Security Enhanced Linux (SELinux) is an additional layer of system security. A primary goal of
SELinux is to protect user data from system services that have been compromised. Most Linux
administrators are familiar with the standard user/group/other permission security model. SELinux provides an additional layer of security that is object-based and controlled by more sophisticated rules, known as mandatory access control.
Check the status of SELinux
[root@rhel7 ~]# getenforce
Enforcing
or
[root@rhel7 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
[root@rhel7 ~]#
SELinux can run in one of these three modes:
enforcing - SELinux security policy is enforced.
permissive - SELinux prints warnings instead of enforcing.
disabled - No SELinux policy is loaded.
In enforcing mode, SELinux actively denies any access the loaded policy does not allow; a web server attempting to read files labelled with the tmp_t type, for example, is blocked. In enforcing mode, SELinux both logs and protects.
Permissive mode is often used to troubleshoot issues. In permissive mode, SELinux allows all interactions, even if there is no explicit rule, and it logs those interactions it would have denied in enforcing mode. This mode can be used to temporarily allow access to content that SELinux is restricting. No reboot is required to go from enforcing to permissive or back again.
A third mode, disabled, completely disables SELinux. A system reboot is required to disable SELinux entirely, or to get from disabled mode to enforcing or permissive mode.
Changing SELinux Mode
[root@rhel7 ~]# getenforce
Enforcing
[root@rhel7 ~]# setenforce
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]
[root@rhel7 ~]# setenforce 0
[root@rhel7 ~]# getenforce
Permissive
[root@rhel7 ~]# setenforce 1
[root@rhel7 ~]# getenforce
Enforcing
Setting the default SELinux mode
The configuration file that determines the SELinux mode at boot time is /etc/selinux/config. Notice that it contains some useful comments. The file /etc/sysconfig/selinux is a symbolic link that points to /etc/selinux/config.
[root@rhel7 ~]# cd /etc/selinux/
[root@rhel7 selinux]# ll
total 12
-rw-r--r--. 1 root root 547 Dec 20 16:58 config
-rw-r--r--. 1 root root 2321 Jan 26 2014 semanage.conf
drwxr-xr-x. 6 root root 4096 Dec 20 17:05 targeted
[root@rhel7 selinux]# cd /etc/sysconfig/
[root@rhel7 sysconfig]# ls -lrt selinux
lrwxrwxrwx. 1 root root 17 Dec 20 16:58 selinux -> ../selinux/config
[root@rhel7 sysconfig]#
To change the SELinux mode from enforcing or permissive to disabled, edit the config file:
[root@rhel7 sysconfig]# vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing ---> change this line to SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Now reboot the OS; after the reboot no SELinux policy is loaded at all.
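The runtime mode set with setenforce and the boot mode set in /etc/selinux/config can disagree, and that disagreement is worth checking for. The following script is an added example (not from the original page) that reads the SELINUX= value with the same comment lines the page shows, compares it with getenforce output, and classifies the result; the function and status names are my own.

```shell
# Added example, not from the original page: compare the mode SELinux is
# running in (getenforce) with the mode /etc/selinux/config sets at boot.
# Runtime "Permissive" against a config of "enforcing" means setenforce 0 was
# run since boot; a disagreement involving "disabled" waits for a reboot.

# Print the SELINUX= value from a config file. Comment lines such as
# "# SELINUX= can take one of these three values:" and the SELINUXTYPE= key
# are skipped, and anything after the value (e.g. an annotation) is dropped.
config_mode() {
    # $1: path to a file in /etc/selinux/config format
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Map getenforce output (Enforcing/Permissive/Disabled) to the config spelling.
runtime_mode() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}

# ok: runtime and boot mode agree; drift: changed at runtime with setenforce;
# reboot-pending: one side is disabled, which cannot change without a reboot.
classify() {
    # $1: runtime mode, $2: config mode, both lowercase
    if [ "$1" = "$2" ]; then
        echo ok
    elif [ "$1" = disabled ] || [ "$2" = disabled ]; then
        echo reboot-pending
    else
        echo drift
    fi
}

# Report for the live host (only where getenforce and the config file exist).
check_host() {
    cfg=$(config_mode /etc/selinux/config)
    run=$(runtime_mode "$(getenforce)")
    echo "runtime=$run config=$cfg status=$(classify "$run" "$cfg")"
}

# Constructed sample in the page's file format, so the parser can run offline.
sample_config() {
    cat <<'EOF'
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
}
if command -v getenforce >/dev/null 2>&1 && [ -r /etc/selinux/config ]; then
    check_host
fi
```

A status of drift on a host that should be enforcing is the condition to alert on; reboot-pending simply means the config edit above has not yet taken effect.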
Check the SELinux context of a file
Many commands that deal with files have an option (usually -Z) to display or set SELinux
contexts. For instance, ps, ls, cp, and mkdir all use the -Z option to display or set SELinux
contexts.
[root@rhel7 ~]# ls -l /tmp
total 0
-rw-r--r--. 1 root root 0 Jan 31 15:20 abc
drwx------. 2 root root 23 Jan 31 12:53 ssh-I5w8qAMyFP0V
drwx------. 3 root root 16 Jan 5 10:19 systemd-private-0sxVjO
drwx------. 3 root root 16 Dec 20 12:18 systemd-private-5se4Ud
drwx------. 3 root root 16 Dec 21 18:16 systemd-private-8LmQlv
[root@rhel7 ~]# ls -lZ /tmp
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 abc
drwx------. root root unconfined_u:object_r:user_tmp_t:s0 ssh-I5w8qAMyFP0V
drwx------. root root system_u:object_r:tmp_t:s0 systemd-private-0sxVjO
drwx------. root root system_u:object_r:tmp_t:s0 systemd-private-5se4Ud
drwx------. root root system_u:object_r:tmp_t:s0 systemd-private-8LmQlv
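The context string is four colon-separated fields (user:role:type:level), and the type is the field most access decisions hinge on. The script below is an added example (not from the original page) that parses the RHEL 7 ls -lZ layout shown above, where the context replaces the size and date columns (newer coreutils print a different layout, which this does not handle), and lists entries whose type differs from the one expected for the directory; the function names and the sample listing are my own.

```shell
# Added example, not from the original page: pull the SELinux type out of
# ls -lZ output so a directory can be checked for entries whose label differs
# from the rest, such as the tmp_t / user_tmp_t mix shown above for /tmp.

# Split a context user:role:type:level into fields. The level itself may
# contain colons (e.g. s0-s0:c0.c1023), so only the first three are separators.
context_field() {
    # $1: context string, $2: one of user role type level
    case "$2" in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# Read ls -lZ lines on stdin in the RHEL 7 layout shown on the page
# (mode user group context name) and print "<type> <name>" per entry.
types_of_listing() {
    while read -r mode user group ctx name; do
        [ -n "$ctx" ] || continue      # skips blank lines and "total N"
        printf '%s %s\n' "$(context_field "$ctx" type)" "$name"
    done
}

# Print the names whose type is not $1. In a directory that should carry one
# type throughout, these are the entries to relabel (restorecon) or investigate.
entries_not_of_type() {
    types_of_listing | while read -r t name; do
        [ "$t" = "$1" ] || printf '%s\n' "$name"
    done
}

# Constructed sample taken from the page's ls -lZ /tmp output.
sample_listing() {
    cat <<'EOF'
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 abc
drwx------. root root unconfined_u:object_r:user_tmp_t:s0 ssh-I5w8qAMyFP0V
drwx------. root root system_u:object_r:tmp_t:s0 systemd-private-0sxVjO
EOF
}

sample_listing | entries_not_of_type user_tmp_t   # prints systemd-private-0sxVjO
```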