Use the getenforce or sestatus commands to check the status of SELinux. The getenforce command returns Enforcing, Permissive, or Disabled. The sestatus command returns the SELinux status and the SELinux policy being used:
~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
Important
The dracut utility has to be run to put SELinux awareness into the initramfs file system. Failing to do so causes SELinux not to start during system startup.
When SELinux is disabled, the SELINUX=disabled option is configured in /etc/selinux/config:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
The getenforce command also returns Disabled:
~]$ getenforce
Disabled
Procedure 10.8. Enabling SELinux
Confirm that the required SELinux packages are installed, using the rpm utility:
~]$ rpm -qa | grep selinux
selinux-policy-3.12.1-136.el7.noarch
libselinux-2.2.2-4.el7.x86_64
selinux-policy-targeted-3.12.1-136.el7.noarch
libselinux-utils-2.2.2-4.el7.x86_64
libselinux-python-2.2.2-4.el7.x86_64
~]$ rpm -qa | grep policycoreutils
policycoreutils-2.2.5-6.el7.x86_64
policycoreutils-python-2.2.5-6.el7.x86_64
~]$ rpm -qa | grep setroubleshoot
setroubleshoot-server-3.2.17-2.el7.x86_64
setroubleshoot-3.2.17-2.el7.x86_64
setroubleshoot-plugins-3.0.58-2.el7.noarch
If any of them are not installed, use the yum utility as root to install them:
~]# yum install package_name
Before SELinux is enabled, every file on the file system must be labeled with an SELinux context. Until that has happened, confined domains may be denied access, which can prevent the system from booting correctly. To prevent this, configure SELINUX=permissive in the /etc/selinux/config file:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
As root, reboot the system. During the next boot, the file systems are labeled; the labeling process assigns an SELinux context to every file:
~]# reboot
*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
****
Each * (asterisk) character on the bottom line represents 1000 files that have been labeled. In the above example, four * characters represent 4000 files that have been labeled. The time it takes to label all files depends upon the number of files on the system and the speed of the hard disk drives. On modern systems, this process can take as little as 10 minutes.
In permissive mode, the SELinux policy is not enforced, but actions that would have been denied in enforcing mode are logged. Before switching to enforcing mode, as root, confirm that SELinux did not deny any actions during the last boot:
~]# grep "SELinux is preventing" /var/log/messages
If SELinux did not deny any actions during the last boot, this command returns no output. If there were no denial messages in the /var/log/messages file, configure SELINUX=enforcing in /etc/selinux/config:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
The new mode in /etc/selinux/config takes effect at boot, so reboot the system and then confirm that getenforce returns Enforcing:
~]$ getenforce
Enforcing
As root, view the mapping between SELinux users and Linux users:
~]# semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
If your output differs, run the following commands as root to fix the user mappings. It is safe to ignore the SELinux-user username is already defined warnings if they occur, where username can be unconfined_u, guest_u, or xguest_u:
Procedure 10.9. Fixing User Mappings
~]# semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
~]# semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__
~]# semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root
~]# semanage user -a -S targeted -P user -R guest_r guest_u
~]# semanage user -a -S targeted -P user -R xguest_r xguest_u
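A post-procedure audit, written here as an added example (not Red Hat's code): it reads SELINUX= from a file in the /etc/selinux/config format, compares it with the running mode the way sestatus contrasts "Current mode" with "Mode from config file", and counts "SELinux is preventing" denials in a messages-style log. The function names, the temporary file paths and the constructed config and log lines are assumptions; on a real host pass /etc/selinux/config, "$(getenforce)" and /var/log/messages instead.

```shell
#!/bin/sh
# Added example for the SELinux enabling procedure; not part of the guide.
# All checks work on files and strings, so they run offline on constructed
# input (below) and on a real host's /etc/selinux/config and /var/log/messages.

# Value of KEY in an /etc/selinux/config-style file, skipping comment lines.
# Usage: selinux_config_value FILE KEY
selinux_config_value() {
    grep -v '^[[:space:]]*#' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1
}

# Compare the configured mode with the running mode and print one word:
#   ok / drift (config and kernel disagree: setenforce at runtime, or the
#   config was edited and the host not yet rebooted) / permissive (denials
#   only logged) / disabled (no policy loaded) / invalid (unknown SELINUX=).
# Exit status is 0 only for "ok". Usage: selinux_audit FILE RUNNING_MODE
selinux_audit() {
    _cfg=$(selinux_config_value "$1" SELINUX)
    _run=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # getenforce prints "Enforcing"
    case "$_cfg" in
        enforcing|permissive|disabled) ;;
        *) echo invalid; return 2 ;;
    esac
    [ "$_cfg" = "$_run" ] || { echo drift; return 1; }
    [ "$_cfg" = enforcing ] && { echo ok; return 0; }
    echo "$_cfg"; return 1
}

# Number of "SELinux is preventing" lines in a messages-style log; the guide's
# grep step expects zero before switching to enforcing. Usage: selinux_denials LOG
selinux_denials() {
    grep -c 'SELinux is preventing' "$1" || true   # grep -c exits 1 on zero matches
}

# Constructed sample input (not captured from a real host).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/config" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
cat > "$tmp/messages" <<'EOF'
Jan  1 00:00:01 host setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the file index.html.
Jan  1 00:00:02 host systemd: Started Session 1 of user root.
EOF

selinux_audit "$tmp/config" Enforcing        # prints "ok"
selinux_audit "$tmp/config" Permissive || :  # prints "drift": config says enforcing
```

A non-zero exit from selinux_audit is the signal to act on: "drift" after a reboot means the config file was not applied, and "disabled" means files created from now on carry no labels and a relabel will be needed when SELinux is re-enabled.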
Important