Rocky_Linux_8
Sponsored Link

SELinux : Operating Mode2021/07/22

 
This is the Basic Usage and Configuration for SELinux (Security-Enhanced Linux).
It's possible to use MAC (Mandatory Access Control) feature on Rocky Linux for various resources by SELinux.
[1] Confirm the current status of SELinux like follows. (default mode is [Enforcing])
# display current mode

[root@dlp ~]#
getenforce

Enforcing
# enforcing   ⇒  SELinux is enabled (default)
# permissive  ⇒  MAC is not enabled, but only records audit logs according to Policies
# disabled    ⇒  SELinux is disabled

# also possible to display with the command ([Current mode] line)

[root@dlp ~]#
sestatus

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
[2] It's possible to switch current mode between [permissive] ⇔ [enforcing] with [setenforce] command.
But if Rocky Linux is restarted, the mode returns to default.
[root@dlp ~]#
getenforce

Enforcing
# switch to [Permissive] with [setenforce 0]

[root@dlp ~]#
setenforce 0

[root@dlp ~]#
getenforce

Permissive
# switch to [Enforcing] with [setenforce 1]

[root@dlp ~]#
setenforce 1

[root@dlp ~]#
getenforce

Enforcing
[3] If you'd like to change Operating Mode permanently, change value in Configuration file.
[root@dlp ~]#
vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# change value you'd like to set
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

# restart to apply change

[root@dlp ~]#
[4] If you change the Operating Mode from [Disabled] to [Enforcing/Permissive], it needs to re-label the filesystem with SELinux Contexts. Because when some files or directories are created in [Disabled] mode, they are not labeled with SELinux Contexts, it needs to label to them, too.
# set re-labeling like follows, then it will be set on next system booting

[root@dlp ~]#
touch /.autorelabel

[root@dlp ~]#
Matched Content