CentOS Stream 8

SELinux : Policy Type  2021/03/02

 
When SELinux is in [Enforcing] or [Permissive] mode, you can choose the Policy Type, and you can modify the selected policy for your own environment if needed.
The Policy Type is set in the [/etc/selinux/config] file.
The default policy on CentOS Stream 8 is the [targeted] policy.
To change the Policy Type, the policy files for the new type must be installed first.
On a CentOS Stream 8 Minimal install, only the [targeted] policy is installed by default.
If you switch to a policy whose policy files are not installed, the system will not start, so be careful.
[1] Set the Policy Type on the [SELINUXTYPE=***] line.
# default is [targeted]

[root@dlp ~]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

# for example, change to the [minimum] policy
# install the policy files first, don't forget it

[root@dlp ~]# dnf -y install selinux-policy-minimum
# policy files are installed under the [minimum] directory

[root@dlp ~]# ll /etc/selinux

total 8
-rw-r--r--. 1 root root  548 Feb 18 15:45 config
drwxr-xr-x. 5 root root  133 Feb 25 11:23 minimum
-rw-r--r--. 1 root root 2647 Feb  4 06:55 semanage.conf
drwxr-xr-x. 5 root root  133 Feb 25 11:21 targeted

[root@dlp ~]# vi /etc/selinux/config
# change [SELINUXTYPE]
# also change the SELINUX mode to [permissive] so that files are re-labeled normally

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=minimum

# set re-labeling and restart to apply the change

[root@dlp ~]# touch /.autorelabel
[root@dlp ~]# reboot
[root@dlp ~]# sestatus

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             minimum    # changed
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
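
A pre-reboot check for the procedure in [1], added here as an example and not part of the original page: it confirms that the policy named by SELINUXTYPE is installed, that the mode is not [enforcing], and that the relabel flag exists. The function names and return codes are hypothetical, and the compiled policy is assumed to be at [/etc/selinux/<type>/policy/policy.NN].

```shell
#!/bin/sh
# Added example: pre-reboot check for a SELINUXTYPE change.
# Function names and return codes are hypothetical, not part of any SELinux tool.

# Print the value assigned to KEY ($1) in config file ($2). Comment lines are
# skipped because the match is anchored at the start of a non-comment line;
# the last assignment wins.
cfg_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$2" | tail -n 1
}

# Succeed if ROOT ($1) / TYPE ($2) / policy holds a compiled policy.NN file.
policy_installed() {
    for f in "$1/$2/policy/policy."*; do
        if [ -f "$f" ]; then return 0; fi
    done
    return 1
}

# check_policy_switch CONFIG [ROOT] [RELABEL_FLAG]
# Returns 0 = ready to reboot, 1 = SELINUXTYPE unset, 2 = policy not installed,
# 3 = policy installed but the permissive/relabel steps are incomplete.
check_policy_switch() {
    cfg=$1 root=${2:-/etc/selinux} flag=${3:-/.autorelabel}
    ptype=$(cfg_get SELINUXTYPE "$cfg")
    mode=$(cfg_get SELINUX "$cfg")
    if [ -z "$ptype" ]; then
        echo "no SELINUXTYPE in $cfg" >&2; return 1
    fi
    if ! policy_installed "$root" "$ptype"; then
        echo "policy '$ptype' not installed: dnf install selinux-policy-$ptype" >&2
        return 2
    fi
    rc=0
    if [ "$mode" = enforcing ]; then
        echo "SELINUX=enforcing: use permissive for the relabel boot" >&2; rc=3
    fi
    if [ ! -e "$flag" ]; then
        echo "$flag missing: touch it to relabel on next boot" >&2; rc=3
    fi
    return $rc
}

# Stand-alone use: sh check.sh /etc/selinux/config
if [ "$#" -ge 1 ]; then check_policy_switch "$@"; fi
```

Run it after editing the config file and before rebooting; on a system where the policy type has not been changed, return code 3 only reflects that the switch steps were not performed.
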
[2] Three kinds of policies are provided as RPM packages, as listed in the comments of the configuration file.

Policy    Description
Targeted  Applies access controls to processes that are often targeted by attacks. (Default)
Minimum   Includes the same setting files as the [Targeted] policy, but fewer processes are targeted for access controls than with the [Targeted] policy.
MLS       Multilevel Security policy. It implements the Bell-LaPadula (BLP) model and makes it possible to apply more complex controls.
