiar with SELinux and SELinux Features
At this point, there is some value in experimenting with an SELinux system. For our examples, we use a Fedora Core 4 release with the strict policy. Most of these examples should run largely unchanged on Red Hat Enterprise Linux version 4 or Fedora Core 5. You may be able to run them on another release, although the details may differ slightly. "Getting SELinux example policy" describes how to obtain the policy files and other resources used as examples throughout this book, and describes how to configure your system accordingly.
Running in Permissive Mode
SELinux can run in permissive mode, in which access checks still occur, but access that the policy does not allow is not blocked; it is only logged. This mode is very useful when you are first learning SELinux, and you may want to explore the system in this mode. Of course, if you want the security benefit of SELinux access control, permissive mode should not be used on an operational system. Note that some of the tools are located in /usr/sbin, which is usually not in an ordinary user's path.
The simplest way to query the current SELinux mode is to run the getenforce command. To set the system to permissive mode, run the setenforce 0 command. (You must be logged in as the root user in the sysadm_t domain to change the system to permissive mode.) To return to enforcing mode, run setenforce 1. (Because you are in permissive mode, you need to be logged in as root to change the system back to enforcing mode.)
We have mentioned the -Z option that was added to system commands. With it, commands such as ls and ps display the security context of files and processes. As an exercise, run the commands ps -Z and ls -Z to check the security contexts of various running processes and executable files.
Revisiting the Password Program Example
Throughout this section, we use the shadow password file and the password program as our example. If you examine the security contexts of these two files, their types should be shadow_t and passwd_exec_t. As discussed earlier, passwd_exec_t is the entrypoint type for the passwd_t domain. To see how the domain transition works, run the following commands. You need two terminal windows or virtual consoles to run them.
In the first window, run the passwd command
This command starts the password program and prompts the user to enter the password. Do not enter the password, but switch to the second terminal. On the second terminal, run the su command to switch to the root user, and then run the ps command:
As you can see, the type of the running password program is passwd_t, as described in the example above.
Examining the Policy File
In the FC4 system, the binary file containing the kernel policy is placed under the well-known directory /etc/selinux. The configuration file (config) in that directory specifies the policy to be used and loaded at startup. You can also configure the system to start in permissive mode in this file. In our examples, we use the strict policy of FC4, which should be at this location:
/etc/selinux/strict/policy/policy.[ver]
Here [ver] is the policy version, which maps to the version of the SELinux policy compiler (checkpolicy). In our example, the version is 19. Configuring an SELinux system from the policy source and creating a kernel policy file will be discussed in detail in the third part. For now, we want to check what is in the policy file.
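The config file and policy file location described above can be checked with a short script. This is an added example, not code from the book: the function names are hypothetical, and it assumes the config file uses the SELINUX= and SELINUXTYPE= keys and that the tree follows the layout shown above.

```shell
# Added example (not from the original text). Sample use: selinux_audit /etc/selinux
# Assumes the layout ROOT/config and ROOT/<SELINUXTYPE>/policy/policy.<ver>.

# Print the value assigned to KEY in FILE. Comment lines are skipped, trailing
# comments and whitespace (including CR) are dropped, the last assignment wins.
selinux_cfg_get() {   # usage: selinux_cfg_get KEY FILE
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$2" | tail -n 1
}

# Report the boot-time mode and the binary policy that would be loaded.
# Returns 0 if enforcing with a policy present, 1 on a warning, 2 on an error.
selinux_audit() {     # usage: selinux_audit [ROOT]   (default /etc/selinux)
    root=${1:-/etc/selinux}
    cfg=$root/config
    [ -r "$cfg" ] || { echo "FAIL: $cfg is not readable"; return 2; }
    mode=$(selinux_cfg_get SELINUX "$cfg")
    ptype=$(selinux_cfg_get SELINUXTYPE "$cfg")
    rc=0
    case $mode in
        enforcing)  echo "OK: boot mode is enforcing" ;;
        permissive) echo "WARN: boot mode is permissive (denials logged, not enforced)"; rc=1 ;;
        disabled)   echo "WARN: SELinux is disabled at boot"; rc=1 ;;
        *)          echo "FAIL: SELINUX='$mode' is not a valid mode"; rc=2 ;;
    esac
    # Pick the highest-numbered policy.<ver> file for the configured policy.
    pol=$(ls "$root/$ptype/policy" 2>/dev/null | grep '^policy\.[0-9][0-9]*$' |
          sort -t. -k2 -n | tail -n 1)
    if [ -n "$ptype" ] && [ -n "$pol" ]; then
        echo "OK: policy '$ptype' -> $root/$ptype/policy/$pol"
    else
        echo "FAIL: no binary policy found for SELINUXTYPE='$ptype'"; rc=2
    fi
    # Show the running mode too when getenforce is installed.
    if command -v getenforce >/dev/null 2>&1; then
        echo "INFO: running mode is $(getenforce)"
    fi
    return $rc
}
```

A difference between the boot mode reported here and the running mode means someone has used setenforce since startup, or the config file was edited without a reboot.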
A useful tool for viewing the contents of a policy file is the policy analysis tool apol, which was created by Tresys Technology and is released in the SELinux toolkit known as SETools. The SETools package is included in most SELinux releases. Run the apol command to check whether the tool exists on your system. If it does not, Appendix D provides information on how to obtain the SETools package.
Apol is a sophisticated SELinux policy analysis tool. Throughout this book, we will use it to analyze SELinux policy files. For now, we want to use its basic functions to view a summary of the policy file. Run apol and open the strict policy file. Under the menu item Query > Policy Summary, you can view an overview of the policy statistics.
Apol has a series of main tabs (Policy Components, Policy Rules, Analysis, and so on) that let you query and analyze policies in multiple ways. Take some time to explore the Policy Components and Policy Rules tabs, and become familiar with these two parts of the policy and with the apol tool. You will find it useful to use apol to analyze your policies and examples. In our "SELinux policy language" section.