SELinux : Operating Mode
This is the Basic Usage and Configuration for SELinux (Security-Enhanced Linux).
It's possible to use MAC (Mandatory Access Control) feature on CentOS for various resources by SELinux.
[1]. Confirm the current status of SELinux like follows. (default mode is [Enforcing])
# display current mode
[root@dlp ~]# getenforce
Enforcing
# enforcing ⇒ SELinux is enabled (default)
# permissive ⇒ MAC is not enabled, but only records audit logs according to Policies
# disabled ⇒ SELinux is disabled
# also possible to display with the command ([Current mode] line)
[root@dlp ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
[2]. It's possible to switch current mode between [permissive] ⇔ [enforcing] with [setenforce] command.
But if CentOS System is restarted, the mode returns to default.
[root@dlp ~]# getenforce
Enforcing
# switch to [Permissive] with [setenforce 0]
[root@dlp ~]# setenforce 0
[root@dlp ~]# getenforce
Permissive
# switch to [Enforcing] with [setenforce 1]
[root@dlp ~]# setenforce 1
[root@dlp ~]# getenforce
Enforcing
[3]. If you'd like to change Operating Mode permanently, change value in Configuration file.
[root@dlp ~]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
# change value you'd like to set
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
# restart to apply change
[root@dlp ~]# reboot
[4]. If you change the Operating Mode from [Disabled] to [Enforcing/Permissive], it needs to re-label filesystem with SELinux Contexts. Because when some files or directories are created in [Disabled] mode, they are not labeled with SELinux Contexts, it needs to label to them, too.
# set re-labeling like follows, then it will be set on next system booting
[root@dlp ~]# touch /.autorelabel
[root@dlp ~]# reboot
Comments
Post a Comment