| As mentioned, SELinux provides a special mode called permissive mode that's useful for policy troubleshooting and system maintenance. SELinux's other operating mode is called enforcing mode (sometimes called enforcement mode ). Enforcing mode is the normal mode of SELinux operation. Under enforcing mode, operations that violate the SELinux security policy are prevented. Generally , when an operation is prevented, an entry is also written to the system log so that a system administrator can learn what operations have been prevented and why. Some operations may be prevented due to an incorrect or incomplete SELinux security policy, whereas others may be prevented due to an attempted system compromise. The system log provides administrators with data useful in determining the reason operations were prevented so that appropriate action can be taken. The section of this chapter titled "Monitoring SELinux" explains the format of the log entries made by SELinux. Permissive mode is available only if your system's kernel was compiled with the option NSA SELinux Development support . Generally, Linux vendors compile their standard kernels with this option. However, if you compiled your own kernel, you may have omitted the option, in which case permissive mode won't be available. If you're especially concerned about the security of your system, you may prefer to compile a kernel without the NSA SELinux Development support option. Doing so ensures that the system always operates in enforcing mode. However if you do so, you may find it cumbersome to administer the system. For instance, you may install a new software package and find that the associated policy file isn't quite accurate or complete, causing the application to operate imperfectly. Without the ability to enter permissive mode, it may be difficult to troubleshoot and correct the problems with the policy file. Permissive mode is used when configuring, testing, and troubleshooting SELinux and the SELinux security policy. Under permissive mode, SELinux permits all operations, even those that violate the SELinux security policy. Nevertheless, SELinux writes log entries that would have been written had the system been in enforcing mode. Permissive mode enables a system administrator to observe the effects of experimental SELinux security policies without affecting the operation of the system. SELinux includes a special utility, Audit2allow, that can recommend SELinux policy changes based on log entries; the section of this chapter titled "Monitoring SELinux" explains this utility and how to use it to revise the SELinux security policy.  | Because an SELinux system operating in permissive mode does not prevent operations that violate its security policy, you generally should not put an SELinux system that resides in a hostile environment into permissive mode. Before putting the system into permissive mode, you should relocate it to a protected network, shut down vulnerable services, restrict remote logins, or otherwise secure the system. | |
|
