4.4. Permanent Changes in SELinux States and Modes
As discussed in Section 1.4, “SELinux States and Modes”, SELinux can be enabled or disabled. When enabled, SELinux has two modes: enforcing and permissive.
Use the getenforce or sestatus commands to check in which mode SELinux is running. The getenforce command returns Enforcing, Permissive, or Disabled.
The sestatus command returns the SELinux status and the SELinux policy being used:
~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      30
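The two lines of sestatus output worth comparing are "Current mode" and "Mode from config file": they differ after a temporary setenforce, or after /etc/selinux/config has been edited but the system not yet rebooted. The following is an added example, not part of the Red Hat guide, that parses sestatus-style output and reports such a mismatch. The sample output is constructed and the function names are this example's own; point it at the real command with selinux_mode_drift "$(sestatus)".

```shell
# Added example (not from the Red Hat guide): parse sestatus output and
# report whether the running mode matches the configured mode. POSIX sh + awk.

# Constructed sample: what sestatus shows after "setenforce 0" on a host whose
# /etc/selinux/config still says enforcing.
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      30'

# sestatus_field TEXT LABEL -> value of the "LABEL:" line, leading blanks removed
sestatus_field() {
    printf '%s\n' "$1" | awk -F: -v label="$2" '
        $1 == label { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# selinux_mode_drift TEXT -> prints both modes; returns 0 when they agree,
# 1 when a temporary setenforce or a pending reboot has left them different.
selinux_mode_drift() {
    current=$(sestatus_field "$1" "Current mode")
    configured=$(sestatus_field "$1" "Mode from config file")
    printf 'current=%s configured=%s\n' "$current" "$configured"
    [ "$current" = "$configured" ]
}

# Demo on the constructed sample; live use: selinux_mode_drift "$(sestatus)"
if selinux_mode_drift "$SAMPLE_SESTATUS"; then
    echo "running mode matches /etc/selinux/config"
else
    echo "drift: a temporary setenforce or a reboot that has not happened yet"
fi
```

The check is deliberately read-only: it tells you which of the two modes is in effect right now and which one the next boot will apply, which is exactly the question that matters before following any of the procedures below.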
Note
When systems run SELinux in permissive mode, users are able to label files incorrectly. Files created while SELinux is disabled are not labeled at all. This behavior causes problems when changing to enforcing mode because files are labeled incorrectly or are not labeled at all. To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from the disabled state to permissive or enforcing mode.
4.4.1. Enabling SELinux
When enabled, SELinux can run in one of two modes: enforcing or permissive. The following sections show how to permanently change into these modes.
When enabling SELinux on systems that previously had it disabled, Red Hat recommends following this procedure to avoid problems such as systems being unable to boot or process failures:
- Enable SELinux in permissive mode. For more information, see Section 4.4.1.1, “Permissive Mode”.
- Reboot your system.
- Check for SELinux denial messages. For more information, see Section 11.3.5, “Searching For and Viewing Denials”.
- If there are no denials, switch to enforcing mode. For more information, see Section 4.4.1.2, “Enforcing Mode”.
To run custom applications with SELinux in enforcing mode, choose one of the following scenarios:
- Run your application in the unconfined_service_t domain. See Section 3.2, “Unconfined Processes” for more information.
- Write a new policy for your application. See the Writing Custom SELinux Policy Knowledgebase article for more information.
4.4.1.1. Permissive Mode
When SELinux is running in permissive mode, SELinux policy is not enforced. The system remains operational and SELinux does not deny any operations but only logs AVC messages, which can then be used for troubleshooting, debugging, and SELinux policy improvements. Each AVC is logged only once in this case.
To permanently change mode to permissive, follow the procedure below:
Procedure 4.2. Changing to Permissive Mode
- Edit the /etc/selinux/config file as follows:
  # This file controls the state of SELinux on the system.
  # SELINUX= can take one of these three values:
  #     enforcing - SELinux security policy is enforced.
  #     permissive - SELinux prints warnings instead of enforcing.
  #     disabled - No SELinux policy is loaded.
  SELINUX=permissive
  # SELINUXTYPE= can take one of these two values:
  #     targeted - Targeted processes are protected,
  #     mls - Multi Level Security protection.
  SELINUXTYPE=targeted
- Reboot the system:
  ~]# reboot
4.4.1.2. Enforcing Mode
When SELinux is running in enforcing mode, it enforces the SELinux policy and denies access based on SELinux policy rules. In Red Hat Enterprise Linux, enforcing mode is enabled by default when the system was initially installed with SELinux.
If SELinux was disabled, follow the procedure below to change mode to enforcing again:
Procedure 4.3. Changing to Enforcing Mode
This procedure assumes that the selinux-policy-targeted, selinux-policy, libselinux, libselinux-python, libselinux-utils, policycoreutils, and policycoreutils-python packages are installed. To verify that the packages are installed, use the following command:
rpm -q package_name
- Edit the /etc/selinux/config file as follows:
  # This file controls the state of SELinux on the system.
  # SELINUX= can take one of these three values:
  #     enforcing - SELinux security policy is enforced.
  #     permissive - SELinux prints warnings instead of enforcing.
  #     disabled - No SELinux policy is loaded.
  SELINUX=enforcing
  # SELINUXTYPE= can take one of these two values:
  #     targeted - Targeted processes are protected,
  #     mls - Multi Level Security protection.
  SELINUXTYPE=targeted
- Reboot the system:
  ~]# reboot
On the next boot, SELinux relabels all the files and directories within the system and adds SELinux context for files and directories that were created when SELinux was disabled.
Note
After changing to enforcing mode, SELinux may deny some actions because of incorrect or missing SELinux policy rules. To view what actions SELinux denies, enter the following command as root:
~]# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today
Alternatively, with the setroubleshoot-server package installed, enter the following command as root:
~]# grep "SELinux is preventing" /var/log/messages
If SELinux denies some actions, see Chapter 11, Troubleshooting for information about troubleshooting.
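The ausearch command above prints raw AVC records; before switching from permissive to enforcing (step 3 of the enabling procedure) what you really want is a count of distinct denials by process, permission, object class and type pair, because each of those will become a real block in enforcing mode. The following is an added example, not part of the Red Hat guide, that builds that summary. The audit records are constructed for the example and follow the standard AVC record layout; the function names are this example's own. For live use, point it at /var/log/audit/audit.log or at raw ausearch output (ausearch -r).

```shell
# Added example (not from the Red Hat guide): summarize AVC "denied" records so
# the denials that enforcing mode would turn into blocks are easy to read.
# POSIX sh + awk + sort.

# Constructed sample audit records. permissive=1 marks denials that were only
# logged, not enforced, because the system was in permissive mode.
AVC_FILE=$(mktemp)
trap 'rm -f "$AVC_FILE"' EXIT
cat > "$AVC_FILE" <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=2101 comm="httpd" name="style.css" dev="dm-0" ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=42 success=yes exit=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { read } for  pid=2101 comm="httpd" name="logo.png" dev="dm-0" ino=1003 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
EOF

# avc_denials FILE -> number of AVC denial records (other record types skipped)
avc_denials() {
    grep -c '^type=AVC .* denied ' "$1" || true
}

# summarize_avc FILE -> "count comm permission tclass source_type->target_type",
# most frequent first. Only the type component of each context is kept.
summarize_avc() {
    awk '
        /^type=AVC / && / denied / {
            comm = ""; stype = ""; ttype = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="/, "", comm); sub(/"$/, "", comm) }
                if ($i ~ /^scontext=/) { split($i, a, ":"); stype = a[3] }
                if ($i ~ /^tcontext=/) { split($i, b, ":"); ttype = b[3] }
                if ($i ~ /^tclass=/)   { tclass = $i; sub(/^tclass=/, "", tclass) }
            }
            # the requested permissions sit between the braces: "{ read }"
            if (match($0, /[{][^}]*[}]/)) {
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            } else {
                perm = "?"
            }
            count[comm " " perm " " tclass " " stype "->" ttype]++
        }
        END { for (k in count) print count[k], k }' "$1" | sort -rn
}

# Demo on the constructed records; live: summarize_avc /var/log/audit/audit.log
printf 'AVC denials: %s\n' "$(avc_denials "$AVC_FILE")"
summarize_avc "$AVC_FILE"
```

Each output line is one (process, permission, class, source type, target type) combination, which is the granularity at which a policy fix or a relabel is decided. If the summary is empty for a representative workload period, step 4 of the enabling procedure (switch to enforcing) is safe.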
Temporary changes in modes are covered in Section 1.4, “SELinux States and Modes”.
4.4.2. Disabling SELinux
When SELinux is disabled, SELinux policy is not loaded at all; it is not enforced and AVC messages are not logged. Therefore, all benefits of running SELinux listed in Section 1.1, “Benefits of running SELinux” are lost.
Important
Red Hat strongly recommends using permissive mode instead of permanently disabling SELinux. See Section 4.4.1.1, “Permissive Mode” for more information about permissive mode.
To permanently disable SELinux, follow the procedure below:
Procedure 4.4. Disabling SELinux
- Configure SELINUX=disabled in the /etc/selinux/config file:
  # This file controls the state of SELinux on the system.
  # SELINUX= can take one of these three values:
  #     enforcing - SELinux security policy is enforced.
  #     permissive - SELinux prints warnings instead of enforcing.
  #     disabled - No SELinux policy is loaded.
  SELINUX=disabled
  # SELINUXTYPE= can take one of these two values:
  #     targeted - Targeted processes are protected,
  #     mls - Multi Level Security protection.
  SELINUXTYPE=targeted
- Reboot your system. After reboot, confirm that the getenforce command returns Disabled:
  ~]$ getenforce
  Disabled
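Procedures 4.2, 4.3 and 4.4 are the same edit with a different SELINUX= value, so a single script can serve all three and also encode the order the guide recommends (disabled to permissive, verify, then enforcing). The following is an added example, not part of the Red Hat guide, that does that against a config file in the format shown above. The file it edits is a constructed copy in a temporary location; the function names and return codes are this example's own. To act on the real file, run as root with CFG=/etc/selinux/config, and remember that the change only takes effect after a reboot.

```shell
# Added example (not from the Red Hat guide): edit the SELINUX= line of an
# /etc/selinux/config-style file, validate the value, and refuse the direct
# disabled -> enforcing jump the guide advises against. POSIX sh + sed only.

# Constructed copy of the config file shown in the guide.
CFG=$(mktemp)
trap 'rm -f "$CFG"' EXIT
cat > "$CFG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF

# selinux_config_mode FILE -> value of the last uncommented SELINUX= line
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# set_selinux_config_mode FILE MODE
#   rc 0: written and read back; 2: MODE not one of the three values;
#   3: refused, file says disabled and MODE is enforcing (go via permissive)
set_selinux_config_mode() {
    case "$2" in
        enforcing|permissive|disabled) ;;
        *) printf 'invalid SELINUX mode: %s\n' "$2" >&2; return 2 ;;
    esac
    if [ "$(selinux_config_mode "$1")" = disabled ] && [ "$2" = enforcing ]; then
        printf 'refusing disabled -> enforcing; switch to permissive first\n' >&2
        return 3
    fi
    # Rewrite via a variable and redirect back into the same file so it keeps
    # its inode, owner, permissions and SELinux label (tmp+mv would not).
    content=$(sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$2/" "$1") || return 1
    printf '%s\n' "$content" > "$1"
    [ "$(selinux_config_mode "$1")" = "$2" ]
}

# Demo: the guide's recommended path out of "disabled"
set_selinux_config_mode "$CFG" enforcing || echo "step rejected, rc=$?"
set_selinux_config_mode "$CFG" permissive && echo "config now: $(selinux_config_mode "$CFG") (reboot to apply)"
set_selinux_config_mode "$CFG" enforcing && echo "config now: $(selinux_config_mode "$CFG") (reboot to apply)"
```

The read-back after each write is the important part: a typo in the value, or a second SELINUX= line further down the file, would otherwise go unnoticed until the next boot.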