* Strange behavior (?)
@ 2001-12-14  8:26 Justin Smith
  2001-12-14 13:35 ` Stephen Smalley
  0 siblings, 1 reply; 2+ messages in thread
From: Justin Smith @ 2001-12-14  8:26 UTC (permalink / raw)
  To: selinux

It seems that my system occasionally toggles into permissive mode for no
apparent reason.

Also, whenever I reboot, it seems to boot up in permissive mode. Is this
normal behavior? Is there a way to configure it to boot in enforcing
mode?
--


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Strange behavior (?)
  2001-12-14  8:26 Strange behavior (?) Justin Smith
@ 2001-12-14 13:35 ` Stephen Smalley
  0 siblings, 0 replies; 2+ messages in thread
From: Stephen Smalley @ 2001-12-14 13:35 UTC (permalink / raw)
  To: Justin Smith; +Cc: selinux


On 14 Dec 2001, Justin Smith wrote:

> It seems that my system occasionally toggles into permissive mode for no
> apparent reason.

The only situations where the SELinux development module should revert to
permissive mode after being toggled into enforcing mode are:
1) when you reboot the system,
2) when you run avc_toggle from a domain that has avc_toggle permission
(the initrc_t domain and the sysadm_t domain in the example policy).

When you next encounter this behavior, please verify that your system
wasn't rebooted (e.g. last reboot) and that no one ran avc_toggle again.
To verify that no one ran avc_toggle, add an auditallow rule so that it
will be audited when it is allowed as well as when it is denied:
	auditallow { initrc_t admin } kernel_t:system avc_toggle;

You should then see the following message when an avc_toggle occurs:
	avc:  granted { avc_toggle } for ...

> Also, whenever I reboot, it seems to boot up in permissive mode. Is this
> normal behavior? Is there a way to configure it to boot in enforcing
> mode?

Yes, this is the normal behavior.  Please read the help text for the NSA
SELinux Development Module option (select help from the 'make menuconfig'
when you are looking at that option, or just read it directly from the
Documentation/Configure.help file).  As noted there, you can either put
avc_toggle in an rc script to switch into enforcing mode while booting
(leaving open the option of later switching back to permissive mode from
an authorized domain) or you can rebuild the kernel without the option (in
which case the kernel will always be enforcing and cannot be toggled).  If
you do the latter, be sure to keep a copy of a development kernel
available so that you can do emergency recovery if you mess up your
policy.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




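The auditallow rule in the reply above makes granted avc_toggle decisions appear in the kernel log alongside denials. As an added example that is not part of this thread, the script below parses such AVC lines and reports every avc_toggle on the system class, flagging any that was granted from a domain other than the ones the reply names (initrc_t and sysadm_t). The log lines and the field layout after "for" (pid, exe, scontext, tcontext, tclass) are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample kernel log lines modelled on "avc:  granted { avc_toggle } for ...".
# Field names and all values are invented for this example, not taken from a real system.
SAMPLE_LOG = """\
avc:  granted { avc_toggle } for  pid=412 exe=/sbin/avc_toggle scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:kernel_t tclass=system
avc:  denied  { avc_toggle } for  pid=2231 exe=/sbin/avc_toggle scontext=user_u:user_r:user_t tcontext=system_u:system_r:kernel_t tclass=system
avc:  granted { read } for  pid=2240 exe=/bin/cat scontext=user_u:user_r:user_t tcontext=system_u:object_r:etc_t tclass=file
avc:  granted { avc_toggle } for  pid=3001 exe=/sbin/avc_toggle scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system
avc:  granted { avc_toggle } for  pid=3107 exe=/sbin/avc_toggle scontext=user_u:user_r:user_t tcontext=system_u:system_r:kernel_t tclass=system
"""

# Domains the reply says hold avc_toggle permission in the example policy.
EXPECTED_TOGGLE_DOMAINS = {"initrc_t", "sysadm_t"}

AVC_RE = re.compile(r"avc:\s+(?P<result>granted|denied)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

@dataclass
class AvcEvent:
    result: str                 # "granted" or "denied"
    perms: List[str]            # permissions inside the braces
    fields: Dict[str, str] = field(default_factory=dict)

    def source_type(self) -> str:
        # The type is the last component of a user:role:type security context.
        return self.fields.get("scontext", "").split(":")[-1]

def parse_avc(line: str) -> Optional[AvcEvent]:
    """Parse one AVC log line; return None for lines that are not AVC messages."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return AvcEvent(m.group("result"), m.group("perms").split(), dict(KV_RE.findall(m.group("rest"))))

def avc_toggle_events(log: str) -> List[AvcEvent]:
    """Every granted or denied avc_toggle decision on the system class, in log order."""
    events = [parse_avc(line) for line in log.splitlines()]
    return [e for e in events if e and "avc_toggle" in e.perms and e.fields.get("tclass") == "system"]

def unexpected_toggles(log: str) -> List[AvcEvent]:
    """Granted toggles whose source domain is not one the policy is expected to allow."""
    return [e for e in avc_toggle_events(log) if e.result == "granted" and e.source_type() not in EXPECTED_TOGGLE_DOMAINS]

if __name__ == "__main__":
    for e in avc_toggle_events(SAMPLE_LOG):
        print(f"{e.result:7} avc_toggle from {e.source_type()} pid={e.fields.get('pid')}")
    for e in unexpected_toggles(SAMPLE_LOG):
        print(f"WARNING: avc_toggle granted from unexpected domain {e.source_type()} (pid={e.fields.get('pid')})")
```

A granted toggle from a domain outside the expected set means the loaded policy is broader than the one described in the reply and is worth checking before assuming the mode change was legitimate.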
