SELinux : Operating Mode
2016/07/26
These are the basic operations and configuration steps for the operating mode of SELinux (Security-Enhanced Linux).
SELinux makes it possible to apply MAC (Mandatory Access Control) to various resources on CentOS.
[1] Confirm the current status of SELinux as follows. (The default mode is "Enforcing".)

# display the current mode
[root@dlp ~]# getenforce
Enforcing
# enforcing  ⇒ SELinux is enabled and the policy is enforced (default)
# permissive ⇒ MAC is not enforced; SELinux only records denials in the audit log according to the policy
# disabled   ⇒ SELinux is disabled
# it is also possible to display the mode with the sestatus command ("Current mode" line)
[root@dlp ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
[2] It is possible to switch the current mode between Permissive and Enforcing with the setenforce command, but the mode returns to the configured default when the system is restarted.

[root@dlp ~]# getenforce
Enforcing
# switch to "Permissive" with "setenforce 0"
[root@dlp ~]# setenforce 0
[root@dlp ~]# getenforce
Permissive
# switch to "Enforcing" with "setenforce 1"
[root@dlp ~]# setenforce 1
[root@dlp ~]# getenforce
Enforcing
[3] If you'd like to change the operating mode permanently, change the value in the configuration file.

[root@dlp ~]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# set the value you'd like to use
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
# restart the system to apply the change
[root@dlp ~]# reboot
[4] If you change the operating mode from "Disabled" to "Enforcing" or "Permissive", the filesystem needs to be re-labeled with SELinux contexts. Files and directories created while SELinux was in "Disabled" mode carry no SELinux context, so they have to be labeled as well.

# request re-labeling as follows; it will be performed on the next system restart
[root@dlp ~]# touch /.autorelabel
[root@dlp ~]# reboot
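As an added example that is not part of the original page, the following POSIX shell helpers capture the checks behind steps [2] to [4]: reading SELINUX= from the config file, reporting when the running mode printed by getenforce differs from the configured one (as it does after setenforce, or after editing the file but before rebooting), and deciding whether a switch away from "disabled" requires /.autorelabel. The function names are assumptions and the sample config is constructed; the running mode is passed in as an argument so the script also runs on hosts without SELinux.

```shell
#!/bin/sh
# Added example: helper functions for the SELinux mode checks described above.
# Function names are assumptions; the sample config at the bottom is constructed.

# Print the SELINUX= value from a config file (lowercased), ignoring
# commented-out lines; print "unknown" if the key is not set at all.
config_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
           | tail -n 1 | tr 'A-Z' 'a-z')
    if [ -n "$mode" ]; then printf '%s\n' "$mode"; else printf 'unknown\n'; fi
}

# Return 0 (true) only when moving from "disabled" to enforcing/permissive,
# i.e. when /.autorelabel must be created before the reboot (step [4]).
relabel_needed() {
    from=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    to=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$from:$to" in
        disabled:enforcing|disabled:permissive) return 0 ;;
        *) return 1 ;;
    esac
}

# Compare the running mode ($1, as printed by getenforce) with the mode
# configured in file $2. Returns 0 when they agree, 1 on drift, which is
# what you see after "setenforce 0" or before the reboot that applies step [3].
check_drift() {
    running=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    configured=$(config_mode "$2")
    if [ "$running" = "$configured" ]; then
        printf 'ok: running=%s configured=%s\n' "$running" "$configured"
        return 0
    fi
    printf 'drift: running=%s configured=%s\n' "$running" "$configured"
    return 1
}

# Demonstration with a constructed config (not a real /etc/selinux/config).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
if ! check_drift "Permissive" "$SAMPLE_CFG"; then
    echo "running mode was changed with setenforce; it reverts to the configured mode on reboot"
fi
if relabel_needed "disabled" "$(config_mode "$SAMPLE_CFG")"; then
    echo "switching from disabled: touch /.autorelabel before rebooting"
fi
rm -f "$SAMPLE_CFG"
```

On a real host, replace the first argument of check_drift with "$(getenforce)" and the second with /etc/selinux/config.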