SELinux : Policy Type2022/03/11
If SELinux is in [Enforcing/Permissive], it's possible to choose Policy Type. You can modify the selected policy for your own environment if you need.
It's possible to set Policy Type in [/etc/selinux/config] file.
CentOS Stream 9 Default Policy is [targeted] Policy.
However, if you change the Policy Type, it needs to install Policy File.
For CentOS Stream 9 Minimal, only [targeted] Policy is installed by default.
If you change to a Policy without installing Policy File, System will not start, so Be Careful well.
|||Set Policy Type on [SELINUXTYPE=***] section.|
# default is [targeted]
# This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. # See also: # https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes # # NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also # fully disable SELinux during boot. If you need a system with SELinux # fully disabled instead of SELinux running with no policy loaded, you # need to pass selinux=0 to the kernel command line. You can use grubby # to persistently set the bootloader to boot with selinux=0: # # grubby --update-kernel ALL --args selinux=0 # # To revert back to SELinux enabled: # # grubby --update-kernel ALL --remove-args selinux # SELINUX=enforcing # SELINUXTYPE= can take one of these three values: # targeted - Targeted processes are protected, # mls - Multi Level Security protection. SELINUXTYPE=targeted
# for example, change to [mls] Policy
# install policy file first, don't forget it
dnf -y install selinux-policy-mls
# policy file is installed under [minimum] directory
total 8 -rw-r--r--. 1 root root 1187 Nov 25 18:03 config drwxr-xr-x. 6 root root 150 Mar 10 20:06 mls -rw-r--r--. 1 root root 2668 Feb 15 05:45 semanage.conf drwxr-xr-x. 5 root root 133 Mar 10 19:04 targeted
# change [SELINUXTYPE]
# change SELINUX mode to [permissive], too. to re-label files normally
..... ..... SELINUX=permissive # SELINUXTYPE= can take one of these three values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are proo tected. # mls - Multi Level Security protection. SELINUXTYPE=mls
# set re-labeling and restart to apply changes
fixfiles -F onboot
System will relabel on next boot
SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: mls Current mode: permissive Mode from config file: permissive Policy MLS status: enabled Policy deny_unknown status: denied Memory protection checking: actual (secure) Max kernel policy version: 33
There are 2 kinds of Policies provided with RPM Package such as examples in Configuration file.