Set enforcing and permissive modes for SELinux

SELinux modes

SELinux gives that extra layer of security to the resources in the system. It provides the MAC (mandatory access control) as contrary to the DAC (Discretionary access control). Before we dive into setting the SELinux modes, let us see what are the different SELinux modes of operation and how do they work. SELinux can operate in any of the 3 modes :
1. Enforced : Actions contrary to the policy are blocked and a corresponding event is logged in the audit log.
2. Permissive : Actions contrary to the policy are only logged in the audit log.
3. Disabled : The SELinux is disabled entirely.

Configuration file

SELinux configuration file /etc/selinux/config :
# cat  /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.

Toggling SELinux modes (Temporarily)

To switch between the SELinux modes temporarily we can use the setenforce command as shown below :
# setenforce [ Enforcing | Permissive | 1 | 0 ]
0 –> Permissive
1 –> Enforcing
Verify the current mode of SELinux :
# getenforce
or we can also use the sestatus command to get a detailed status :
# sestatus
SELinux status:                 enabled         
SELinuxfs mount:                /selinux        --> virtual FS similar to /proc
Current mode:                   enforcing       --> current mode of operation 
Mode from config file:          permissive      --> mode set in the /etc/sysconfig/selinux file.
Policy version:                 24
Policy from config file:        targeted

Toggling SELinux modes (Permanently) [reboot require]

SELinux mode can be set permanently using either of below methods :
1. editing /etc/selinux/config file
2. editing kernel boot options

1. editing /etc/selinux/config file

to set SELinux to permissive, set the below line in the file /etc/selinux/config to :
vi /etc/selinux/config
Similarly the mode can be set to enforcing/disable by setting the mode in the same line.

2. editing kernel boot options

Edit the kernel boot line and append enforcing=0 to the kernel boot options. For example:
title Red Hat Enterprise Linux AS (2.6.9-42.ELsmp)
root (hd0,0)
kernel /vmlinuz-2.6.9-42.ELsmp ro root=LABEL=/ rhgb quiet enforcing=0
initrd /initrd-2.6.9-42.ELsmp.img
Reboot the server.
# shutdown -r now

Forcing reboot on changing mode

We can force a reboot on changing the selinux mode :

# setsebool secure_mode_policyload on


Post a Comment