Chapter 8. Customizing and Writing Policy

Warning

The commands and steps covered in this chapter may render your system inoperable or unable to be supported.

Nothing in this chapter should be performed on a production system without having been thoroughly tested in a development or sandbox environment first.

If you are going to compile and install a custom policy, be prepared to take the actions you need to safeguard your data and installation. Proper backup procedures, change reversal plans, and an informed methodology are key to your success.

This chapter discusses troubleshooting and customizing your SELinux policy and presents a methodology for writing policy. Specific cautions are discussed where they apply.

Note

Presenting a comprehensive guide to writing policy is not within the scope of this book. For more information on writing policy, refer to the resources in Chapter 9 References.

For this reason, the policy writing guidelines presented here are generic; generic ideas are easier to apply to your unique environment.

If the resources and general methodologies are not sufficient for your policy writing needs, contact Red Hat support or sales for information about policy writing services.

8.1. General Policy Troubleshooting Guidelines

When troubleshooting, use the kernel boot parameter selinux=0 only as a last resort. If using setenforce at runtime is not sufficient, try booting with enforcing=0 to switch to permissive mode. SELinux checking remains enabled and avc: denied messages are still logged to $AUDIT_LOG, but nothing is enforced.

By troubleshooting with SELinux enabled, you can more easily identify and resolve problems. For example, if SELinux is fully disabled, the -Z option is not available for finding the security context of objects. You cannot relabel a file or the file system while SELinux is disabled. Finally, any new files or directories you create have no SELinux security attributes, which causes more problems when you boot with SELinux enabled again.

Reserve selinux=0 and SELINUX=disabled in /etc/sysconfig/selinux for longer-term disabling.

Published under the terms of the GNU General Public License