Sunday, 21 June 2009

SELinux Lockdown Part Three: Permissive Mode Vs. Permissive Domains

SELinux Permissive Mode is a state in which SELinux permits violations of SELinux policy system-wide. In this system-wide permissive state, policy violations are merely logged. Permissive Mode can be used to troubleshoot and test SELinux-related issues. The complication with a system-wide permissive state is that it is wise to operate it only in a safe environment and out of production. In some rare scenarios one could consider minimizing the risks that come with Permissive Mode by using the SEPermit Pluggable Authentication Module (pam_sepermit), but often this measure does not suffice, because it only disables Linux user logins. System services remain vulnerable to policy violations.

Recently, SELinux Permissive Domains were introduced to mitigate these issues. With Permissive Domains one can run a single SELinux Security Domain in a permissive state. By using Permissive Domains you can keep your system in production and, for example, disable public access to the Permissive Domain using IPTables, TCP Wrappers, PAM or other methods.

The semanage command can be used to add and delete SELinux Permissive Domains. You do need to know in which Security Domain a process runs in order to make this Security Domain a Permissive Domain. The ps command used with the -Z option can help you find this information.

Example of how to make the Security Domain called httpd_t for Apache a Permissive Domain:

sudo semanage permissive -a httpd_t

Example of how to make the Security Domain called httpd_t for Apache be enforced again by SELinux:

sudo semanage permissive -d httpd_t

Example of how to use the semanage command to list SELinux Permissive Domains:

sudo semanage permissive -l
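
An added example (not from the original post) of the ps -Z lookup described above: it extracts the domain, which is the third colon-separated field of the label, from ps -eZ output and prints the matching semanage permissive -a command without running it. The function names and the sample process list are constructed for illustration.

```shell
# Constructed sample of `ps -eZ` output (LABEL PID TTY TIME CMD); not from a real host.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:httpd_t:s0     2101 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2102 ?        00:00:00 httpd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1650 ? 00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3001 pts/0 00:00:00 bash'

# domains_for CMD (hypothetical helper): read `ps -eZ` output on stdin and
# print each distinct domain used by processes whose command name is CMD.
domains_for() {
    awk -v cmd="$1" '
        NR == 1 && $1 == "LABEL" { next }   # skip the header row
        $NF == cmd {
            # Label layout is user:role:type:level[:categories]. The MLS
            # part may contain extra colons, so take field 3, not the
            # second-to-last field.
            n = split($1, ctx, ":")
            # Labels with fewer than 3 fields (e.g. "-" when SELinux is
            # disabled) carry no domain and are skipped.
            if (n >= 3 && !seen[ctx[3]]++) print ctx[3]
        }'
}

# permissive_plan CMD (hypothetical helper): print, but do not run, one
# `semanage permissive -a` command per domain found for CMD.
permissive_plan() {
    domains_for "$1" | while read -r dom; do
        echo "semanage permissive -a $dom"
    done
}

# Demo on the constructed sample. On a live host: ps -eZ | permissive_plan httpd
printf '%s\n' "$SAMPLE_PS" | permissive_plan httpd
```

Review the printed command before running it with sudo, and use semanage permissive -d on the same domain once troubleshooting is finished.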


Conclusion:

Prefer SELinux Permissive Domains over Permissive Mode.
Add, list and delete Permissive Domains with the semanage command.


Refer: man semanage, man tcpd, man pam_sepermit, man iptables
