Using SELinux on an ICE-Linux CMS
auditd. Policy violation messages are generated by the SELinux Access Vector Cache, or AVC,
and each violation is recorded in the log as an AVC message.
The /etc/selinux/config configuration file controls the SELinux mode of operation, and it is
consulted at boot time. Leaving or entering disabled mode requires a reboot; however, switching
between the permissive and enforcing modes does not. Running a system in disabled mode also
leaves the system in a degraded state with respect to SELinux, because newly created files are not
correctly labeled with SELinux security information. When switching a system from disabled mode
to permissive or enforcing mode, the administrator should ensure the entire file system is labeled
correctly. Thus, HP recommends using only the permissive and enforcing modes. Use the following
procedure to set SELinux into permissive mode:
1. Edit the /etc/selinux/config file using any text editor. Set the SELINUX variable to
permissive.
2. Reboot the CMS.
After following this procedure, the system should boot into permissive mode. Later, after developing
an SELinux policy module, the system will not need to be rebooted to begin enforcing it.
After the system is in permissive mode, you can use a troubleshooting GUI to watch policy violations
appear. You can start this GUI either by running sealert -b on the command line or by navigating
the desktop menu that came with the distribution. In RHEL 5, GNOME is the default GUI, and you can
find the sealert program by clicking the System→Administration→SELinux Troubleshooter menu
item. This program relies on a daemon called setroubleshootd, which runs in the background to
monitor the logs. If access violations do not appear, ensure this daemon is running with the
following command:
# ps aux | grep setroubleshootd
If there is no setroubleshootd process, start it with the service command as follows:
# service setroubleshoot start
You can also start the daemon manually with the following command:
# setroubleshootd
Collecting Violation Data
After access violations appear in the log, click on one of them to obtain a wealth of information
provided by the Troubleshooter. It will contain a summary of the violation, suggestions on how to
allow the access (treat them as informational for now; do not follow them), and the raw AVC message
at the bottom, which will become important to us later. See Appendix B for a sample log entry in the
sealert graphical user interface (GUI).
The goal now is to violate the standard Reference Policy provided by RHEL 5 as much as possible to
obtain a list of access violations. Since the system is in permissive mode, everything should work as it
did before, and you will eventually have a list of violations specific to the running environment. This is
especially important if you have third-party applications or custom scripts that violate policy as well.
Verify scheduled tasks in HP SIM and cron jobs to ensure that they do not violate SELinux policy.
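Added here as a worked example, not code from the HP document: a POSIX shell script with two helpers for the procedure above, one that sets the SELINUX= line in a copy of /etc/selinux/config and refuses disabled mode, and one that collapses saved raw AVC messages into the per-environment list of distinct violations described under Collecting Violation Data. The AVC lines it contains are constructed sample data, not output from a CMS.

```shell
#!/bin/sh
# Added example (not from the HP document). set_selinux_mode works on a copy of
# /etc/selinux/config (pass the real file as root on the CMS); summarize_avc
# works on a file of saved raw AVC messages, e.g. copied from the sealert GUI.

# Rewrite the SELINUX= line in FILE. Only permissive and enforcing are accepted,
# matching the recommendation to stay out of disabled mode. The new value is
# read at the next boot, as the text explains.
set_selinux_mode() {
    file=$1 mode=$2
    case "$mode" in
        permissive|enforcing) ;;
        *) echo "refusing '$mode': use permissive or enforcing" >&2; return 1 ;;
    esac
    grep -q '^SELINUX=' "$file" || { echo "no SELINUX= line in $file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp" && cat "$tmp" > "$file"
    status=$?; rm -f "$tmp"; return $status
}

# Print the mode currently configured in FILE.
current_mode() { sed -n 's/^SELINUX=//p' "$1"; }

# Collapse raw AVC denials in FILE into one line per distinct
# (source context -> target context, class, permissions) tuple, most frequent
# first. This is the list of violations the text says to collect before writing
# a policy module; one line per tuple is easier to review than the raw log.
summarize_avc() {
    awk '/avc: *denied/ {
        perms = "?"
        if (match($0, /\{[^}]*\}/)) perms = substr($0, RSTART + 1, RLENGTH - 2)
        sc = tc = cls = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) sc = substr($i, 10)
            else if ($i ~ /^tcontext=/) tc = substr($i, 10)
            else if ($i ~ /^tclass=/) cls = substr($i, 8)
        }
        n[sc " -> " tc " " cls " {" perms "}"]++
    }
    END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Constructed sample AVC messages (not real CMS output) so the script runs
# stand-alone; comm values and contexts are made up for the demonstration.
AVC_SAMPLE=$(mktemp)
cat > "$AVC_SAMPLE" <<'EOF'
type=AVC msg=audit(1200000000.001:10): avc:  denied  { read } for  pid=2001 comm="backup.sh" name="hosts.cfg" dev=sda2 ino=101 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1200000000.002:11): avc:  denied  { read } for  pid=2001 comm="backup.sh" name="hosts.cfg" dev=sda2 ino=101 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1200000000.003:12): avc:  denied  { name_connect } for  pid=2044 comm="java" dest=50000 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
EOF
summarize_avc "$AVC_SAMPLE"
```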