| At this point we'll assume your SELinux system has been installed and that you are ready to log in. This chapter lays out the first administrative tasks you need to do and some ongoing administrative tools you'll want to know about as you continue to add software and users to your system. As with any multiuser system, you have to create accounts for users and assign them the proper privileges. In SELinux these tasks are not much more complicated than in other systems, although you'll have to learn some new commands to carry them out. And in the future, after SELinux has become widely adopted, the wrinkles have been ironed out, and thoroughly tested policy files are available, these typical sysadmin tasks may be all that's involved for most people running SELinux. But unfortunately , we are not yet at that stage of maturity. As explained in earlier chapters, each release of SELinux on each distribution has its own rough spots. These will be manifested in various hard-to-diagnose ways, including: -
Users being unable to log in -
Users logging in but having their X desktops or particular applications freeze -
Applications failing (silently or with obnoxious complaints) because they cannot access files or other necessary resources Thus, basic sysadmin tasks for SELinux include checking log files and tracing what has happened to users and applications. This chapter contains a substantial section to help you understand SELinux logging and make use of that information to change permissions on users and files. Furthermore, SELinux has a built-in troubleshooting method known as permissive mode to help you figure out what changes to make. In permissive mode, SELinux does not actually stop anybody from doing anything. In other words, you do not actually have a secure SELinux system. (Traditional Unix security is still operational, though.) You should learn how to switch to and from permissive mode ”on a non-production system in a safe environment, of course ”in order to find out what changes you need to make in order to let users and applications run on your system. When you make changes to your system, you may have to rebuild the policy files SELinux uses to control access or relabel files. Sometimes you can install software seamlessly, and SELinux automatically does the right thing. But in other cases, the policies or labels become out of sync with the system. The topics in this chapter include: -
Permissive mode -
Rebuilding policies -
Labeling files -
Routine system administration (changing roles, adding users, and checking file contexts) -
Monitoring SELinux through log files -
Miscellaneous troubleshooting Some administrative tasks go beyond the use of SELinux commands and require you to actually change SELinux policy files. These will be the subjects of several later chapters. | 