SELinux : Policy Type2021/03/02 |
If SELinux is in [Enforcing/Permissive], it's possible to choose Policy Type.
You can modify the selected policy for your own environment if you need.
It's possible to set Policy Type in [/etc/selinux/config] file.
CentOS Stream 8 Default Policy is [targeted] Policy.
However, if you change the Policy Type, it needs to install Policy File.
For CentOS Stream 8 Minimal, only [targeted] Policy is installed by default.
If you change to a Policy without installing Policy File, System will not start, so Be Careful well.
|
|
[1] | Set Policy Type on [SELINUXTYPE=***] section. |
# default is [targeted] [root@dlp ~]# cat /etc/selinux/config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=enforcing # SELINUXTYPE= can take one of these three values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted # for example, change to [minimum] Policy # install policy file first, don't forget it [root@dlp ~]# dnf -y install selinux-policy-minimum
# policy file is installed under [minimum] directory [root@dlp ~]# ll /etc/selinux total 8 -rw-r--r--. 1 root root 548 Feb 18 15:45 config drwxr-xr-x. 5 root root 133 Feb 25 11:23 minimum -rw-r--r--. 1 root root 2647 Feb 4 06:55 semanage.conf drwxr-xr-x. 5 root root 133 Feb 25 11:21 targeted
[root@dlp ~]#
vi /etc/selinux/config # change [SELINUXTYPE] # change SELINUX mode to [permissive], too. to re-label files normally # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=permissive # SELINUXTYPE= can take one of these three values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=minimum[root@dlp ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: minimum # changed
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
|
[2] | There are 3 kinds of Policies provided with RPM Package such as examples in Configuration file.
|
Sponsored Link |
|