SELinux : Operating Mode2022/03/11 |
This is the Basic Usage and Configuration for SELinux (Security-Enhanced Linux).
It's possible to use MAC (Mandatory Access Control) feature on CentOS for various resources by SELinux.
|
|
[1] | Confirm the current status of SELinux like follows. (default mode is [Enforcing]) |
# display current mode [root@dlp ~]# getenforce Enforcing # enforcing ⇒ SELinux is enabled (default) # permissive ⇒ MAC is not enabled, but only records audit logs according to Policies # disabled ⇒ SELinux is disabled # also possible to display with the command [root@dlp ~]# sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33 |
[2] | It's possible to switch current mode between [permissive] ⇔ [enforcing] with [setenforce] command. But if CentOS System is restarted, the mode returns to default. |
[root@dlp ~]#
getenforce Enforcing # switch to [Permissive] with [setenforce 0] [root@dlp ~]# setenforce 0 [root@dlp ~]# getenforce Permissive # switch to [Enforcing] with [setenforce 1] [root@dlp ~]# setenforce 1 [root@dlp ~]# getenforce Enforcing |
[3] | If you'd like to change Operating Mode permanently, change value in Configuration file. |
[root@dlp ~]#
vi /etc/selinux/config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. # See also: # https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes # # NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also # fully disable SELinux during boot. If you need a system with SELinux # fully disabled instead of SELinux running with no policy loaded, you # need to pass selinux=0 to the kernel command line. You can use grubby # to persistently set the bootloader to boot with selinux=0: # # grubby --update-kernel ALL --args selinux=0 # # To revert back to SELinux enabled: # # grubby --update-kernel ALL --remove-args selinux # # change value you'd like to set SELINUX=enforcing # SELINUXTYPE= can take one of these three values: # targeted - Targeted processes are protected, # mls - Multi Level Security protection. SELINUXTYPE=targeted # restart to apply change [root@dlp ~]# |
[4] | To disable SELinux, if you set [SELINUX=disabled] in configuration file as usual, SELinux runs with no policy loaded, however, if you'd like to fully disable it, add kernel parameter like follows. |
# disable SELinux [root@localhost ~]# grubby --update-kernel ALL --args selinux=0
# to back to enabled, set like follows (need restarting) [root@localhost ~]# grubby --update-kernel ALL --remove-args selinux |
[5] | If you change the Operating Mode from [Disabled] to [Enforcing/Permissive], it needs to re-label the filesystem with SELinux Contexts. Because when some files or directories are created in [Disabled] mode, they are not labeled with SELinux Contexts, it needs to label to them, too. |
# run the command, then re-labeling will be run on next booting [root@dlp ~]# fixfiles -F onboot System will relabel on next boot # the file is created with the command above [root@dlp ~]# ll /.autorelabel -rw-r--r--. 1 root root 3 Mar 10 19:34 /.autorelabel |
Sponsored Link |