Procedure 10.24. Enabling SELinux MLS Policy
1. Install the selinux-policy-mls package:

   ~]# yum install selinux-policy-mls

2. Configure SELINUX=permissive in the /etc/selinux/config file, so that denials raised while files still carry their old labels are only logged and cannot prevent the system from booting. Also, enable the MLS policy by configuring SELINUXTYPE=mls. Your configuration file should look like this:

   # This file controls the state of SELinux on the system.
   # SELINUX= can take one of these three values:
   #     enforcing - SELinux security policy is enforced.
   #     permissive - SELinux prints warnings instead of enforcing.
   #     disabled - No SELinux policy is loaded.
   SELINUX=permissive
   # SELINUXTYPE= can take one of these two values:
   #     targeted - Targeted processes are protected,
   #     mls - Multi Level Security protection.
   SELINUXTYPE=mls

3. Make sure SELinux is running in permissive mode:

   ~]# setenforce 0
   ~]$ getenforce
   Permissive

4. Create the .autorelabel file in the root directory to ensure that files are relabeled upon the next reboot:

   ~]# touch /.autorelabel

   It is also necessary to add the -F option (force relabel) to this file. This can be done by executing the following command:

   ~]# echo "-F" >> /.autorelabel

5. Reboot the system. During the next boot, all files are relabeled according to the MLS policy:

   *** Warning -- SELinux mls policy relabel is required.
   *** Relabeling could take a very long time, depending on file
   *** system size and speed of hard drives.
   ***********

   Each * (asterisk) character on the bottom line represents 1000 files that have been labeled. In the above example, eleven * characters represent 11000 files which have been labeled. The time it takes to label all files depends upon the number of files on the system and the speed of the hard disk drives. On modern systems, this process can take as little as 10 minutes. Once the labeling process finishes, the system automatically reboots.

6. In permissive mode, SELinux does not enforce the policy but still logs the actions it would have denied. Before switching to enforcing mode, confirm that no denials were logged during the last boot:

   ~]# grep "SELinux is preventing" /var/log/messages

   If SELinux denied nothing, this command returns no output.

7. If there were no denial messages in the /var/log/messages file, or you have resolved all existing denials, configure SELINUX=enforcing in the /etc/selinux/config file:

   # This file controls the state of SELinux on the system.
   # SELINUX= can take one of these three values:
   #     enforcing - SELinux security policy is enforced.
   #     permissive - SELinux prints warnings instead of enforcing.
   #     disabled - No SELinux policy is loaded.
   SELINUX=enforcing
   # SELINUXTYPE= can take one of these two values:
   #     targeted - Targeted processes are protected,
   #     mls - Multi Level Security protection.
   SELINUXTYPE=mls

8. Reboot the system and make sure SELinux is running in enforcing mode:

   ~]$ getenforce
   Enforcing

   and that the MLS policy is the one loaded:

   ~]# sestatus |grep mls
   Policy from config file: mls
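As an added example that is not part of the Red Hat guide, the following POSIX shell script packages the checks an administrator would want before setting SELINUX=enforcing: it reads the effective SELINUX and SELINUXTYPE values from a config file (ignoring the comment lines), verifies that the autorelabel flag file actually carries -F rather than being merely touched, and counts the "SELinux is preventing" messages the procedure greps for. File paths are parameters, so the script runs here against constructed sample files in a temporary directory, not the live system.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: verify the three artifacts the
# procedure above edits (selinux config, /.autorelabel flag file, denial log).
# Paths are parameters, so the checks run here against constructed sample
# files in a temporary directory instead of the live system.

# Effective value of KEY ($1) in an /etc/selinux/config-style file ($2):
# comment lines are ignored and, if the key is set twice, the last one wins.
selinux_cfg_value() {
  sed -n "s/^[[:space:]]*$1=\([A-Za-z]*\).*/\1/p" "$2" | tail -n 1
}

# Succeed only if config $1 requests mode $2 (permissive|enforcing) and
# policy type $3 (for this procedure: mls).
check_selinux_config() {
  [ "$(selinux_cfg_value SELINUX "$1")" = "$2" ] &&
    [ "$(selinux_cfg_value SELINUXTYPE "$1")" = "$3" ]
}

# Succeed only if the autorelabel flag file $1 exists and carries -F
# (force relabel); a bare 'touch' without the echo is not enough.
check_autorelabel() {
  [ -f "$1" ] && grep -qx -- '-F' "$1"
}

# Number of denial summaries in syslog file $1 (prints 0 when there are none).
count_denials() {
  grep -c "SELinux is preventing" "$1" || true
}

# --- constructed fixtures (sample data, not real system files) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# SELINUX= can take one of these three values:' \
  'SELINUX=permissive' '#     mls - Multi Level Security protection.' \
  'SELINUXTYPE=mls' > "$tmp/config"
: > "$tmp/autorelabel_touched"                 # what 'touch' alone produces
echo "-F" > "$tmp/autorelabel"                 # after the echo "-F" step
printf '%s\n' 'kernel: SELinux:  Initializing.' \
  'setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the file index.html.' \
  > "$tmp/messages"

# Report, the way an operator would run it before switching to enforcing.
check_selinux_config "$tmp/config" permissive mls && echo "config: permissive/mls ok"
check_autorelabel "$tmp/autorelabel" && echo "autorelabel: -F present"
echo "denials logged: $(count_denials "$tmp/messages")"
```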