CentOS Stream 9

SELinux : Policy Type (2022/03/11)

If SELinux is in [Enforcing/Permissive] mode, you can choose the Policy Type, and you can modify the selected policy to suit your own environment if needed.
The Policy Type is set in the [/etc/selinux/config] file.
The default Policy on CentOS Stream 9 is the [targeted] Policy.
However, if you change the Policy Type, the corresponding Policy File must be installed.
On CentOS Stream 9 Minimal, only the [targeted] Policy is installed by default.
If you switch to a Policy without installing its Policy File, the system will not start, so be careful.
[1] Set the Policy Type in the [SELINUXTYPE=***] line.
# the default is [targeted]

[root@dlp ~]#
cat /etc/selinux/config


# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# See also:
# https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes
#
# NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also
# fully disable SELinux during boot. If you need a system with SELinux
# fully disabled instead of SELinux running with no policy loaded, you
# need to pass selinux=0 to the kernel command line. You can use grubby
# to persistently set the bootloader to boot with selinux=0:
#
#    grubby --update-kernel ALL --args selinux=0
#
# To revert back to SELinux enabled:
#
#    grubby --update-kernel ALL --remove-args selinux
#
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

# for example, change to the [mls] Policy
# install the policy file first; don't forget it

[root@dlp ~]#
dnf -y install selinux-policy-mls
# the policy file is installed under the [mls] directory

[root@dlp ~]#
ll /etc/selinux

total 8
-rw-r--r--. 1 root root 1187 Nov 25 18:03 config
drwxr-xr-x. 6 root root  150 Mar 10 20:06 mls
-rw-r--r--. 1 root root 2668 Feb 15 05:45 semanage.conf
drwxr-xr-x. 5 root root  133 Mar 10 19:04 targeted

[root@dlp ~]#
vi /etc/selinux/config
# change [SELINUXTYPE]
# also change the SELINUX mode to [permissive] so that files can be re-labeled normally

.....
.....
SELINUX=permissive
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=mls

# enable re-labeling on the next boot and restart to apply the changes

[root@dlp ~]#
fixfiles -F onboot

System will relabel on next boot
[root@dlp ~]#
[root@dlp ~]#
sestatus

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mls
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     denied
Memory protection checking:     actual (secure)
Max kernel policy version:      33
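The steps above (install the policy package, edit [SELINUXTYPE], drop to [permissive], schedule a relabel) are easy to get wrong by hand, and the failure mode is an unbootable system. The following POSIX shell script is an added example, not part of the original page: it refuses to rewrite the config unless the policy directory for the new type exists under the SELinux root, and it switches [SELINUX=enforcing] to [permissive] at the same time. The config path and SELinux root are parameters so the script can be exercised against a constructed copy of the config; on a real host they would be [/etc/selinux/config] and [/etc/selinux].

```shell
#!/bin/sh
# Added example (not from the original page): switch SELINUXTYPE safely.
# A SELINUXTYPE whose policy directory is not installed prevents the system
# from starting, so the policy directory is checked before anything is written.

# current_type CONFIG_FILE -> prints the active SELINUXTYPE= value
current_type() {
    sed -n 's/^SELINUXTYPE=//p' "$1"
}

# current_mode CONFIG_FILE -> prints the active SELINUX= value
current_mode() {
    sed -n 's/^SELINUX=//p' "$1"
}

# switch_policy CONFIG_FILE SELINUX_ROOT NEW_TYPE
# Returns 1 and leaves CONFIG_FILE untouched when SELINUX_ROOT/NEW_TYPE
# does not exist (i.e. selinux-policy-NEW_TYPE is not installed).
switch_policy() {
    config="$1"; root="$2"; newtype="$3"
    if [ ! -d "$root/$newtype" ]; then
        echo "no policy directory $root/$newtype; install selinux-policy-$newtype first" >&2
        return 1
    fi
    tmp="$config.tmp.$$"
    # rewrite only the two active settings; commented lines are kept as they are
    sed -e "s/^SELINUXTYPE=.*/SELINUXTYPE=$newtype/" \
        -e "s/^SELINUX=enforcing/SELINUX=permissive/" \
        "$config" > "$tmp" && mv "$tmp" "$config"
    echo "config updated; finish with: fixfiles -F onboot && reboot"
}

# Demo against a constructed config in a temporary directory, never the live
# /etc/selinux. The directory layout imitates the 'll /etc/selinux' listing.
demo_dir=$(mktemp -d)
demo_cfg="$demo_dir/config"
printf 'SELINUX=enforcing\n# SELINUXTYPE= can take one of these values:\nSELINUXTYPE=targeted\n' > "$demo_cfg"
mkdir -p "$demo_dir/selinux/targeted"

# first attempt is refused: the mls policy directory does not exist yet
switch_policy "$demo_cfg" "$demo_dir/selinux" mls || echo "refused as expected, config unchanged"

# simulate 'dnf -y install selinux-policy-mls' creating /etc/selinux/mls
mkdir -p "$demo_dir/selinux/mls"
switch_policy "$demo_cfg" "$demo_dir/selinux" mls
echo "SELINUXTYPE is now $(current_type "$demo_cfg"), mode $(current_mode "$demo_cfg")"
```

The script deliberately prints the [fixfiles -F onboot] step instead of running it, so it can be reviewed before the relabel is scheduled; running it against the constructed config shows the refusal first and the successful rewrite second.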
[2] Two kinds of Policies are provided as RPM Packages, as shown in the examples in the Configuration file.

Policy     Description
Targeted   This Policy applies Access Controls to Processes that are frequent targets of attack. (Default)
MLS        Multilevel Security Policy. It implements the Bell-LaPadula (BLP) model and allows more complex controls to be applied.
