SELinux modes
SELinux adds an extra layer of security to the resources on a system. It provides mandatory access control (MAC), as opposed to discretionary access control (DAC). Before we look at setting SELinux modes, let us see what the different SELinux modes of operation are and how they work. SELinux can operate in any of these 3 modes :
1. Enforcing : Actions contrary to the policy are blocked and a corresponding event is logged in the audit log.
2. Permissive : Actions contrary to the policy are only logged in the audit log; they are not blocked.
3. Disabled : SELinux is disabled entirely.
Toggling the SELinux modes temporarily
To switch between the SELinux modes temporarily (until the next reboot) we can use the setenforce command as shown below :
# setenforce [ Enforcing | Permissive | 1 | 0 ]
0 -> Permissive
1 -> Enforcing
Or you can simply echo the value into the pseudo file /sys/fs/selinux/enforce (or /selinux/enforce on older systems) :
# echo [0|1] > /sys/fs/selinux/enforce
To check the current mode of SELinux :
# getenforce
Enforcing
Or we can use the sestatus command to get a detailed status :
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux        --> virtual FS similar to /proc
Current mode:                   enforcing       --> current mode of operation
Mode from config file:          permissive      --> mode set in the /etc/sysconfig/selinux file
Policy version:                 24
Policy from config file:        targeted
Changing SELinux modes permanently
Using the /etc/sysconfig/selinux file
One way of changing the SELinux mode permanently to either Enforcing or Permissive is to edit the /etc/sysconfig/selinux file and set the value of the SELINUX parameter to either enforcing or permissive.
# ls -l /etc/sysconfig/selinux
lrwxrwxrwx. 1 root root 17 Mar  2 13:03 /etc/sysconfig/selinux -> ../selinux/config
# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Edit this file and reboot the system for the change to take effect.
Using the kernel boot parameters
We can also set the SELinux mode from the kernel boot parameters. To do so, edit the /etc/grub.conf file and add the option “selinux=1 enforcing=[0|1]” to the kernel line.
# cat /etc/grub.conf
........
root (hd0,0)
kernel /vmlinuz-2.6.32-279.el6.x86_64 root=/dev/md3 selinux=1 enforcing=0
initrd /initramfs-2.6.32-279.el6.x86_64.img
.........
selinux=1 -> Enable SELinux
enforcing=0 -> Permissive mode
enforcing=1 -> Enforcing mode
Disabling SELinux
When you are not yet well acquainted with SELinux, it can be tempting to disable it; a better alternative is to set SELinux to Permissive mode, which logs denials without blocking anything. SELinux cannot be disabled without a reboot. To disable SELinux completely, edit the configuration file /etc/selinux/config (to which /etc/sysconfig/selinux is a soft link, as the ls output above shows) and set SELINUX=disabled.
# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Edit this file and reboot the system for the change to take effect.
Using Kernel boot parameters to disable SELinux
Another way of permanently disabling SELinux is through the kernel boot parameters. Edit the /etc/grub.conf file and add the selinux=0 option to the kernel line so that SELinux is disabled at boot. In this case the settings in /etc/sysconfig/selinux are ignored.
# cat /etc/grub.conf
........
root (hd0,0)
kernel /vmlinuz-2.6.32-279.el6.x86_64 root=/dev/md3 selinux=0
initrd /initramfs-2.6.32-279.el6.x86_64.img
.........
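The precedence between the config file and the kernel line described in the two sections above (selinux=0 overrides everything, enforcing=N overrides SELINUX=, otherwise the config file decides) is easy to get wrong when auditing a fleet. The following script is an added example, not part of the original article: it computes the boot-time mode from the two sources and flags drift against the running mode, so a temporary setenforce 0 left behind on a box configured enforcing gets noticed. The file paths and sample inputs at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original article. Works out which SELinux
# mode a system comes up in, using the precedence described above: selinux=0
# on the kernel line disables SELinux whatever the config file says,
# enforcing=0/1 on the kernel line overrides SELINUX= in the config file,
# and otherwise the config file decides.
# Usage: effective_mode <config-file> <cmdline-file>
#   on a live system: effective_mode /etc/selinux/config /proc/cmdline
effective_mode() {
    cmd=" $(cat "$2") "
    case "$cmd" in *" selinux=0 "*) echo disabled; return 0 ;; esac
    case "$cmd" in
        *" enforcing=0 "*) echo permissive; return 0 ;;
        *" enforcing=1 "*) echo enforcing;  return 0 ;;
    esac
    # Only uncommented SELINUX= lines count; the last one wins.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1)
    case "$mode" in
        enforcing|permissive|disabled) echo "$mode"; return 0 ;;
        *) echo unknown; return 1 ;;
    esac
}

# Compare the running mode (getenforce output) with the boot-time mode, so a
# "setenforce 0" left behind on an enforcing box shows up as drift.
check_drift() {
    running=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')   # Enforcing -> enforcing
    if [ "$running" = "$2" ]; then
        echo "ok: running=$running configured=$2"; return 0
    fi
    echo "DRIFT: running=$running configured=$2"; return 1
}

# Constructed sample inputs mirroring the files shown in the article.
tmp=$(mktemp -d)
cat > "$tmp/config" <<'EOF'
# SELINUX= can take one of these three values:
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
printf 'root=/dev/md3 selinux=1 enforcing=0\n' > "$tmp/cmd_perm"
printf 'root=/dev/md3 selinux=0\n'             > "$tmp/cmd_off"
printf 'root=/dev/md3 quiet\n'                 > "$tmp/cmd_plain"

effective_mode "$tmp/config" "$tmp/cmd_perm"    # permissive
effective_mode "$tmp/config" "$tmp/cmd_off"     # disabled
effective_mode "$tmp/config" "$tmp/cmd_plain"   # enforcing
check_drift Permissive "$(effective_mode "$tmp/config" "$tmp/cmd_plain")" || :
```

On a live system run check_drift "$(getenforce)" "$(effective_mode /etc/selinux/config /proc/cmdline)"; a non-zero exit means the running mode no longer matches what the box will boot into.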