Manage System Security

How to change the SELinux mode

In this article I cover the following RHCSA exam objectives:

  • How to set enforcing mode for SELinux
  • How to set permissive mode for SELinux
  • How to disable SELinux

SELinux is included in the default installation of RHEL6: when you install RHEL6, SELinux is installed automatically and runs in enforcing mode. For the exam, however, you should know which rpm packages SELinux requires.

The following rpm packages are required for SELinux:

  • selinux
  • policycoreutils
  • setroubleshoot
  • selinux-policy-targeted
  • selinux-policy
  • libselinux
  • libselinux-python
  • libselinux-utils
  • policycoreutils-python
  • setroubleshoot-server
  • setroubleshoot-plugins

This article assumes that the packages above are installed. If they are not, install them first. Before going further, confirm that every required package is present with the rpm -qa | grep selinux, rpm -q policycoreutils, and rpm -qa | grep setroubleshoot commands:

rpm -qa | grep selinux
rpm -qa | grep policycoreutils
rpm -qa | grep setroubleshoot

[Screenshot: output of the rpm commands above listing the installed SELinux packages]

How to check whether SELinux is running

To determine the current status of SELinux, use the sestatus command:

[Screenshot: sestatus output showing "SELinux status: disabled"]

As suggested in the RHCSA objectives, you need to know how to “Set enforcing or permissive modes for SELinux.” There are three available modes for SELinux: enforcing, permissive, and disabled.

  • disabled: SELinux is turned off and does not restrict any action.
  • permissive: any SELinux security violation is only logged; the violating action is not stopped.
  • enforcing: any SELinux security violation is logged and stopped; any action that violates an SELinux rule is denied.

Configuring SELinux

You change the mode in which SELinux operates by editing its configuration file. The main configuration file is /etc/selinux/config.

[Screenshot: /etc/selinux/config with SELINUX=disabled]

Before SELinux is enabled, each file on the file system must be labeled with an SELinux context. Until that happens, confined domains may be denied access, which can prevent the system from booting correctly. To avoid this, configure SELINUX=permissive in /etc/selinux/config first.

Open the configuration file:

vi /etc/selinux/config

Set the mode to permissive and save the file.

[Screenshot: /etc/selinux/config with SELINUX=permissive]

Now reboot the system.

reboot

During the next boot, the file systems are labeled: the labeling process assigns an SELinux context to every file. In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied in enforcing mode.

After the reboot, verify that the system is in permissive mode:

[Screenshot: getenforce returns Permissive]

Before changing to enforcing mode, run the grep "SELinux is preventing" /var/log/messages command to confirm that SELinux did not deny any actions during the last boot:

grep "SELinux is preventing" /var/log/messages

If SELinux did not deny any actions during the last boot, this command returns no output.

If there were no denial messages in /var/log/messages, open the /etc/selinux/config file:

vi /etc/selinux/config

Configure SELINUX=enforcing in /etc/selinux/config:

[Screenshot: /etc/selinux/config with SELINUX=enforcing]

Reboot your system.

reboot

After the reboot, confirm that the getenforce command returns Enforcing:

[Screenshot: getenforce returns Enforcing]

or use the sestatus command:

sestatus
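The sequence above (permissive first, check the log for denials, then enforcing) can be scripted. The helpers below are an added example, not code from the original article: they read and rewrite the SELINUX= line of a config file and count "SELinux is preventing" messages, working on constructed samples of /etc/selinux/config and /var/log/messages so they run offline.

```shell
#!/bin/sh
# Added example, not from the original article: read/edit the SELINUX= line
# and count denials, to script the permissive -> check -> enforcing sequence.
# Constructed sample of /etc/selinux/config; note the commented SELINUX= lines
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=permissive
SELINUXTYPE=targeted'

# Constructed sample of /var/log/messages with one setroubleshoot denial
SAMPLE_LOG='Mar  1 10:00:01 rhel6 kernel: Initializing cgroup subsys cpuset
Mar  1 10:00:05 rhel6 setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the file index.html.
Mar  1 10:00:09 rhel6 dhclient[1234]: bound to 192.0.2.10 -- renewal in 3600 seconds.'

# Print the mode from the first uncommented SELINUX= line in config text $1.
config_mode() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*SELINUX=\([A-Za-z]*\).*/\1/p' | head -n 1
}

# Print config text $1 with SELINUX= set to mode $2; rejects unknown modes
# (e.g. the typo "disable"), which SELinux would otherwise silently ignore.
set_config_mode() {
    case "$2" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $2" >&2; return 1 ;;
    esac
    printf '%s\n' "$1" | sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$2/"
}

# Count "SELinux is preventing" lines in log text $1 (prints 0 when none).
count_denials() {
    printf '%s\n' "$1" | grep -c 'SELinux is preventing' || true
}

# The article's precondition for moving to enforcing: currently permissive
# (so the file systems were relabeled on the last boot) and no denials logged.
ready_for_enforcing() {
    [ "$(config_mode "$1")" = "permissive" ] && [ "$(count_denials "$2")" -eq 0 ]
}

# Demonstration on the constructed samples (one denial is present, so we stay put)
echo "configured mode: $(config_mode "$SAMPLE_CONFIG")"
echo "denials logged:  $(count_denials "$SAMPLE_LOG")"
if ready_for_enforcing "$SAMPLE_CONFIG" "$SAMPLE_LOG"; then
    set_config_mode "$SAMPLE_CONFIG" enforcing
else
    echo "denials present: stay permissive and resolve them before enforcing"
fi
```

On a real host, pass "$(cat /etc/selinux/config)" and "$(cat /var/log/messages)" instead of the samples and redirect the output of set_config_mode to a temporary file before replacing the config.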

Disabling SELinux is straightforward.

Open the configuration file:

vi /etc/selinux/config

Set SELINUX=disabled in the configuration file.

[Screenshot: /etc/selinux/config with SELINUX=disabled]

Reboot the system:

reboot

After the reboot, confirm the status:

[Screenshot: sestatus output showing "SELinux status: disabled"]

Written by Admin
