How to Use the Command 'semanage permissive' (with examples)

The semanage permissive command manages the permissive domains of a Security-Enhanced Linux (SELinux) policy. SELinux is a security architecture integrated into the Linux kernel that enforces mandatory access control policies. Permissive domains are exceptions to SELinux's otherwise strict enforcement: a process type placed in permissive mode is allowed to run without being denied by SELinux, while SELinux still logs every access that the policy would have denied. This is particularly useful for troubleshooting and for moving a service toward full enforcement without interrupting its operation.

Use Case 1: List all process types that are in permissive mode

Code:

sudo semanage permissive -l

Motivation:

Before altering or diagnosing the SELinux policy for particular processes, it is important to know which domains are currently running in permissive mode. SELinux does not deny accesses from these domains (it only logs what would have been denied), and semanage permissive -l provides a complete list of them. This helps system administrators identify which processes have exceptions applied against the SELinux policy, so they can investigate further or adjust configurations as needed.

Explanation:

  • sudo: Used to run the command with root privileges, which is necessary for commands interacting with SELinux policies.
  • semanage: This is the primary command that is used to manage SELinux policies.
  • permissive: Specifies that the command is concerned with handling permissive domains.
  • -l or --list: An option to output a list of all permissive domains currently active on the system.

Example Output:

SELinux Permissive Types
httpd_t
postgresql_t

This output indicates that both httpd_t and postgresql_t are currently permissive, which means they can operate without restriction by SELinux while still logging what actions would have been blocked.

Use Case 2: Set or unset permissive mode for a domain

Code:

sudo semanage permissive -a httpd_t

Motivation:

Transitioning a domain into permissive mode is a strategy often used for debugging and testing. It lets you observe what SELinux would enforce without actually applying it, so the associated service (in this case, the web server running under the httpd_t domain) keeps operating while the accesses that would have been denied are logged for developers and administrators to review. This is also useful when a new service is being integrated and its initial policy is still being written.

Explanation:

  • sudo: Grants root privileges necessary for modifying SELinux policies.
  • semanage: Command used for administering SELinux policies.
  • permissive: Indicates the type of operation to be performed on the domain.
  • -a or --add: This option sets the specified domain (httpd_t) into permissive mode, allowing it to function without restriction while still logging actions that would otherwise be blocked.

Example Output:

Adding httpd_t to the list of permissive domains

This message confirms that the httpd_t domain has been set to permissive mode, so potential policy violations are logged without being enforced. The setting is persistent and survives reboots until it is removed.

To switch a domain back to enforcing mode, use -d or --delete:

sudo semanage permissive -d httpd_t

Example Output:

Removing httpd_t from the list of permissive domains

This informs you that httpd_t is no longer permissive and is back under normal SELinux enforcement.
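As an added example (not part of the original post), the following POSIX shell helpers show the review step that sits between the -a and -d commands above: checking whether a type is on the permissive list, and summarising the AVC records that SELinux wrote with permissive=1 for that type, which are exactly the accesses that will start being denied once the domain is moved back to enforcing. The function names, the copy of the semanage output, and the audit log lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page. On a real host replace the
# constructed samples below with `sudo semanage permissive -l` output and
# /var/log/audit/audit.log.

# Constructed copy of `semanage permissive -l` output (shape as shown above).
SEMANAGE_OUT='SELinux Permissive Types
httpd_t
postgresql_t'

# Constructed AVC records. SELinux marks an access that was allowed only
# because the domain is permissive with permissive=1; a real denial has
# permissive=0.
AUDIT_LOG='type=AVC msg=audit(1700000000.101:201): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { write } for  pid=1234 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { read } for  pid=2345 comm="sshd" name="shadow" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# is_permissive TYPE: exit status 0 if TYPE is listed as a permissive domain.
is_permissive() {
    printf '%s\n' "$SEMANAGE_OUT" | grep -qx "$1"
}

# permissive_avc_count TYPE: how many AVC records were allowed only because
# TYPE is permissive (permissive=1 and a source context of type TYPE).
permissive_avc_count() {
    printf '%s\n' "$AUDIT_LOG" \
      | awk -v pat="scontext=[^ ]*:$1:" \
            '/permissive=1/ && $0 ~ pat { n++ } END { print n + 0 }'
}

# permissive_avc_summary TYPE: unique "class { permissions }" pairs that the
# policy must allow before TYPE can safely go back to enforcing mode.
permissive_avc_summary() {
    printf '%s\n' "$AUDIT_LOG" \
      | grep 'permissive=1' \
      | grep "scontext=[^ ]*:$1:" \
      | sed -E 's/.*avc:  denied  (\{[^}]*\}).*tclass=([^ ]+).*/\2 \1/' \
      | sort -u
}
```

A count of zero for a type over a representative period means nothing in the log depends on the exception, which is the point at which running semanage permissive -d is safe.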

Conclusion:

The semanage permissive command provides the core functionality for managing permissive domains in an SELinux policy. By listing, adding, and removing permissive domains, system administrators can troubleshoot, test, and gradually roll out SELinux enforcement without disrupting service availability. Used properly, it strengthens the system's security posture while keeping services operational.
