SELinux : Operating Mode (2025/10/22)

This is the basic usage and configuration of SELinux (Security-Enhanced Linux). SELinux provides MAC (Mandatory Access Control) for various resources on openSUSE.

[1] Check the current status of SELinux as follows (the default mode is [Enforcing]).

# display current mode
dlp:~ # getenforce
Enforcing
# enforcing  ⇒ SELinux is enabled and the policy is enforced (default)
# permissive ⇒ the policy is not enforced; denials are only recorded in the audit log according to the policies
# disabled   ⇒ SELinux is disabled

# also possible to display with the command
dlp:~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

[2] The current mode can be switched between [permissive] ⇔ [enforcing] with the [setenforce] command. The change is not persistent: after the SUSE system is restarted, the mode defined in the configuration file is restored.

dlp:~ # getenforce
Enforcing
# switch to [Permissive] with [setenforce 0]
dlp:~ # setenforce 0
dlp:~ # getenforce
Permissive
# switch to [Enforcing] with [setenforce 1]
dlp:~ # setenforce 1
dlp:~ # getenforce
Enforcing

[3] To change the Operating Mode permanently, change the value in the configuration file.

dlp:~ # vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELinux can be completly disabled with the "selinux=0" kernel
# commandline option.
#
# SELINUX= can take one of these two values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
# Previously SELinux could be disabled by changing the value to
# 'disabled'. This is deprecated and should not be used anymore.
# If you want to disable linux add 'selinux=0' to the kernel
# command line. For details see
# https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable

# set the value you'd like to use
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
SELINUXTYPE=targeted

# restart to apply the change
dlp:~ #

[4] To disable SELinux, set the kernel parameter that disables it.

dlp:~ # vi /etc/default/grub
# line 11 : change to [selinux=0]
GRUB_CMDLINE_LINUX_DEFAULT="mitigations=auto quiet security=selinux selinux=0"

# apply changes
dlp:~ # grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found theme: /boot/grub2/themes/openSUSE/theme.txt
Found linux image: /boot/vmlinuz-6.12.0-160000.5-default
Found initrd image: /boot/initrd-6.12.0-160000.5-default
Warning: os-prober will be executed to detect other bootable partitions.
Its output will be used to detect bootable binaries on them and create new boot entries.
37.452022 | DM multipath kernel driver not loaded
Adding boot menu entry for UEFI Firmware Settings ...
done

# restart to enable the new setting
dlp:~ #

[5] If you change the Operating Mode from [Disabled] to [Enforcing/Permissive], the filesystem needs to be re-labeled with SELinux contexts: files and directories created while SELinux was [Disabled] were never labeled, so they must be labeled as well.

# run the command, then re-labeling will run on the next boot
dlp:~ # fixfiles -F onboot
System will relabel on next boot
# the file is created by the command above
dlp:~ # ll /.autorelabel
-rw-r--r--. 1 root root 3 Oct 22 08:45 /.autorelabel
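The mode is set in three places that steps [1] to [4] touch separately (the running mode from getenforce, SELINUX= in /etc/selinux/config, and selinux=0 on the kernel command line), so a host can drift into permissive or disabled without anyone noticing. The check below ties them together; it is an added example, not code from the original page, and the function names selinux_drift and config_mode and the sample inputs are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original page): report whether the running
# SELinux mode, /etc/selinux/config and the kernel command line agree.
# Inputs are passed as strings so the check also runs on constructed samples.

# Extract the effective SELINUX= value from config file text; comment lines
# are ignored and the last real assignment wins (SELINUXTYPE= does not match).
config_mode() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' | tail -n 1
}

# selinux_drift RUNNING_MODE CONFIG_TEXT KERNEL_CMDLINE
# Prints exactly one word and returns 0 only for "ok":
#   kernel-disabled | runtime-disabled | runtime-permissive | config-not-enforcing | ok
selinux_drift() {
    running=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    cfg=$(config_mode "$2")
    case " $3 " in
        *" selinux=0 "*) echo kernel-disabled; return 1 ;;   # step [4] was applied
    esac
    if [ "$running" = disabled ]; then
        echo runtime-disabled; return 1
    elif [ "$running" != enforcing ]; then
        echo runtime-permissive; return 1                   # e.g. after setenforce 0
    elif [ "$cfg" != enforcing ]; then
        echo config-not-enforcing; return 1                 # will be permissive after reboot
    fi
    echo ok
}

# On a live openSUSE host the call would be:
#   selinux_drift "$(getenforce)" "$(cat /etc/selinux/config)" "$(cat /proc/cmdline)"

# Constructed samples modelled on the files shown in steps [3] and [4].
CFG_ENFORCING='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'
CFG_PERMISSIVE='SELINUX=permissive
SELINUXTYPE=targeted'
CMDLINE_ON='BOOT_IMAGE=/boot/vmlinuz mitigations=auto quiet security=selinux selinux=1'
CMDLINE_OFF='BOOT_IMAGE=/boot/vmlinuz mitigations=auto quiet security=selinux selinux=0'

printf 'healthy host:          %s\n' "$(selinux_drift Enforcing "$CFG_ENFORCING" "$CMDLINE_ON")"
printf 'after setenforce 0:    %s\n' "$(selinux_drift Permissive "$CFG_ENFORCING" "$CMDLINE_ON")"
printf 'config set permissive: %s\n' "$(selinux_drift Enforcing "$CFG_PERMISSIVE" "$CMDLINE_ON")"
printf 'booted with selinux=0: %s\n' "$(selinux_drift Disabled "$CFG_ENFORCING" "$CMDLINE_OFF")"
```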