Thursday, February 4, 2010

7. SELinux Targeted Policy (RedHat) - II


Confined and Unconfined states
1. How to disable protection of a currently protected targeted daemon (httpd) while SELinux runs in enforcing mode?
Or
How to remove a particular domain from SELinux protection while it runs in enforcing mode?
Or
Transition of a daemon from the confined state to the unconfined state

We will explain this with the apache daemon. Let's start by moving apache from the confined state to the unconfined state.
Steps:
# ps -axZ |grep httpd
    This shows the SELinux label (the security-context tuple) of the running httpd processes, i.e. the sandbox apache is running in.
# cd /selinux
    Under this directory (in booleans/) is a file called httpd_disable_trans, which controls whether httpd, on invocation, makes the transition from the default unconfined_t (unconfined) domain to httpd_t (confined).

Step: 1
# echo "1 1" > /selinux/booleans/httpd_disable_trans
    The file is overwritten with two values, "1 1". The first "1" is the current status of the daemon with respect to SELinux, i.e. the service's current protection status, and the second "1" is the pending value.
Step: 2
# echo "1" > /selinux/commit_pending_bools
    This commits the pending boolean changes immediately and reloads the SELinux policy (none of the other domains are affected).
Step: 3
# service httpd restart
    This restarts the httpd service and completes the transition from the confined (httpd_t) sandbox to the unconfined (unconfined_t) sandbox, which is not protected by the targeted policy. This means the httpd service now behaves like an ordinary Linux service.
# ps -axZ |grep httpd
    Now we can see that httpd has moved from confined to unconfined.

2. Changing httpd back from unconfined to confined context.

# echo "0 0" > /selinux/booleans/httpd_disable_trans
# echo "1" > /selinux/commit_pending_bools
# service httpd restart
# ps -axZ
    Now we can see that httpd is running confined again.
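The `ps -axZ` check above is the one place where you verify that the daemon really is in the domain you expect. Here is an added example (not from the original post) that automates that verification: it extracts the type field from each process label, lists every httpd process that is not running in its confined httpd_t domain, and decodes the "current pending" pair that a selinuxfs boolean file returns, as described in Step 1. The `ps -eZ` output is a constructed sample so the script runs offline; on a real host feed it `ps -eZ` instead.

```bash
#!/bin/sh
# Added example: audit SELinux process labels for daemons that have left their
# confined domain, and read a selinuxfs boolean in its "current pending" form.

# Constructed sample of `ps -eZ` output (LABEL PID TTY TIME CMD); one httpd
# process has been started outside its domain.
SAMPLE_PS='system_u:system_r:httpd_t:s0       1234 ?  00:00:00 httpd
system_u:system_r:httpd_t:s0       1235 ?  00:00:00 httpd
system_u:system_r:unconfined_t:s0  1300 ?  00:00:00 httpd
system_u:system_r:sshd_t:s0         900 ?  00:00:00 sshd'

# domain_of LABEL -> the type (third colon-separated field), e.g. httpd_t
domain_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# unconfined_procs "<ps -eZ text>" CMD EXPECTED_TYPE
# Prints "PID CMD LABEL" for every CMD process whose domain is not
# EXPECTED_TYPE; prints nothing when all of them are properly confined.
unconfined_procs() {
    printf '%s\n' "$1" | awk -v cmd="$2" -v want="$3" '
        $NF == cmd {
            split($1, f, ":")
            if (f[3] != want) print $2, $NF, $1
        }'
}

# bool_state "<contents of /selinux/booleans/NAME>" -> "current=N pending=M"
# The boolean file holds two integers: the active value and the pending value
# that commit_pending_bools will apply.
bool_state() {
    set -- $1
    printf 'current=%s pending=%s\n' "$1" "$2"
}

# Run against the constructed sample: reports PID 1300 as unconfined.
unconfined_procs "$SAMPLE_PS" httpd httpd_t
```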
