Confined and Unconfined states
1. How to disable protection of a currently protected daemon (httpd) under the targeted policy while SELinux runs in enforcing mode?
Or
How to remove a particular domain from SELinux protection while SELinux runs in enforcing mode?
Or
Transition of a daemon from the confined state to the unconfined state
We will explain this with the Apache daemon. Let's start by moving Apache from the confined state to the unconfined state.
Steps:
# ps -axZ |grep httpd
This shows the Apache sandbox (the SELinux security context tuple), i.e. the SELinux labeling of the httpd process.
# cd /selinux
Inside this directory is a file called httpd_disable_trans (under booleans/), which controls whether httpd, upon invocation, makes the transition from the default unconfined_t (unconfined) to httpd_t (confined).
Step: 1
# echo "1 1" > /selinux/booleans/httpd_disable_trans
The file is overwritten with two values, "1 1". The first "1" relates to the currently running status of the daemon with respect to SELinux, i.e. the service is currently being protected, and the other "1" is the pending value.
Step: 2
# echo "1" > /selinux/commit_pending_bools
This applies the boolean changes immediately and reloads the SELinux policy (none of the other domains are affected).
Step: 3
# service httpd restart
Restarting the httpd service finishes the transition from the confined (httpd_t) sandbox to the unconfined (unconfined_t) sandbox, "which is not protected by the Targeted Policy". This means the httpd service will behave like a typical Linux service.
# ps -axZ |grep httpd
Now we can see that httpd has been moved from confined to unconfined.
2. Changing httpd back from the unconfined to the confined context.
# echo "0 0" > /selinux/booleans/httpd_disable_trans
# echo "1" > /selinux/commit_pending_bools
# service httpd restart
# ps -axZ
Now we can see that the httpd is running in confined.
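As an added example (not from the original post), the two procedures above wrapped in shell helpers: one parses `ps -axZ` output to report whether the httpd processes are in httpd_t or not, which is the verification step of both sections, and one writes the boolean and commits it the way steps 1 and 2 do, refusing to run where the /selinux interface is absent. The sample `ps` lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original post.

# httpd_domain_state: reads `ps -axZ` output on stdin and prints
#   confined   - every httpd process runs in httpd_t
#   unconfined - every httpd process runs outside httpd_t (e.g. unconfined_t)
#   mixed      - both kinds present (restart not finished, or stray workers)
#   none       - no httpd process in the input
httpd_domain_state() {
    awk '
        $6 !~ /httpd$/ { next }      # COMMAND field: keep httpd, drop "grep httpd"
        { split($1, ctx, ":")        # label is user:role:type:level
          if (ctx[3] == "httpd_t") conf++; else unconf++ }
        END {
            if (conf + unconf == 0) print "none"
            else if (unconf == 0)   print "confined"
            else if (conf == 0)     print "unconfined"
            else                    print "mixed"
        }'
}

# set_httpd_disable_trans 1|0: write the pending value and commit it, as in
# steps 1 and 2 above (restart httpd afterwards to complete the transition).
set_httpd_disable_trans() {
    bool=/selinux/booleans/httpd_disable_trans
    [ -w "$bool" ] || { echo "no writable $bool: /selinux interface absent" >&2; return 1; }
    echo "$1 $1" > "$bool" && echo 1 > /selinux/commit_pending_bools
}

# Constructed sample of `ps -axZ | grep httpd` output, mid-transition.
SAMPLE_MIXED='system_u:system_r:httpd_t:s0              1234 ?     Ss   0:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0              1235 ?     S    0:00 /usr/sbin/httpd
system_u:system_r:unconfined_t:s0         1300 ?     Ss   0:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 2000 pts/0 S+   0:00 grep httpd'

# Constructed sample after section 2 has completed: all workers back in httpd_t.
SAMPLE_CONFINED='system_u:system_r:httpd_t:s0              1234 ?     Ss   0:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0              1235 ?     S    0:00 /usr/sbin/httpd'

# On a real host:  ps -axZ | httpd_domain_state
printf '%s\n' "$SAMPLE_MIXED" | httpd_domain_state      # prints "mixed"
printf '%s\n' "$SAMPLE_CONFINED" | httpd_domain_state   # prints "confined"
```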