Sunday 31 January 2016

How to Enable/Disable SELinux in RHEL 7

Security Enhanced  Linux (SELinux)  is an additional  layer of system  security. A  primary  goal of
SELinux  is to  protect  user data from  system services that have been compromised. Most Linux
administrators  are familiar with the standard  user/group/other permission security model. SELinux provides an additional  layer of security that  is object-based and controlled by more  sophisticated  rules, known as mandatory  access  control.

Check the status of SELinux  

[root@rhel7 ~]# getenforce
Enforcing
or
[root@rhel7 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@rhel7 ~]#

Check SELinux context of file

Many  commands that  deal with  files have an option (usually  -Z) to display or set SELinux 
contexts.  For  instance, ps, ls, cp, and mkdir all use the  -Z option to display or set SELinux 
contexts.

[root@rhel7 ~]# ls -l /tmp
total 0
-rw-r--r--. 1 root root  0 Jan 31 15:20 abc
drwx------. 2 root root 23 Jan 31 12:53 ssh-I5w8qAMyFP0V
drwx------. 3 root root 16 Jan  5 10:19 systemd-private-0sxVjO
drwx------. 3 root root 16 Dec 20 12:18 systemd-private-5se4Ud
drwx------. 3 root root 16 Dec 21 18:16 systemd-private-8LmQlv


[root@rhel7 ~]# ls -lZ /tmp

-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 abc
drwx------. root root unconfined_u:object_r:user_tmp_t:s0 ssh-I5w8qAMyFP0V
drwx------. root root system_u:object_r:tmp_t:s0       systemd-private-0sxVjO
drwx------. root root system_u:object_r:tmp_t:s0       systemd-private-5se4Ud
drwx------. root root system_u:object_r:tmp_t:s0       systemd-private-8LmQlv

SELinux Modes 

SELinux can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.

In  Enforcing mode,  SELinux actively denies access to  the web server attempting to  read  files with tmp_t type context.  In enforcing mode, SELinux both  logs and protects.

Permissive mode  is often  used to troubleshoot  issues.  In  permissive mode, SELinux allows  all
interactions, even  if there  is no explicit  rule,  and  it  logs those  interactions  it would have  denied
in enforcing mode. This mode can  be used to temporarily al low access  to content that  SELinux  is
restricting. No  reboot  is required to go from enforcing to  permissive or back  again.

A  third mode,  Disabled,  completely disables SELinux. A  system  reboot  is  required to disable
SELinux entirely,  or to get from disabled mode to enforcing or permissive mode.

Changing SELinux Mode

[root@rhel7 ~]# getenforce
Enforcing
[root@rhel7 ~]# setenforce
usage:  setenforce [ Enforcing | Permissive | 1 | 0 ]
[root@rhel7 ~]# setenforce 0
[root@rhel7 ~]# getenforce
Permissive

[root@rhel7 ~]# setenforce 1
[root@rhel7 ~]# getenforce
Enforcing

Setting the default SELinux mode

The configuration file that determines what the SELinux mode is at  boot time is /etc/selinux/config. Notice that it contains some useful comments.  /etc/sysconfig/selinux  file is  a  symbolic link that points to /etc/selinux/config


[root@rhel7 ~]# cd /etc/selinux/
[root@rhel7 selinux]# ll
total 12
-rw-r--r--. 1 root root  547 Dec 20 16:58 config
-rw-r--r--. 1 root root 2321 Jan 26  2014 semanage.conf
drwxr-xr-x. 6 root root 4096 Dec 20 17:05 targeted
[root@rhel7 selinux]# cd /etc/sysconfig/
[root@rhel7 sysconfig]# ls -lrt selinux
lrwxrwxrwx. 1 root root 17 Dec 20 16:58 selinux -> ../selinux/config
[root@rhel7 sysconfig]#

To change SELinux mode from Enforcing or Permissive to Disabled

[root@rhel7 sysconfig]# vim /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing  ---> changed to disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.

SELINUXTYPE=targeted

Now Reboot the OS to disable all policy














No comments:

Post a Comment