CentOS 6

SELinux : Operating Mode
2016/07/26

 
These are the basic operations and configuration steps for the operating mode of SELinux (Security-Enhanced Linux).
SELinux provides MAC (Mandatory Access Control) on CentOS for various system resources.
[1] Confirm the current status of SELinux as follows (the default mode is "Enforcing").
# display current mode
[root@dlp ~]# getenforce
Enforcing
# enforcing   ⇒ SELinux is enabled and the policy is enforced (default)
# permissive  ⇒ the policy is not enforced; violations are only recorded in the audit log
# disabled    ⇒ SELinux is disabled

# sestatus shows the mode, too (see the "Current mode" line)
[root@dlp ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
[2] You can switch the current mode between Permissive and Enforcing with the setenforce command. The change is not persistent: after a reboot, the mode returns to the default from the configuration file.
[root@dlp ~]# getenforce
Enforcing
# switch to "Permissive" with "setenforce 0"
[root@dlp ~]# setenforce 0
[root@dlp ~]# getenforce
Permissive
# switch to "Enforcing" with "setenforce 1"
[root@dlp ~]# setenforce 1
[root@dlp ~]# getenforce
Enforcing
[3] To change the operating mode permanently, change the value in the configuration file.
[root@dlp ~]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# set the value you want here
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

# reboot to apply the change
[root@dlp ~]#
[4] If you change the operating mode from "Disabled" to "Enforcing" or "Permissive", the filesystem must be re-labeled with SELinux contexts: files and directories created while SELinux was disabled carry no SELinux context, so they need to be labeled too.
# request re-labeling as follows; it runs during the next system reboot
[root@dlp ~]# touch /.autorelabel
[root@dlp ~]#
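To check the transition in [2]-[4] before rebooting, here is an added shell example (not from the original page) that compares the running mode with the SELINUX= value in /etc/selinux/config and reports whether the next boot needs a relabel. The running mode and the config path are parameters, and the config it reads is a constructed sample, so it runs on a host without SELinux.

```shell
#!/bin/sh
# Added example, not from the original page: checks whether the running
# SELinux mode matches /etc/selinux/config and whether booting into the
# configured mode needs a filesystem relabel (touch /.autorelabel).
# Inputs are parameters (the getenforce output and a config path), so it
# runs on any host; the config used below is a constructed sample.

# Print the SELINUX= value of a config file, lowercased, skipping
# commented lines; prints "unknown" if the key is absent.
# Assumption: the last uncommented SELINUX= line wins.
selinux_config_mode() {
    cfg_mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z')
    if [ -n "$cfg_mode" ]; then printf '%s\n' "$cfg_mode"; else printf 'unknown\n'; fi
}

# $1 = running mode as printed by getenforce, $2 = config file path.
# Prints "match"   when running and configured modes agree,
#        "relabel" when running Disabled but configured enforcing/permissive
#                  (files created while disabled carry no SELinux context),
#        "reboot"  for any other change, which takes effect on the next boot;
# prints "invalid" and returns 1 for an unusable config.
selinux_plan() {
    running=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    configured=$(selinux_config_mode "$2")
    case "$configured" in
        enforcing|permissive|disabled) ;;
        *) printf 'invalid\n'; return 1 ;;
    esac
    if [ "$running" = "$configured" ]; then
        printf 'match\n'
    elif [ "$running" = disabled ]; then
        printf 'relabel\n'
    else
        printf 'reboot\n'
    fi
}

# Constructed sample config (same layout as /etc/selinux/config on CentOS 6).
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

selinux_plan Disabled "$SAMPLE_CFG"   # prints "relabel"
```

On a real host, pass "$(getenforce)" and /etc/selinux/config instead of the sample values.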