SELinux : Operating Mode

 This is the Basic Usage and Configuration for SELinux (Security-Enhanced Linux).

It's possible to use MAC (Mandatory Access Control) feature on CentOS for various resources by SELinux.

[1]. Confirm the current status of SELinux like follows. (default mode is [Enforcing])

# display current mode

[root@dlp ~]# getenforce

Enforcing

# enforcing   ⇒  SELinux is enabled (default)

# permissive  ⇒  MAC is not enabled, but only records audit logs according to Policies

# disabled    ⇒  SELinux is disabled


# also possible to display with the command ([Current mode] line)

[root@dlp ~]# sestatus

SELinux status:                 enabled

SELinuxfs mount:                /sys/fs/selinux

SELinux root directory:         /etc/selinux

Loaded policy name:             targeted

Current mode:                   enforcing

Mode from config file:          enforcing

Policy MLS status:              enabled

Policy deny_unknown status:     allowed

Memory protection checking:     actual (secure)

Max kernel policy version:      31

[2]. It's possible to switch current mode between [permissive] ⇔ [enforcing] with [setenforce] command.

But if CentOS System is restarted, the mode returns to default.

[root@dlp ~]# getenforce

Enforcing

# switch to [Permissive] with [setenforce 0]

[root@dlp ~]# setenforce 0

[root@dlp ~]# getenforce

Permissive

# switch to [Enforcing] with [setenforce 1]

[root@dlp ~]# setenforce 1

[root@dlp ~]# getenforce

Enforcing

[3]. If you'd like to change Operating Mode permanently, change value in Configuration file.

[root@dlp ~]# vi /etc/selinux/config

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

#     enforcing - SELinux security policy is enforced.

#     permissive - SELinux prints warnings instead of enforcing.

#     disabled - No SELinux policy is loaded.

# change value you'd like to set

SELINUX=enforcing

# SELINUXTYPE= can take one of these three values:

#     targeted - Targeted processes are protected,

#     minimum - Modification of targeted policy. Only selected processes are protected.

#     mls - Multi Level Security protection.

SELINUXTYPE=targeted


# restart to apply change

[root@dlp ~]# reboot

[4]. If you change the Operating Mode from [Disabled] to [Enforcing/Permissive], it needs to re-label filesystem with SELinux Contexts. Because when some files or directories are created in [Disabled] mode, they are not labeled with SELinux Contexts, it needs to label to them, too.

# set re-labeling like follows, then it will be set on next system booting

[root@dlp ~]# touch /.autorelabel

[root@dlp ~]# reboot

Comments

Popular posts from this blog

Java : Variables Declaring

SQL Self JOIN