Chapter 4. Using and Administering SELinux

At this point we'll assume your SELinux system has
been installed and that you are ready to log in. This chapter lays
out the first administrative tasks you need to do and some ongoing
administrative tools you'll want to know about as
you continue to add software and users to your system.

As with any multiuser system, you have to create accounts for users
and assign them the proper privileges. In SELinux these tasks are not
much more complicated than in other systems, although
you'll have to learn some new commands to carry them
out. And in the future, after SELinux has become widely adopted, the
wrinkles have been ironed out, and thoroughly tested policy files are
available, these typical sysadmin tasks may be all
that's involved for most people running SELinux.

But unfortunately, we are not yet at that stage of maturity. As
explained in earlier chapters, each release of SELinux on each
distribution has its own rough spots. These will be manifested in
various hard-to-diagnose ways, including:

- Users being unable to log in
- Users logging in but having their X desktops or particular
  applications freeze
- Applications failing (silently or with obnoxious complaints) because
  they cannot access files or other necessary resources

Thus, basic sysadmin tasks for SELinux include checking log files and
tracing what has happened to users and applications. This chapter
contains a substantial section to help you understand SELinux logging
and make use of that information to change permissions on users and
files.

Furthermore, SELinux has a built-in troubleshooting method known as
permissive mode to help you figure out what changes to make. In
permissive mode, SELinux does not actually stop anybody from doing
anything. In other words, you do not actually have a secure SELinux
system. (Traditional Unix security is still operational, though.) You
should learn how to switch to and from permissive mode (on a
non-production system in a safe environment, of course) to find out
what changes you need to make to let users and applications run on
your system.

When you make changes to your system, you may have to rebuild the
policy files SELinux uses to control access, or relabel files.
Sometimes you can install software seamlessly, and SELinux
automatically does the right thing. But in other cases, the policies
or labels become out of sync with the system.

The topics in this chapter include:

- Permissive mode
- Rebuilding policies
- Labeling files
- Routine system administration (changing roles, adding users, and
  checking file contexts)
- Monitoring SELinux through log files
- Miscellaneous troubleshooting

Some administrative tasks go beyond the use of SELinux commands and
require you to actually change SELinux policy files. These will be
the subjects of several later chapters.