From the course: Red Hat Certified System Administrator (EX200) Cert Prep: 2 File Access, Storage, and Security

Set enforcing and permissive modes for SELinux


- [Narrator] Before we can talk about the SELinux mandatory access control system, we need to cover a few terms. Discretionary access control is a means of restricting access to objects based on the identity of the subjects and/or the groups to which they belong. This access control is discretionary in that a subject with certain permissions can pass those permissions on to other subjects. Standard Linux permissions, access control lists, the SUID and SGID special bits, as well as su/sudo, are examples of discretionary access control. Who the subject is determines what they can do, based on their ownership. Mandatory access control is an additional layer over discretionary access control. With mandatory access control, the operating system constrains the ability of a subject to access an object. Mandatory access control is made up of rules allowing subjects some sort of access to objects. Subjects are user processes, which are run by users. Objects are the resources they are trying to access, such as files, directories, I/O devices, pipes, network ports and so on. The access is an action performed by the subject on the object, such as read, write, delete, or create. Let's take a look at an example. A subject such as a user runs a program. That will attempt a start operation on the object. In this case, the object is file.txt, and then we'll attempt a read operation on the same object. When the subject tries to save the changes, it will attempt a write action on the object. A rule allows or denies subjects from performing actions on specific objects. A rule may be specific about which subjects, which actions are allowed or denied, and on which objects. The security policy is the system-wide set of rules defining what the subjects can do to the objects. The security context, or label, is the tag that SELinux stores for subjects and objects. All subjects and objects will have a security context.
This security context is stored in the extended attributes section of the file metadata. Let's look at the process of subjects accessing objects again, but this time add in the SELinux bits. The subject, in this case Vim, requests access to the object, which is file.txt. The SELinux security server queries the SELinux policy database of rules. If, based on those rules, permission is granted, then Vim will access file.txt. If permission is not granted, then a denied access message will be added to the access vector cache. These messages are available in the operating system log files. SELinux has several operating modes. Enforcing mode, where the security policy is being enforced. Permissive mode, where the policy is consulted and messages are printed, but the policy is not enforced. This is good for troubleshooting SELinux policy issues. The application is allowed to run, and all policy violations are allowed. Note that there are times when having SELinux set to permissive will still deny a subject access to an object, but it's usually not a problem. Disabled is just that: SELinux is turned off, and no mandatory access control system is in place. I do not recommend turning SELinux off. SELinux has different enforcement policies. Type enforcement is the default type of mandatory access control used in the targeted policy. All subjects and objects are tagged with a type in the security context. The rules determine which types can act on which other types. There's also role-based access control, which assigns a role to SELinux users and enforces access control that way. SELinux also supports multi-level security, which assigns a security level to various subjects and objects. For instance, in a military environment, you may have a certain clearance level which gives you access to certain resources. Multi-category is similar, in that it categorizes objects and makes policy decisions based on the category. This is useful with containerization of processes.
Let's go to a terminal and get the current SELinux mode. On the terminal, type in sestatus and hit enter. This shows we're using the targeted policy, and it's being enforced. Remember that the targeted policy uses type enforcement. Another command that we can use to get this information is getenforce. Type in getenforce and hit enter. We can alter the SELinux mode in real time by using setenforce. Type in clear, then type in sudo setenforce permissive and hit enter. Type in your password if prompted, and then verify using getenforce. We can now see that we're in permissive mode. This change is temporary, and if we want it to survive a reboot, we have to edit the /etc/selinux/config file and reboot. Let's take a look at it. Type in less /etc/selinux/config and hit enter. If we wanted to change SELinux into permissive mode, we'd change SELINUX=enforcing to SELINUX=permissive, and then we'd save the file and reboot the system. Also, if you want to disable SELinux, it cannot be done live. This configuration file needs to be edited, and the system has to be rebooted.
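The persistent change the narrator describes, edited and verified with shell functions on a constructed copy of /etc/selinux/config rather than the real file (added example, not part of the course; the function names and the sample config contents are assumptions):

```shell
#!/bin/sh
# Added example (not from the course): read and change the persistent SELinux
# mode in a COPY of /etc/selinux/config, so the live system file is never touched.
# The sample below is constructed to mirror the default RHEL layout.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
'

# Print the persistent mode: only the uncommented SELINUX= line, not the comment examples.
config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1"
}

# Print the policy type from the SELINUXTYPE= line.
config_type() {
    sed -n 's/^SELINUXTYPE=\([a-z]*\).*/\1/p' "$1"
}

# Rewrite SELINUX= to the requested mode; anything but the three valid values is refused,
# so a typo cannot leave the system booting with an unknown mode.
set_config_mode() {
    case "$2" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $2" >&2; return 1 ;;
    esac
    sed "s/^SELINUX=.*/SELINUX=$2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Write the constructed config to a temp file and print its path.
demo_file() {
    f=$(mktemp)
    printf '%s' "$SAMPLE_CONFIG" > "$f"
    echo "$f"
}

# Stand-alone demo (run with: sh script.sh demo): same edit as the course, on the copy.
if [ "${1:-}" = "demo" ]; then
    cfg=$(demo_file)
    echo "before: SELINUX=$(config_mode "$cfg") SELINUXTYPE=$(config_type "$cfg")"
    set_config_mode "$cfg" permissive
    echo "after:  SELINUX=$(config_mode "$cfg")  (takes effect only after a reboot)"
    rm -f "$cfg"
fi
```

Unlike setenforce, which changes the running kernel immediately, this file edit does nothing until the next boot, which is why the narrator pairs it with a reboot.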
