Manage System Security

How to change SELinux mode

In this article I cover the following RHCSA exam objectives:

  • How to set enforcing mode for SELinux
  • How to set permissive mode for SELinux
  • How to disable SELinux

SELinux is included in the default installation of RHEL6. When you install RHEL6, SELinux is installed automatically and runs in enforcing mode. For the exam, however, you should know which rpm packages are required for SELinux.

The following rpm packages are required for SELinux:

  • selinux
  • policycoreutils
  • setroubleshoot
  • selinux-policy-targeted
  • selinux-policy
  • libselinux
  • libselinux-python
  • libselinux-utils
  • policycoreutils-python
  • setroubleshoot-server
  • setroubleshoot-plugins

This article assumes that the above packages are installed. If they are not, install them first. Before going further, make sure all required packages are present: use the rpm -qa | grep selinux, rpm -q policycoreutils, and rpm -qa | grep setroubleshoot commands to confirm that the SELinux packages are installed.

rpm -qa | grep selinux
rpm -qa | grep policycoreutils
rpm -qa | grep setroubleshoot

[screenshot: rpm output listing the installed SELinux packages]

How to check that SELinux is running

To determine the current status of SELinux, use the sestatus command:

[screenshot: sestatus output showing SELinux status: disabled]

As suggested in the RHCSA objectives, you need to know how to “Set enforcing or permissive modes for SELinux.” There are three available modes for SELinux: enforcing, permissive, and disabled.

disabled: SELinux is turned off and does not restrict any action.
permissive: Any SELinux security violation is only logged; in permissive mode the violating action is not stopped.
enforcing: Any SELinux security violation is logged and the violating action is stopped. Any action that violates an SELinux rule is denied.

Configuring SELinux

You can change the mode in which SELinux operates by changing the config file. The main config file is /etc/selinux/config.

[screenshot: /etc/selinux/config with SELINUX=disabled]

Before SELinux is enabled, every file on the file system must be labeled with an SELinux context. Until that happens, confined domains may be denied access, which can prevent the system from booting correctly. To avoid this, first configure SELINUX=permissive in /etc/selinux/config.

Open the configuration file:

vi /etc/selinux/config

Set the mode to permissive and save the file:

[screenshot: /etc/selinux/config with SELINUX=permissive]

Now reboot the system.

reboot

During the next boot, file systems are labeled. The label process labels all files with a SELinux context. In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied if running in enforcing mode.

After the reboot, verify that the system is in permissive mode:

[screenshot: getenforce returns Permissive]

Before changing to enforcing mode, run the grep "SELinux is preventing" /var/log/messages command to confirm that SELinux did not deny any actions during the last boot.

[screenshot: output of grep "SELinux is preventing" /var/log/messages]

If SELinux did not deny any actions during the last boot, this command returns no output.

If there were no denial messages in /var/log/messages, open the /etc/selinux/config file:

vi /etc/selinux/config

Configure SELINUX=enforcing in /etc/selinux/config:

[screenshot: /etc/selinux/config with SELINUX=enforcing]

Reboot your system.

reboot

After reboot, confirm that the getenforce command returns Enforcing:

[screenshot: getenforce returns Enforcing]

or use the sestatus command:

sestatus
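The permissive-then-enforcing procedure above has two checks a practitioner wants scripted: what SELINUX= actually says in the config file, and whether any "SELinux is preventing" denials were logged. The following is an added example, not code from the original article; it reads a file in /etc/selinux/config format, counts denials in a messages-style log, and reports whether switching to enforcing is safe. The sample config and log lines are constructed here so it runs offline; on a real host you would pass /etc/selinux/config and /var/log/messages instead.

```shell
#!/bin/sh
# Added example, not from the original article. Reads the SELINUX= setting
# from a file in /etc/selinux/config format, counts "SELinux is preventing"
# denials in a messages-style log, and decides whether the switch to
# enforcing is safe. Sample files are constructed below so this runs
# offline; on a real host pass /etc/selinux/config and /var/log/messages.

# Print the effective SELINUX= value: comments are ignored and, as in the
# real file, the last assignment wins. Prints "unset" if there is none.
selinux_config_mode() {
    awk -F= '/^[[:space:]]*SELINUX[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); m = $2 }
             END { print (m == "" ? "unset" : m) }' "$1"
}

# Count denial lines like the article's grep, but always exit 0
# (grep -c exits 1 on a zero count, which would trip set -e).
selinux_denial_count() {
    awk '/SELinux is preventing/ { n++ } END { print n + 0 }' "$1"
}

# Print "ok" and return 0 only if the config is already permissive (so the
# relabel boot has happened) and the log holds no denials.
enforcing_readiness() {
    mode=$(selinux_config_mode "$1")
    denials=$(selinux_denial_count "$2")
    if [ "$mode" != permissive ]; then
        echo "config is $mode, expected permissive"; return 1
    elif [ "$denials" -gt 0 ]; then
        echo "$denials denial(s) logged, resolve them before enforcing"; return 1
    fi
    echo ok
}

# Constructed sample files (not captured from a real system).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CFG="$SAMPLE_DIR/config"
SAMPLE_LOG_CLEAN="$SAMPLE_DIR/messages.clean"
SAMPLE_LOG_DENY="$SAMPLE_DIR/messages.deny"
printf '%s\n' '# This file controls the state of SELinux on the system.' \
    '#SELINUX=disabled' 'SELINUX = permissive' 'SELINUXTYPE=targeted' > "$SAMPLE_CFG"
printf '%s\n' 'Mar  3 10:02:11 rhel6 kernel: SELinux:  Initializing.' > "$SAMPLE_LOG_CLEAN"
printf '%s\n' 'Mar  3 10:02:11 rhel6 kernel: SELinux:  Initializing.' \
    'Mar  3 10:05:40 rhel6 setroubleshoot: SELinux is preventing /usr/sbin/httpd "read" access on index.html.' > "$SAMPLE_LOG_DENY"

enforcing_readiness "$SAMPLE_CFG" "$SAMPLE_LOG_CLEAN"          # prints ok
enforcing_readiness "$SAMPLE_CFG" "$SAMPLE_LOG_DENY" || true  # prints the blocking reason
```

The config parser tolerates whitespace around the = and a commented-out #SELINUX=disabled line, both common in edited files.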

Disabling SELinux is straightforward.

Open the configuration file:

vi /etc/selinux/config

Change the mode to disabled in the configuration file:

[screenshot: /etc/selinux/config with SELINUX=disabled]

Reboot the system:

reboot

After the reboot, confirm the status:

[screenshot: sestatus output showing SELinux status: disabled]
