At this point we’ll assume your SELinux system has been installed and that you are ready to log in. This chapter lays out the first administrative tasks you need to do and some ongoing administrative tools you’ll want to know about as you continue to add software and users to your system.
As with any multiuser system, you have to create accounts for users and assign them the proper privileges. In SELinux these tasks are not much more complicated than in other systems, although you’ll have to learn some new commands to carry them out. And in the future, after SELinux has become widely adopted, the wrinkles have been ironed out, and thoroughly tested policy files are available, these typical sysadmin tasks may be all that’s involved for most people running SELinux.
But unfortunately, we are not yet at that stage of maturity. As explained in earlier chapters, each release of SELinux on each distribution has its own rough spots. These will be manifested in various hard-to-diagnose ways, including:
Users being unable to log in
Users logging in but having their X desktops or particular applications freeze
Applications failing (silently or with obnoxious complaints) because they cannot access files or other necessary resources
Thus, basic sysadmin tasks for SELinux include checking log files and tracing what has happened to users and applications. This chapter contains a substantial section to help you understand SELinux logging and make use of that information to change permissions on users and files.
Furthermore, SELinux has a built-in troubleshooting method known as permissive mode to help you figure out what changes to make. In permissive mode, SELinux does not actually stop anybody from doing anything. In other words, you do not actually have a secure SELinux system. (Traditional Unix security is still operational, though.) You should learn how to switch to and from permissive mode—on a non-production system in a safe environment, of course—in order to find out what changes you need to make in order to let users and applications run on your system.
When you make changes to your system, you may have to rebuild the policy files SELinux uses to control access or relabel files. Sometimes you can install software seamlessly, and SELinux automatically does the right thing. But in other cases, the policies or labels become out of sync with the system.
The topics in this chapter include:
Routine system administration (changing roles, adding users, and checking file contexts)
Monitoring SELinux through log files
Some administrative tasks go beyond the use of SELinux commands and require you to actually change SELinux policy files. These will be the subjects of several later chapters.
As mentioned, SELinux provides a special mode called permissive mode that’s useful for policy troubleshooting and system maintenance. SELinux’s other operating mode is called enforcing mode (sometimes called enforcement mode). Enforcing mode is the normal mode of SELinux operation. Under enforcing mode, operations that violate the SELinux security policy are prevented. Generally, when an operation is prevented, an entry is also written to the system log so that a system administrator can learn what operations have been prevented and why. Some operations may be prevented due to an incorrect or incomplete SELinux security policy, whereas others may be prevented due to an attempted system compromise. The system log provides administrators with data useful in determining the reason operations were prevented so that appropriate action can be taken. The section of this chapter titled “Monitoring SELinux” explains the format of the log entries made by SELinux.
Permissive mode is available only if your system’s kernel was compiled with the option NSA SELinux Development support. Generally, Linux vendors compile their standard kernels with this option. However, if you compiled your own kernel, you may have omitted the option, in which case permissive mode won’t be available.
If you’re especially concerned about the security of your system, you may prefer to compile a kernel without the NSA SELinux Development support option. Doing so ensures that the system always operates in enforcing mode. However if you do so, you may find it cumbersome to administer the system. For instance, you may install a new software package and find that the associated policy file isn’t quite accurate or complete, causing the application to operate imperfectly. Without the ability to enter permissive mode, it may be difficult to troubleshoot and correct the problems with the policy file.
Permissive mode is used when configuring, testing, and troubleshooting SELinux and the SELinux security policy. Under permissive mode, SELinux permits all operations, even those that violate the SELinux security policy. Nevertheless, SELinux writes log entries that would have been written had the system been in enforcing mode. Permissive mode enables a system administrator to observe the effects of experimental SELinux security policies without affecting the operation of the system. SELinux includes a special utility, Audit2allow, that can recommend SELinux policy changes based on log entries; the section of this chapter titled “Monitoring SELinux” explains this utility and how to use it to revise the SELinux security policy.
Because an SELinux system operating in permissive mode does not prevent operations that violate its security policy, you generally should not put an SELinux system that resides in a hostile environment into permissive mode. Before putting the system into permissive mode, you should relocate it to a protected network, shut down vulnerable services, restrict remote logins, or otherwise secure the system.