Using SELinux on an ICE-Linux CMS

Abstract
This white paper is intended for IT professionals interested in using ICE-Linux with Security-Enhanced
Linux (SELinux) extensions enabled on a Central Management Server (CMS) running Red Hat®
Enterprise Linux 5 (RHEL 5). This document does not explain how to use SELinux with ICE-Linux on Red
Hat Enterprise Linux 4, which is based on a deprecated sample SELinux policy. This is not a complete
walk-through of SELinux administration either; some advanced topics, such as writing more strict
policies or compiling your own policy from scratch, are not covered. The procedure outlined within
this white paper removes a few restrictions from the standard Red Hat SELinux policy to allow the
operation of ICE-Linux.
Topics explored in this white paper include SELinux access violations, policy Boolean variables, policy
modules, and audit log analysis. With a combined understanding of these topics, you should be well
prepared to write and install your own SELinux policy modules. You can then use these modules to
enable ICE-Linux to monitor your environment as intended with the added security of SELinux.
Introduction
ICE-Linux is a suite of plug-ins for HP Systems Insight Manager (SIM) that enables a deeper, more
comprehensive monitoring of systems on a network running Red Hat Enterprise Linux or Novell®
SUSE® Linux Enterprise Server (SLES). It also provides tools for image provisioning and management.
SELinux is a mandatory access control security mechanism in the Linux® kernel. It provides an
additional, flexible layer of security enforcement: its checks run only after the standard Linux
discretionary access controls (file ownership and permission bits) have already allowed an action, so
SELinux can deny what the discretionary controls permit, but it never grants what they deny.
Getting Started
This white paper makes a few assumptions about the reader. Namely, you should:
- Be familiar with the normal day-to-day usage of your ICE-Linux CMS.
- Be comfortable using the terminal window.
- Have a working ICE-Linux Central Management Server (CMS) with SELinux currently in permissive
  mode, or disabled.
- Have root access privileges on the ICE-Linux CMS, and follow the procedures in this document
  using this account.
Some understanding of SELinux is helpful, but it is not required.
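The assumptions above can be checked, and the "permissive or disabled" one established, with a short preflight script. The following is an added example and is not part of the HP white paper or of ICE-Linux: it reports the runtime and the configured SELinux mode, refuses to continue if SELinux is enforcing or if you are not root, and with --make-permissive switches the CMS to permissive mode for the running session and for subsequent boots. It assumes, as is standard on RHEL 5 but not stated on this page, that selinuxfs is mounted at /selinux, that getenforce and setenforce are installed (policycoreutils), and that the boot-time mode lives in /etc/selinux/config as a SELINUX= line.

```shell
#!/bin/sh
# Added example, not part of the HP white paper: preflight check for the
# assumptions listed in "Getting Started", plus a switch to permissive mode.
#
# Assumptions not stated on the page (standard on RHEL 5): selinuxfs is at
# /selinux, getenforce/setenforce come from policycoreutils, and the
# boot-time mode is the SELINUX= line in /etc/selinux/config.

SELINUX_CONFIG=${SELINUX_CONFIG:-/etc/selinux/config}

# Map the 0/1 value of /selinux/enforce to the mode name getenforce prints.
enforce_to_mode() {
    case "$1" in
        0) echo Permissive ;;
        1) echo Enforcing ;;
        *) echo Unknown ;;
    esac
}

# Runtime mode: prefer getenforce, fall back to the selinuxfs enforce node;
# if neither exists, SELinux is not active in the running kernel.
runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    elif [ -r /selinux/enforce ]; then
        enforce_to_mode "$(cat /selinux/enforce)"
    else
        echo Disabled
    fi
}

# Mode that applies after the next boot: the uncommented SELINUX= line.
# "^SELINUX=" does not match SELINUXTYPE=, so that line is left alone.
configured_mode() {
    sed -n 's/^SELINUX=\([A-Za-z]*\).*/\1/p' "$1"
}

# Rewrite only the active SELINUX= line; comments and SELINUXTYPE are kept.
# Writes through a temp file so a failed sed can never truncate the config.
set_configured_mode() {
    cfg=$1; mode=$2
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "refusing unknown mode: $mode" >&2; return 1 ;;
    esac
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# The two modes can disagree (setenforce changes only the runtime one),
# which is why both are printed.
preflight() {
    [ "$(id -u)" -eq 0 ] || { echo "run this as root" >&2; return 1; }
    echo "runtime mode:    $(runtime_mode)"
    echo "configured mode: $(configured_mode "$SELINUX_CONFIG")"
    case "$(runtime_mode)" in
        Enforcing)
            echo "SELinux is enforcing; this procedure expects permissive or disabled" >&2
            return 1 ;;
    esac
}

case "${1:-}" in
    --check) preflight ;;
    --make-permissive)
        # setenforce 0 takes effect immediately but is lost at reboot; the
        # config edit makes it persist. Permissive rather than disabled: a
        # disabled system stops labelling new files and needs a full
        # relabel when SELinux is turned back on.
        setenforce 0 && set_configured_mode "$SELINUX_CONFIG" permissive && preflight ;;
esac
```

Run it as root with --check before starting, and with --make-permissive if the CMS is still enforcing. Point SELINUX_CONFIG at a copy of /etc/selinux/config to rehearse the edit without touching the real file.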
Entering Permissive Mode
SELinux has three modes of operation:
- enforcing
- disabled
- permissive
The first two modes are self-explanatory. “Permissive” mode logs every SELinux policy violation but
still allows the action to proceed. It is a great way to troubleshoot and diagnose policy violations
without interrupting day-to-day activities; because nothing is blocked, a process runs to completion
and every denial it would have hit is logged, whereas in enforcing mode the first denial stops it and
the later ones never appear. Policy violations are logged either to the
/var/log/messages log file, or to the /var/log/audit/audit.log file if you are using