CentOS 6

SELinux : Policy Type
2016/07/26
 
If SELinux is in "Enforcing" or "Permissive" mode, you can choose the Policy Type, and you can modify the selected policy for your own environment if needed.
The Policy Type is set in the /etc/selinux/config file.
The default policy on CentOS 6 is the "targeted" policy.
However, before you change the Policy Type, the policy files for the new type must be installed. On CentOS 6 Minimal, only the "targeted" policy is installed by default.
If you switch to a policy whose policy files are not installed, the system will not start, so be careful.
[1] Set the Policy Type on the "SELINUXTYPE=***" line.
# default is "targeted"

[root@dlp ~]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted


# for example, change to the "minimum" policy

# install the policy files first; don't forget this step

[root@dlp ~]# yum -y install selinux-policy-minimum
# the policy files are installed under the "minimum" directory

[root@dlp ~]# ll /etc/selinux

total 24
-rw-r--r--. 1 root root  458 Jul 27 16:17 config
drwxr-xr-x. 6 root root 4096 Jul 27 17:36 minimum
-rw-r--r--. 1 root root  113 May 11 07:57 restorecond.conf
-rw-r--r--. 1 root root   76 May 11 07:57 restorecond_user.conf
-rw-r--r--. 1 root root 2271 Jul 24  2015 semanage.conf
drwxr-xr-x. 6 root root 4096 Jul 27 16:19 targeted

[root@dlp ~]# vi /etc/selinux/config
# change the "SELINUXTYPE" line

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.

SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=minimum

# restart to apply the change

[root@dlp ~]# reboot
[root@dlp ~]# sestatus

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        minimum     # just changed
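
A pre-reboot check for the warning above, as an added example (not part of the original page): it reads SELINUXTYPE from the config and confirms that a non-empty compiled policy file exists under /etc/selinux/<type>/policy/. The function names and the optional path arguments are assumptions made for this example, as is taking the last SELINUXTYPE= line when several are present.

```bash
#!/bin/bash
# Added example: verify that the policy named by SELINUXTYPE is installed
# before rebooting. Function names and arguments are hypothetical.

# Print the SELINUXTYPE value from the given config file.
# Commented lines are ignored; the last assignment is used (assumption).
selinux_type() {
    sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' "$1" \
        | tail -n 1
}

# Usage: check_policy_installed [config-file] [policy-root]
# Returns 0 if a compiled policy exists, 1 if it is missing,
# 2 if the config has no SELINUXTYPE= line.
check_policy_installed() {
    cp_conf=${1:-/etc/selinux/config}
    cp_root=${2:-/etc/selinux}
    cp_type=$(selinux_type "$cp_conf")

    if [ -z "$cp_type" ]; then
        echo "no SELINUXTYPE= line found in $cp_conf" >&2
        return 2
    fi

    # The loadable policy is the binary file policy/policy.<version>
    # (for example policy.24 on the system shown above).
    for cp_file in "$cp_root/$cp_type"/policy/policy.*; do
        if [ -s "$cp_file" ]; then
            echo "OK: $cp_type -> $cp_file"
            return 0
        fi
    done

    echo "MISSING: no compiled policy under $cp_root/$cp_type/policy" >&2
    echo "install selinux-policy-$cp_type before rebooting" >&2
    return 1
}

# Typical use after editing /etc/selinux/config:
#   check_policy_installed && reboot
```
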
[3] There are 3 kinds of policies provided as RPM packages, such as the examples in the configuration file.

Policy     Description
Targeted   This policy applies access controls to processes that are often targeted by attacks. (Default)
Minimum    The configuration files included in this policy are the same as in the "Targeted" policy, but fewer processes are targeted for access controls than in the "Targeted" policy.
MLS        Multilevel Security policy. It implements the Bell-LaPadula (BLP) model and makes it possible to apply more complex controls.

 