Using SELinux on an ICE-Linux CMS

After the policy sources are verified to allow what should be allowed, and with the .pp file in hand,
load it with the following command:
# semodule -i local.pp
The policy is now loaded, and additional AVC messages from actions previously in violation of the
policy should cease to appear. To remove a currently installed policy module, use the -r option and
supply the module name:
# semodule -r local
For a list of currently installed modules, run the following command:
# semodule -l
For more information, see the semodule(8) manpage.
Appendix C contains the source for a sample policy that was developed on a system running only ICE-Linux.
To allow the most common ICE-Linux policy violations, it can be used with the checkmodule
command to generate a policy module. Note that this command is included in the checkpolicy RPM,
so, to use it, the RPM must be installed. The recommended usage is:
# checkmodule -M -m -o local.pp sample.te
HP requires the -M option, which enables Multi-Level Security and Multi-Category Security
(MLS/MCS). The default policy included with RHEL 5 is MLS/MCS enabled, and policy modules
generated without MLS/MCS enabled are not supported by Red Hat. The -m option compiles a module;
omitting it causes the checkmodule command to check the syntax of the .te file only, then to exit.
The -o option indicates that an alternate name is used for the binary module file, in this case,
local.pp. Finally, assuming local.pp was given as the argument to the -o option, load the resulting policy
module as in the previous procedure:
# semodule -i local.pp
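The build-and-load steps above, wrapped in a checked script. This is an added example, not HP's or ICE-Linux's own tooling: it assumes checkmodule, semodule_package and semodule are on the PATH (the checkpolicy and policycoreutils RPMs) and that it runs as root. It also runs semodule_package between checkmodule and semodule, because checkmodule emits a raw .mod file and semodule -i loads the packaged .pp; that packaging step is standard toolchain behaviour and is not shown on this page.

```shell
#!/bin/sh
# Added example, not HP's or ICE-Linux's own script: build a policy module
# from NAME.te, load it, and confirm the result against the semodule listing.
# Assumptions: checkmodule, semodule_package and semodule are installed
# (checkpolicy and policycoreutils RPMs) and the script runs as root.

set -u

# Compile NAME.te into NAME.pp.
# checkmodule writes a raw binary module (NAME.mod); semodule_package wraps
# it into the package that semodule -i accepts (standard toolchain step,
# assumed here rather than taken from the page).
build_module() {
    name=$1
    if [ ! -f "$name.te" ]; then
        echo "build_module: $name.te not found" >&2
        return 1
    fi
    # -M: MLS/MCS support (required with the RHEL 5 policy); -m: build a module.
    checkmodule -M -m -o "$name.mod" "$name.te" || return 1
    semodule_package -o "$name.pp" -m "$name.mod"
}

# Succeed if MODULE appears in a `semodule -l` listing read from stdin.
# Listing lines have the form "name<TAB>version".
module_installed() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Install NAME.pp, then verify that semodule actually lists it.
load_module() {
    name=$1
    semodule -i "$name.pp" || return 1
    if semodule -l | module_installed "$name"; then
        echo "module $name is installed"
    else
        echo "load_module: $name not listed after semodule -i" >&2
        return 1
    fi
}

# Usage as a script:  ./build_and_load.sh local   (expects local.te here)
if [ -n "${1:-}" ]; then
    build_module "$1" && load_module "$1"
else
    echo "usage: $0 MODULE_NAME" >&2
fi
```

The final `semodule -l` check is the part worth keeping even if you type the commands by hand: a module that compiled but failed to install leaves the system exactly as it was, and the AVC messages will keep appearing.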
Enforce the New Policy
After the policy modules to accommodate ICE-Linux and any third-party add-ons or customized scripts
are installed, the last step is to begin enforcing the new SELinux policy. This is accomplished with the
setenforce command:
# setenforce 1
SELinux will now enforce the currently loaded policy. SELinux can be switched back to permissive
mode by using a 0 instead of a 1 in the command above. You do not need to be in permissive mode
to make policy changes; however, permissive mode may display more policy violations. If an action
violates the policy in multiple ways, only the first violation is displayed when SELinux is in enforcing
mode, because the action is prevented immediately. For this reason, HP recommends that when a
violation you want to allow does occur, SELinux should be set to permissive mode and the action
should then be repeated.
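The permissive-mode replay HP recommends, as an added example script (not HP's or ICE-Linux's own): it switches to permissive mode, runs the action, switches back to enforcing mode regardless of the outcome, and summarises the AVC denials logged in between, so every violation the action causes is captured rather than only the first. It assumes root privileges, that setenforce is available, and that auditd writes records to /var/log/audit/audit.log (overridable through AUDIT_LOG). The sample audit records embedded for the no-argument demo are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example, not HP's or ICE-Linux's own script: repeat an action in
# permissive mode so that every denial it causes is logged (not just the
# first), return to enforcing mode, and summarise the new AVC records.
# Assumptions: runs as root, setenforce is available, and auditd writes
# AVC records to $AUDIT_LOG (default /var/log/audit/audit.log).

set -u

AUDIT_LOG=${AUDIT_LOG:-/var/log/audit/audit.log}

# Count AVC denial records in the audit log text read from stdin.
count_denials() {
    grep -c 'avc:  denied' || true
}

# Reduce AVC denial records read from stdin to one line per distinct
# (class, permissions, source context -> target context) tuple.
summarize_denials() {
    grep 'avc:  denied' \
      | sed -E 's/.*denied  [{] ([^}]*) [}].*scontext=([^ ]*) tcontext=([^ ]*) tclass=([^ ]*).*/\4 \1 \2 -> \3/' \
      | sort -u
}

# Run COMMAND in permissive mode, switch back to enforcing whatever happens,
# then print the denials logged while it ran.
replay_permissive() {
    start=$(wc -l < "$AUDIT_LOG")
    setenforce 0 || return 1
    "$@"
    status=$?
    setenforce 1
    echo "denials logged while running: $*"
    tail -n +"$((start + 1))" "$AUDIT_LOG" | summarize_denials
    return "$status"
}

# Constructed sample records (not from a real system) so the summary can be
# tried without an audit log. The SYSCALL line is there to show it is ignored.
SAMPLE_RECORDS='type=AVC msg=audit(1166017682.366:877): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1166017682.366:877): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1166017682.400:878): avc:  denied  { read } for  pid=1234 comm="httpd" name="about.html" dev=sda1 ino=12346 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file'

# Usage as a script:  ./replay.sh /etc/init.d/some-service restart
# With no arguments it summarises the constructed sample instead.
if [ $# -gt 0 ]; then
    replay_permissive "$@"
else
    printf '%s\n' "$SAMPLE_RECORDS" | summarize_denials
fi
```

The summary collapses repeated denials of the same kind (two reads of different files under the same contexts become one line), which is the granularity at which an allow rule in the .te file is written; the raw records are still in the audit log if you need the file names.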