5.4. Enabling and Disabling SELinux
Use the
/usr/sbin/getenforce
or/usr/sbin/sestatus
commands to check the status of SELinux. Thegetenforce
command returnsEnforcing
,Permissive
, orDisabled
. Thegetenforce
command returnsEnforcing
when SELinux is enabled (SELinux policy rules are enforced):$ /usr/sbin/getenforce EnforcingThe
getenforce
command returnsPermissive
when SELinux is enabled, but SELinux policy rules are not enforced, and only DAC rules are used. Thegetenforce
command returnsDisabled
if SELinux is disabled.The
sestatus
command returns the SELinux status and the SELinux policy being used:$ /usr/sbin/sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 23 Policy from config file: targeted
SELinux status: enabled
is returned when SELinux is enabled.Current mode: enforcing
is returned when SELinux is running in enforcing mode.Policy from config file: targeted
is returned when the SELinux targeted policy is used.
5.4.1. Enabling SELinux
On systems with SELinux disabled, the
SELINUX=disabled
option is configured in/etc/selinux/config
:# This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=disabled # SELINUXTYPE= can take one of these two values: # targeted - Targeted processes are protected, # mls - Multi Level Security protection. SELINUXTYPE=targetedAlso, the
getenforce
command returnsDisabled
:$ /usr/sbin/getenforce Disabled
To enable SELinux:
-
Use the
rpm -qa | grep selinux
,rpm -q policycoreutils
, andrpm -qa | grep setroubleshoot
commands to confirm that the SELinux packages are installed. This guide assumes the following packages are installed: selinux-policy-targeted, selinux-policy, libselinux, libselinux-python, libselinux-utils, policycoreutils,setroubleshoot, setroubleshoot-server, setroubleshoot-plugins. If these packages are not installed, as the Linux root user, install them via theyum install
command. The following packages are optional:policycoreutils-gui, setroubleshoot, selinux-policy-devel, and mcstrans.package-name
-
Before SELinux is enabled, each file on the file system must be labeled with an SELinux context. Before this happens, confined domains may be denied access, preventing your system from booting correctly. To prevent this, configure
SELINUX=permissive
in/etc/selinux/config
:# This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=permissive # SELINUXTYPE= can take one of these two values: # targeted - Targeted processes are protected, # mls - Multi Level Security protection. SELINUXTYPE=targeted
-
As the Linux root user, run the
reboot
command to restart the system. During the next boot, file systems are labeled. The label process labels all files with an SELinux context:*** Warning -- SELinux targeted policy relabel is required. *** Relabeling could take a very long time, depending on file *** system size and speed of hard drives. ****
Each
*
character on the bottom line represents 1000 files that have been labeled. In the above example, four*
characters represent 4000 files have been labeled. The time it takes to label all files depends upon the number of files on the system, and the speed of the hard disk drives. On modern systems, this process can take as little as 10 minutes. -
In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied if running in enforcing mode. Before changing to enforcing mode, as the Linux root user, run the
grep "SELinux is preventing" /var/log/messages
command as the Linux root user to confirm that SELinux did not deny actions during the last boot. If SELinux did not deny actions during the last boot, this command does not return any output. Refer to Chapter 7, Troubleshooting for troubleshooting information if SELinux denied access during boot. -
If there were no denial messages in
/var/log/messages
, configureSELINUX=enforcing
in/etc/selinux/config
:# This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=enforcing # SELINUXTYPE= can take one of these two values: # targeted - Targeted processes are protected, # mls - Multi Level Security protection. SELINUXTYPE=targeted
-
Reboot your system. After reboot, confirm that the
getenforce
command returnsEnforcing
:$ /usr/sbin/getenforce Enforcing
-
As the Linux root user, run the
/usr/sbin/semanage login -l
command to view the mapping between SELinux and Linux users. The output should be as follows:Login Name SELinux User MLS/MCS Range __default__ unconfined_u s0-s0:c0.c1023 root unconfined_u s0-s0:c0.c1023 system_u system_u s0-s0:c0.c1023
If this is not the case, run the following commands as the Linux root user to fix the user mappings. It is safe to ignore the SELinux-user
warnings if they occur, where username
is already definedusername
can beunconfined_u
, guest_u
, or xguest_u
:
-
/usr/sbin/semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
-
/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__
-
/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root
-
/usr/sbin/semanage user -a -S targeted -P user -R guest_r guest_u
- /usr/sbin/semanage user -a -S targeted -P user -R xguest_r xguest_u
5.4.2. Disabling SELinux
注:本文來自:http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.htmlTo disable SELinux, configure
SELINUX=disabled
in/etc/selinux/config
:# This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=disabled # SELINUXTYPE= can take one of these two values: # targeted - Targeted processes are protected, # mls - Multi Level Security protection. SELINUXTYPE=targetedReboot your system. After reboot, confirm that the
getenforce
command returnsDisabled
:$ /usr/sbin/getenforce Disabled