
SELinux : Policy Type
2021/07/22

If SELinux is in [Enforcing] or [Permissive] mode, you can choose the Policy Type.
You can modify the selected policy for your own environment if needed.
The Policy Type is set in the [/etc/selinux/config] file.
The default policy on Rocky Linux 8 is the [targeted] policy.
To change the Policy Type, the policy file for the new type must be installed.
On Rocky Linux 8 Minimal, only the [targeted] policy is installed by default.
If you change to a policy whose policy file is not installed, the system will not start, so be careful.
[1] Set the Policy Type on the [SELINUXTYPE=***] line.
# default is [targeted]

[root@dlp ~]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

# for example, change to the [minimum] policy

# install the policy file first, don't forget it

[root@dlp ~]# dnf -y install selinux-policy-minimum
# the policy file is installed under the [minimum] directory

[root@dlp ~]# ll /etc/selinux

total 8
-rw-r--r--. 1 root root  548 Jul 16 09:10 config
drwxr-xr-x. 5 root root  133 Jul 22 10:28 minimum
-rw-r--r--. 1 root root 2647 May 19 11:45 semanage.conf
drwxr-xr-x. 5 root root  133 Jul 22 10:26 targeted

[root@dlp ~]# vi /etc/selinux/config
# change [SELINUXTYPE]

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=minimum

# schedule relabeling and restart to apply the change

[root@dlp ~]# touch /.autorelabel

[root@dlp ~]# reboot
[root@dlp ~]# sestatus

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             minimum
Current mode:                   enforcing
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
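
The warning above (a SELINUXTYPE with no installed policy file leaves the system unable to start) can be checked before the reboot. The following is an added example, not part of the original page: it reads SELINUXTYPE from the config file and confirms that a binary policy exists under /etc/selinux/<type>/policy/. The function names, the optional ROOT argument and the return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-reboot check that SELINUXTYPE points at an installed policy.
# Usage: check_selinuxtype [ROOT]
#   ROOT defaults to "" (the live system); a non-empty ROOT lets the check
#   run against a test tree or the mounted root of an offline image.
# Return codes (chosen for this example): 0 ok, 1 policy missing, 2 config problem.

selinuxtype_from_config() {
    # Print the value of the last uncommented SELINUXTYPE= line in file $1.
    sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" \
        | tail -n 1
}

check_selinuxtype() {
    root="${1:-}"
    conf="$root/etc/selinux/config"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    ptype=$(selinuxtype_from_config "$conf")
    [ -n "$ptype" ] || { echo "no SELINUXTYPE= line in $conf" >&2; return 2; }

    # The binary policy loaded at boot is stored as
    # /etc/selinux/<type>/policy/policy.<version>; require a non-empty one.
    # If the glob matches nothing, $f stays the literal pattern and -s fails.
    for f in "$root/etc/selinux/$ptype/policy/policy."*; do
        if [ -s "$f" ]; then
            echo "ok: SELINUXTYPE=$ptype, policy file $f"
            return 0
        fi
    done

    echo "SELINUXTYPE=$ptype but no policy file under $root/etc/selinux/$ptype;" \
         "install selinux-policy-$ptype before rebooting" >&2
    return 1
}
```

Source the file and run check_selinuxtype after editing the config and before creating /.autorelabel; a non-zero return means the reboot should wait.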
[2] Three kinds of policies are provided as RPM packages, matching the examples in the configuration file.

Policy     Description
Targeted   Applies access controls to processes that are often targeted by attacks. (Default)
Minimum    The included configuration files are the same as in the [Targeted] policy, but fewer processes are targeted for access controls than in the [Targeted] policy.
MLS        Multilevel Security policy. It implements the Bell-LaPadula (BLP) model and makes it possible to apply more complex controls.
