Manage System Security

This article explains, with examples, how to set SELinux to enforcing mode and to permissive mode, and how to disable SELinux.

SELinux is included in the default installation of RHEL6. When you install RHEL6, SELinux is automatically installed in enforcing mode. For the exam, however, you should know which rpm packages SELinux requires.

SELinux requires the following rpm packages:

  • selinux
  • policycoreutils
  • setroubleshoot
  • selinux-policy-targeted
  • selinux-policy
  • libselinux
  • libselinux-python
  • libselinux-utils
  • policycoreutils-python
  • setroubleshoot-server
  • setroubleshoot-plugins

This article assumes that the above packages are installed. If they are not, install them before going further. Use the rpm -qa | grep selinux, rpm -q policycoreutils, and rpm -qa | grep setroubleshoot commands to confirm that the SELinux packages are installed.

rpm -qa | grep selinux
rpm -qa | grep policycoreutils
rpm -qa | grep setroubleshoot

How to check that SELinux is running

To determine the current status of SELinux, use the sestatus command:

sestatus

As suggested in the RHCSA objectives, you need to know how to “Set enforcing or permissive modes for SELinux.” There are three available modes for SELinux: enforcing, permissive, and disabled.

  • disabled: SELinux is turned off and does not restrict any action.
  • permissive: In permissive mode any SELinux security violation is only logged; the violation itself is not stopped.
  • enforcing: In enforcing mode any SELinux security violation is logged and the service is stopped. Any action that violates an SELinux rule is denied.

Configuring SELinux

You can change the mode in which SELinux operates by changing the config file. The main config file is /etc/selinux/config.

Before SELinux is enabled, each file on the file system must be labeled with a SELinux context. Before this happens, confined domains may be denied access, preventing your system from booting correctly. To prevent this, configure SELINUX=permissive in /etc/selinux/config.

Open the configuration file:

vi /etc/selinux/config

Set the mode to permissive and save the file.

Now reboot the system.

reboot

During the next boot, file systems are labeled. The label process labels all files with a SELinux context. In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied if running in enforcing mode.

After the reboot, verify that the system is in permissive mode:

getenforce

Before changing to enforcing mode, run the grep "SELinux is preventing" /var/log/messages command to confirm that SELinux did not deny actions during the last boot.

If SELinux did not deny actions during the last boot, this command does not return any output.

If there were no denial messages in /var/log/messages, open the /etc/selinux/config file:

vi /etc/selinux/config

Configure SELINUX=enforcing in /etc/selinux/config.

Reboot your system.

reboot

After reboot, confirm that the getenforce command returns Enforcing:

getenforce

Alternatively, you could use the sestatus command.
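
The permissive-then-enforcing procedure above can be gated by a small script that refuses to switch while denials are still being logged. This is an added example, not part of the original article; the function names are hypothetical, and the demo runs on constructed sample files rather than the real /etc/selinux/config and /var/log/messages.

```shell
#!/bin/sh
# Added example: gate the permissive -> enforcing switch on a clean log.
# Function names are hypothetical; default paths are the ones in the article.

# Print the mode on the active SELINUX= line (comments and SELINUXTYPE= are skipped).
configured_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "${1:-/etc/selinux/config}" | tail -n 1
}

# Count "SELinux is preventing" lines; an unreadable log is reported as -1.
denial_count() {
    log=${1:-/var/log/messages}
    [ -r "$log" ] || { echo -1; return 0; }
    grep -c "SELinux is preventing" "$log" || true
}

# Rewrite the SELINUX= line in place, keeping the file's inode and label.
set_mode() {
    cfg=$1; new=$2
    case $new in enforcing|permissive|disabled) ;; *) return 2 ;; esac
    tmp=$(mktemp) || return 1
    sed "s/^SELINUX=.*/SELINUX=$new/" "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
    rc=$?; rm -f "$tmp"; return $rc
}

# Switch to enforcing only from permissive (else 3) and only with a clean,
# readable log (else 1). A reboot is still needed for the change to apply.
promote_to_enforcing() {
    cfg=$1; log=$2
    [ "$(configured_mode "$cfg")" = permissive ] || return 3
    [ "$(denial_count "$log")" -eq 0 ] || return 1
    set_mode "$cfg" enforcing
}

# Demo on constructed sample files (not real system files).
demo() {
    d=$(mktemp -d) || return 1
    printf '# SELINUX= can take one of three values\nSELINUX=permissive\nSELINUXTYPE=targeted\n' > "$d/config"
    printf 'Jan 1 00:00:01 host setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access. (constructed)\n' > "$d/messages"
    if promote_to_enforcing "$d/config" "$d/messages"; then echo "switched to enforcing"
    else echo "kept $(configured_mode "$d/config"): resolve logged denials first"; fi
    rm -rf "$d"
}
demo
```

On a real system, call promote_to_enforcing /etc/selinux/config /var/log/messages as root after the permissive boot, then reboot.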


Disabling SELinux is straightforward.

Open the configuration file:

vi /etc/selinux/config

Change the mode to disabled in the configuration file.

Reboot the system:

reboot

After the reboot, confirm the status:

sestatus