At this point, there is some value in experimenting with an SELinux system. For our examples, we use a release version of Fedora Core 4 with the strict policy. Most of these examples will also run on Red Hat Enterprise Linux version 4 or Fedora Core 5, and, with some differences, you may be able to run them on other distributions. "Get SELinux Example Policy" describes how to obtain the policy files and other resources used as examples throughout our book, and how you should configure your system accordingly.
Running in permissive mode:
SELinux can run in permissive mode, where access checks still occur but, instead of denying access that is not allowed, SELinux simply audits it. This mode is very useful when you first study SELinux, and you may want to explore the system in this mode. Of course, if you want the enhanced access control security of SELinux, permissive mode should not be used on an operational system. Note that some of the tools are found in /usr/sbin, which is usually not in a normal user's path.
The simplest way to query the current SELinux mode is to run the getenforce command. To set the system to permissive mode, run the command setenforce 0. (You must be logged in as root, in the sysadm_t domain, to change the system to permissive mode.) To put the system back into enforcing mode, run the command setenforce 1. (Because you are in permissive mode, you only need to be logged in as root to change the system to enforcing mode.)
We have mentioned the -Z option that was added to system commands. Commands such as ls and ps use it to display the security context of files and processes. As an exercise, run the commands ps -Z and ls -Z to examine the security contexts of a variety of running processes and executables.
Revisiting the password program example
Throughout this chapter, we have used the shadow password file and the password program as examples. If you examine the security contexts of these two files, their types should be shadow_t and passwd_exec_t, respectively. As discussed earlier, passwd_exec_t is the entrypoint type for the passwd_t domain. To see how domain transitions work, run the following commands. You need two terminal windows or virtual consoles to run them.
In the first window, run the passwd command
This command starts the password program and prompts the user to enter a password. Instead of entering a password, switch to the second terminal. In the second terminal, use the su command to switch to the root user and then run the ps command:
As you can see, the type of the running password program is passwd_t, as described in the example in the previous section.
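The checks from the passwd exercise above, as an added example that is not from the original text: a shell helper that extracts the type field from ps -Z or ls -Z listings and confirms the three types named in this section. The sample listings are constructed, and the function names (selinux_type, expect_type, verify_passwd_example) are hypothetical.

```shell
#!/bin/sh
# Added example: pull the SELinux type out of `ps -Z` / `ls -Z` listings.
# Function names are hypothetical; both sample listings are constructed.

# selinux_type NAME: read listing lines on stdin. For each line whose last
# field is NAME (command name or file path), print the type field of the
# first user:role:type[:level] context on that line.
selinux_type() {
    awk -v name="$1" '
        BEGIN { id = "[A-Za-z_][A-Za-z0-9_]*"
                ctx = "^" id ":" id ":" id "(:|$)" }
        $NF == name {
            for (i = 1; i < NF; i++)
                if ($i ~ ctx) { split($i, part, ":"); print part[3]; break }
        }'
}

# expect_type LISTING NAME WANT: succeed only if NAME is present in LISTING
# and every matching entry has type WANT.
expect_type() {
    got=$(printf '%s\n' "$1" | selinux_type "$2" | sort -u)
    [ "$got" = "$3" ]
}

# Constructed `ps -Z` output: contexts without and with a level field.
PS_SAMPLE='LABEL                       PID TTY      TIME     CMD
user_u:user_r:user_t       2301 pts/1    00:00:00 bash
user_u:user_r:passwd_t     2345 pts/1    00:00:00 passwd
root:sysadm_r:sysadm_t:s0  2360 pts/2    00:00:00 ps'

# Constructed `ls -Z` output for the two files discussed above.
LS_SAMPLE='-r--------  root root system_u:object_r:shadow_t         /etc/shadow
-r-s--x--x  root root system_u:object_r:passwd_exec_t:s0 /usr/bin/passwd'

# The three facts the exercise demonstrates: file types and process domain.
verify_passwd_example() {
    expect_type "$LS_SAMPLE" /etc/shadow     shadow_t      &&
    expect_type "$LS_SAMPLE" /usr/bin/passwd passwd_exec_t &&
    expect_type "$PS_SAMPLE" passwd          passwd_t
}

if verify_passwd_example; then
    echo "passwd runs in passwd_t; file types match the text"
else
    echo "unexpected security context" >&2
fi
```

On a live system, pipe real output into the helper instead of the samples, for example ps -eZ | selinux_type passwd while the passwd prompt is still waiting in the first terminal.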
Examining the policy file
In the FC4 system, the binary files containing the kernel policy are placed under the well-known directory /etc/selinux/. The configuration file (config) in that directory indicates the policy to be used and loaded at startup. You can also configure the system in this file to start in permissive mode. In our case, we use FC4's strict policy, which should be at this location:
/etc/selinux/strict/policy/policy.[ver]
The policy version corresponds to the version of the SELinux policy compiler (checkpolicy). In our case, the version is 19. Configuring an SELinux system from the policy source and creating a kernel policy file will be discussed in detail in the third section. For now, we want to see what is in the policy file.
A useful tool for viewing the contents of a policy file is the policy analysis tool apol, which was created by Tresys Technology and released in its SELinux toolkit, known as SETools. The SETools package is included in most SELinux distributions. Run the command apol to check whether the tool is present on your system. If it is not, Appendix D provides information on how to obtain the SETools package.
The apol tool is a sophisticated SELinux policy analysis tool that we will use to analyze SELinux policy files throughout the book. For now, we want to use its basic functionality to view a summary of the policy file. Run apol and open the strict policy file. From the menu Query->Policy Summary, you can view an overview of the policy statistics.
Apol has a series of main tabs (Policy Components, Policy Rules, Analysis, etc.) that help you query and analyze policies in many ways. Take some time to explore the Policy Components and Policy Rules tabs, and familiarize yourself with these two parts of the policy and with the apol tool. You will find it useful to use apol to examine your policies and the examples in the "SELinux Policy Language" section later in this chapter.
SELinux functionality is familiar