49.6.4. Enabling MLS in SELinux
Note
It is not recommended to use the MLS policy on a system that is running the X Window System.
Follow these steps to enable the SELinux MLS policy on your system.
- Install the selinux-policy-mls package:
    ~]# yum install selinux-policy-mls
- Before the MLS policy is enabled, each file on the file system must be relabeled with an MLS label. When the file system is relabeled, confined domains may be denied access, which may prevent your system from booting correctly. To prevent this from happening, configure SELINUX=permissive in the /etc/selinux/config file. Also, enable the MLS policy by configuring SELINUXTYPE=mls. Your configuration file should look like this:
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=permissive
    # SELINUXTYPE= can take one of these two values:
    #     targeted - Targeted processes are protected,
    #     minimum - Modification of targeted policy. Only selected processes are protected.
    #     mls - Multi Level Security protection.
    SELINUXTYPE=mls
- Make sure SELinux is running in permissive mode:
    ~]# setenforce 0
    ~]# getenforce
    Permissive
- Create the .autorelabel file in the root directory (/) to ensure that files are relabeled upon the next reboot:
    ~]# touch /.autorelabel
- Reboot your system. During the next boot, all file systems are relabeled according to the MLS policy. The labeling process labels every file with an appropriate SELinux context:
    *** Warning -- SELinux mls policy relabel is required.
    *** Relabeling could take a very long time, depending on file
    *** system size and speed of hard drives.
    ***********
  Each * (asterisk) character on the bottom line represents 1000 files that have been labeled. In the above example, eleven * characters represent 11000 labeled files. The time it takes to label all files depends on the number of files on the system and the speed of the hard disk drives. On modern systems, this process can take as little as 10 minutes. Once the labeling process finishes, the system reboots automatically.
- Once the file system is relabeled, execute the following commands to ensure that the /root directory and all other home directories are properly labeled:
    ~]# genhomedircon
    ~]# restorecon -R -v /root /home <other_home_directories>
- In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied in enforcing mode. Before changing to enforcing mode, as the Linux root user, run the following command to confirm that SELinux did not deny any actions during the last boot:
    ~]# grep "SELinux is preventing" /var/log/messages
  If SELinux did not deny any actions during the last boot, this command returns no output.
- If there were no denial messages in /var/log/messages, or you have resolved all existing denials, configure SELINUX=enforcing in the /etc/selinux/config file:
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=enforcing
    # SELINUXTYPE= can take one of these two values:
    #     targeted - Targeted processes are protected,
    #     minimum - Modification of targeted policy. Only selected processes are protected.
    #     mls - Multi Level Security protection.
    SELINUXTYPE=mls
- Reboot your system and make sure SELinux is running in enforcing mode:
    ~]$ getenforce
    Enforcing
  and that the MLS policy is enabled:
    ~]# sestatus | grep mls
    Policy from config file:        mls
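The following script is an added example and is not part of the Red Hat guide. It automates the two checks the procedure above relies on: that /etc/selinux/config holds SELINUX=permissive and SELINUXTYPE=mls before the relabel, and that no "SELinux is preventing" denials were logged before switching to enforcing. The file paths are parameters, and the config and log contents it runs against are constructed samples, not copies of real system files.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: pre-flight checks for the
# permissive -> MLS relabel -> enforcing switch-over described above.

# Print the effective (uncommented) value of KEY from an SELinux config file.
# Descriptive comments such as "# SELINUX= can take ..." are ignored; the last
# uncommented assignment wins.
selinux_config_get() {
    key="$1"; cfg="$2"
    sed -n "s/^[[:space:]]*${key}=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$cfg" | tail -n 1
}

# Return 0 when the config is in the state required before the relabel:
# SELINUX=permissive together with SELINUXTYPE=mls.
mls_relabel_config_ok() {
    [ "$(selinux_config_get SELINUX "$1")" = "permissive" ] &&
    [ "$(selinux_config_get SELINUXTYPE "$1")" = "mls" ]
}

# Count the "SELinux is preventing" lines the guide tells you to grep for;
# anything other than 0 means denials must be resolved before enforcing.
count_denials() {
    grep -c "SELinux is preventing" "$1" || true
}

# Constructed sample files (hypothetical contents, not taken from a system).
tmpdir=$(mktemp -d)
cat > "$tmpdir/config" <<'EOF'
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
SELINUXTYPE=mls
EOF
cat > "$tmpdir/messages" <<'EOF'
Jan  1 00:00:01 host setroubleshoot: SELinux is preventing /usr/sbin/example from read access on the file example.conf.
Jan  1 00:00:02 host systemd[1]: Started Session 1 of user root.
EOF

if mls_relabel_config_ok "$tmpdir/config"; then
    echo "config is ready for the MLS relabel (permissive + mls)"
else
    echo "config is NOT ready: fix SELINUX=/SELINUXTYPE= first"
fi
echo "denials logged since boot: $(count_denials "$tmpdir/messages")"
```

Run it against the real files by calling the functions with /etc/selinux/config and /var/log/messages instead of the constructed samples.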