SELinux : Policy Type
2016/07/26 |
If SELinux is in "Enforcing/Permissive", it's possible to choose Policy Type.
You can modify the selected policy for your own environment if you need.
It's possible to set Policy Type in /etc/selinux/config file.
CentOS 6 Default Policy is "targeted" Policy.
However, if you change the Policy Type, it needs to install Policy File.
For CentOS 6 Minimal, only "targeted" Policy is installed by default.
If you change to a Policy without installing Policy File, System will not start, so Be Careful.
|
|
[1] | Set Policy Type on "SELINUXTYPE=***" section. |
# default is "targeted" [root@dlp ~]# cat /etc/selinux/config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=enforcing # SELINUXTYPE= can take one of these two values: # targeted - Targeted processes are protected, # mls - Multi Level Security protection. SELINUXTYPE=targeted # for example, change to "minimum" Policy # install Policy File first, don't forget it [root@dlp ~]# yum -y install selinux-policy-minimum # Policy File is installed under "minimum" directory [root@dlp ~]# ll /etc/selinux total 24 -rw-r--r--. 1 root root 458 Jul 27 16:17 config drwxr-xr-x. 6 root root 4096 Jul 27 17:36 minimum -rw-r--r--. 1 root root 113 May 11 07:57 restorecond.conf -rw-r--r--. 1 root root 76 May 11 07:57 restorecond_user.conf -rw-r--r--. 1 root root 2271 Jul 24 2015 semanage.conf drwxr-xr-x. 6 root root 4096 Jul 27 16:19 targeted
[root@dlp ~]#
vi /etc/selinux/config # change "SELINUXTYPE" section
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=minimum
[root@dlp ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: minimum # just changed
|
[3] | There are 3 kinds of Policies provided with RPM Package such as examples in Configuration file.
|