SELinux Operating Mode
https://www.server-world.info/en/note?os=Rocky_Linux_10&p=selinux&f=1
This is the Basic Usage and Configuration for SELinux (Security-Enhanced Linux).
SELinux provides MAC (Mandatory Access Control) over various resources on Rocky Linux.
[1] Confirm the current status of SELinux as follows. (The default mode is [Enforcing].)
display current mode
[root@dlp ~]# getenforce
Enforcing
enforcing ⇒ SELinux is enabled and the policy is enforced (default)
permissive ⇒ the policy is loaded but not enforced; denials are only recorded in the audit log according to the policy
disabled ⇒ SELinux is disabled
the status can also be displayed with the following command
[root@dlp ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
[2] It’s possible to switch the current mode between [permissive] ⇔ [enforcing] with the [setenforce] command. However, the change is not persistent: if the Rocky Linux system is restarted, the mode returns to the configured default.
[root@dlp ~]# getenforce
Enforcing
switch to [Permissive] with [setenforce 0]
[root@dlp ~]# setenforce 0
[root@dlp ~]# getenforce
Permissive
switch to [Enforcing] with [setenforce 1]
[root@dlp ~]# setenforce 1
[root@dlp ~]# getenforce
Enforcing
[3] If you’d like to change the Operating Mode permanently, change the value in the configuration file.
[root@dlp ~]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# See also:
# https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes
#
# NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also
# fully disable SELinux during boot. If you need a system with SELinux
# fully disabled instead of SELinux running with no policy loaded, you
# need to pass selinux=0 to the kernel command line. You can use grubby
# to persistently set the bootloader to boot with selinux=0:
#
#    grubby --update-kernel ALL --args selinux=0
#
# To revert back to SELinux enabled:
#
#    grubby --update-kernel ALL --remove-args selinux
#
# change the value you’d like to set
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
restart to apply change
[root@dlp ~]# reboot
[4] To disable SELinux: if you set [SELINUX=disabled] in the configuration file as usual, SELinux still runs, only with no policy loaded. If you’d like to fully disable it, add a kernel parameter like follows.
disable SELinux
[root@localhost ~]# grubby --update-kernel ALL --args selinux=0
restart to apply changes
[root@localhost ~]# reboot
to go back to enabled, set it like follows (restart required)
[root@localhost ~]# grubby --update-kernel ALL --remove-args selinux
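The three places that decide the effective mode in steps [2] to [4] above (the live mode from [setenforce], the [SELINUX=] line in /etc/selinux/config, and a [selinux=0] kernel argument) can disagree with each other, and a runtime mode that drifts from the configured one is a common finding in host audits. The following script is an added example that is not part of the server-world.info page: it parses a config file in the /etc/selinux/config format, checks a kernel command line for [selinux=0], and reports whether the live mode matches the persistent configuration. The function names (configured_mode, kernel_disabled, mode_status) are assumptions of this example, and the sample config, command line and getenforce output at the bottom are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the server-world.info page): audit the live SELinux
# mode against the persistent configuration. Function names are assumptions of
# this example; the inputs at the bottom are constructed sample data.

# Print the value of SELINUX= from a file in /etc/selinux/config format.
# Comment lines ("# SELINUX= can take ...") are skipped because the pattern is
# anchored at the start of the line; the last uncommented setting wins.
configured_mode() {
    # $1 = path to the config file
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Print the value of SELINUXTYPE= (targeted, minimum or mls).
configured_type() {
    sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Return 0 when the kernel command line carries selinux=0, i.e. SELinux is
# fully disabled at boot regardless of what the config file says.
kernel_disabled() {
    # $1 = kernel command line text (normally the contents of /proc/cmdline)
    case " $1 " in
        *" selinux=0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Compare the live mode (getenforce output) with the configured one.
# Prints exactly one word: kernel-off, match or drift.
mode_status() {
    # $1 = live mode as printed by getenforce (Enforcing/Permissive/Disabled)
    # $2 = config file path, $3 = kernel command line text
    live=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    cfg=$(configured_mode "$2")
    if kernel_disabled "$3"; then
        echo kernel-off
    elif [ "$live" = "$cfg" ]; then
        echo match
    else
        echo drift
    fi
}

# --- constructed demonstration data (not a real host) ---------------------
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

# Someone ran "setenforce 0" on the box: live mode no longer matches the file.
demo_cmdline='BOOT_IMAGE=(hd0,gpt2)/vmlinuz ro quiet'
echo "configured: $(configured_mode "$demo_cfg") / $(configured_type "$demo_cfg")"
echo "status:     $(mode_status Permissive "$demo_cfg" "$demo_cmdline")"  # drift
echo "status:     $(mode_status Enforcing "$demo_cfg" "$demo_cmdline")"   # match
echo "status:     $(mode_status Disabled "$demo_cfg" "$demo_cmdline selinux=0")"  # kernel-off
rm -f "$demo_cfg"
```

On a real host you would call it as `mode_status "$(getenforce)" /etc/selinux/config "$(cat /proc/cmdline)"`; a result of `drift` means a reboot will silently change the mode, and `kernel-off` means the config file is irrelevant until the grubby argument is removed.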
[5] If you change the Operating Mode from [Disabled] to [Enforcing/Permissive], the filesystem needs to be re-labelled with SELinux Contexts. Files or directories created while in [Disabled] mode carry no SELinux Contexts, so they must be labelled too.
run the command below; re-labelling will then run on the next boot
[root@dlp ~]# fixfiles -F onboot
System will relabel on next boot
the following flag file is created by the command above
[root@dlp ~]# ll /.autorelabel
-rw-r--r--. 1 root root 3 Jun 18 12:29 /.autorelabel