AlmaLinux 9
Sponsored Link

SELinux : Operating Mode2023/02/20

 
This is the Basic Usage and Configuration for SELinux (Security-Enhanced Linux).
It's possible to use MAC (Mandatory Access Control) feature on AlmaLinux for various resources by SELinux.
[1] Confirm the current status of SELinux like follows.
(default mode is [Enforcing])
# display current mode

[root@dlp ~]#
getenforce

Enforcing
# enforcing   ⇒  SELinux is enabled (default)
# permissive  ⇒  MAC is not enabled, but only records audit logs according to Policies
# disabled    ⇒  SELinux is disabled

# also possible to display with the command

[root@dlp ~]#
sestatus

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
[2] It's possible to switch current mode between [permissive] ⇔ [enforcing] with [setenforce] command.
But if AlmaLinux System is restarted, the mode returns to default.
[root@dlp ~]#
getenforce

Enforcing
# switch to [Permissive] with [setenforce 0]

[root@dlp ~]#
setenforce 0

[root@dlp ~]#
getenforce

Permissive
# switch to [Enforcing] with [setenforce 1]

[root@dlp ~]#
setenforce 1

[root@dlp ~]#
getenforce

Enforcing
[3] If you'd like to change Operating Mode permanently, change value in Configuration file.
[root@dlp ~]#
vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# See also:
# https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes
#
# NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also
# fully disable SELinux during boot. If you need a system with SELinux
# fully disabled instead of SELinux running with no policy loaded, you
# need to pass selinux=0 to the kernel command line. You can use grubby
# to persistently set the bootloader to boot with selinux=0:
#
#    grubby --update-kernel ALL --args selinux=0
#
# To revert back to SELinux enabled:
#
#    grubby --update-kernel ALL --remove-args selinux
#
# change value you'd like to set
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

# restart to apply change

[root@dlp ~]#
[4] To disable SELinux, if you set [SELINUX=disabled] in configuration file as usual, SELinux runs with no policy loaded, however, if you'd like to fully disable it, add kernel parameter like follows.
# disable SELinux

[root@localhost ~]#
grubby --update-kernel ALL --args selinux=0
# restart to appy changes

[root@localhost ~]#
# to back to enabled, set like follows (need restarting)

[root@localhost ~]#
grubby --update-kernel ALL --remove-args selinux

[5] If you change the Operating Mode from [Disabled] to [Enforcing/Permissive], it needs to re-label the filesystem with SELinux Contexts. Because when some files or directories are created in [Disabled] mode, they are not labeled with SELinux Contexts, it needs to label to them, too.
# run the command, then re-labeling will be run on next booting

[root@dlp ~]#
fixfiles -F onboot

System will relabel on next boot
# the file is created with the command above

[root@dlp ~]#
ll /.autorelabel

-rw-r--r--. 1 root root 3 Mar 10 19:34 /.autorelabel
Matched Content