لطفا منتظر باشید ...
4.1 System Modes and SELinux Tuning
As mentioned, SELinux provides a
special mode called permissive mode
that's useful for policy troubleshooting
and system maintenance. SELinux's other operating
mode is called enforcing mode
(sometimes called enforcement mode). Enforcing
mode is the normal mode of SELinux operation. Under enforcing mode,
operations that violate the SELinux security policy are prevented. Generally,
when an operation is prevented, an entry is also written to the
system log so that a system administrator can learn what operations
have been prevented and why. Some operations may be prevented due to
an incorrect or incomplete SELinux security policy, whereas others
may be prevented due to an attempted system compromise. The system
log provides administrators with data useful in determining the
reason operations were prevented so that appropriate action can be
taken. The section of this chapter titled
"Monitoring SELinux" explains the
format of the log entries made by SELinux.Permissive mode is available only if your system's
kernel was compiled with the option NSA SELinux
Development support. Generally, Linux vendors compile
their standard kernels with this option. However, if you compiled
your own kernel, you may have omitted the option, in which case
permissive mode won't be available.If you're especially concerned about the security of
your system, you may prefer to compile a kernel without the
NSA SELinux Development support option. Doing so
ensures that the system always operates in enforcing mode. However if
you do so, you may find it cumbersome to administer the system. For
instance, you may install a new software package and find that the
associated policy file isn't quite accurate or
complete, causing the application to operate imperfectly. Without the
ability to enter permissive mode, it may be difficult to troubleshoot
and correct the problems with the policy file.Permissive mode is used when configuring, testing, and
troubleshooting SELinux and the SELinux security policy. Under
permissive mode, SELinux permits all operations, even those that
violate the SELinux security policy. Nevertheless, SELinux writes log
entries that would have been written had the system been in enforcing
mode. Permissive mode enables a system administrator to observe the
effects of experimental SELinux security policies without affecting
the operation of the system. SELinux includes a special utility,
Audit2allow, that can recommend SELinux policy changes based on log
entries; the section of this chapter titled
"Monitoring SELinux" explains this
utility and how to use it to revise the SELinux security policy.
Because an SELinux system operating in permissive mode does not
prevent operations that violate its security policy, you generally
should not put an SELinux system that resides in a hostile
environment into permissive mode. Before putting the system into
permissive mode, you should relocate it to a protected network, shut
down vulnerable services, restrict remote logins, or otherwise secure
the system.
