{"id":6708,"date":"2017-05-08T14:30:05","date_gmt":"2017-05-08T06:30:05","guid":{"rendered":"http:\/\/rmohan.com\/?p=6708"},"modified":"2017-05-08T14:30:05","modified_gmt":"2017-05-08T06:30:05","slug":"rhel-7-rhcsa-notes-set-enforcing-and-permissive-modes-for-selinux","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=6708","title":{"rendered":"RHEL 7 \u2013 RHCSA Notes \u2013 Set enforcing and permissive modes for SELinux"},"content":{"rendered":"<p>SELinux modes<\/p>\n<p>SELinux adds an extra layer of security to the resources in the system. It provides MAC (mandatory access control), as opposed to DAC (discretionary access control). Before we dive into setting the SELinux modes, let us see what the different SELinux modes of operation are and how they work. SELinux can operate in any of the 3 modes :<\/p>\n<p>1. Enforced : Actions contrary to the policy are blocked and a corresponding event is logged in the audit log.<br \/>\n2. Permissive : Actions contrary to the policy are only logged in the audit log.<br \/>\n3. Disabled : SELinux is disabled entirely.<\/p>\n<p>Configuration file<\/p>\n<p>SELinux configuration file \/etc\/selinux\/config :<\/p>\n<p># cat  \/etc\/selinux\/config<\/p>\n<p># This file controls the state of SELinux on the system.<br \/>\n# SELINUX= can take one of these three values:<br \/>\n#     enforcing &#8211; SELinux security policy is enforced.<br \/>\n#     permissive &#8211; SELinux prints warnings instead of enforcing.<br \/>\n#     disabled &#8211; No SELinux policy is loaded.<br \/>\nSELINUX=disabled<br \/>\n# SELINUXTYPE= can take one of three two values:<br \/>\n#     targeted &#8211; Targeted processes are protected,<br \/>\n#     minimum &#8211; Modification of targeted policy. 
Only selected processes are protected.<br \/>\n#     mls &#8211; Multi Level Security protection.<br \/>\nSELINUXTYPE=targeted<br \/>\nToggling SELinux modes (Temporarily)<\/p>\n<p>To switch between the SELinux modes temporarily we can use the setenforce command as shown below :<\/p>\n<p># setenforce [ Enforcing | Permissive | 1 | 0 ]<br \/>\n0 \u2013> Permissive<br \/>\n1 \u2013> Enforcing<\/p>\n<p>Verify the current mode of SELinux :<\/p>\n<p># getenforce<br \/>\nEnforcing<br \/>\nor we can also use the sestatus command to get a detailed status :<\/p>\n<p># sestatus<br \/>\nSELinux status:                 enabled<br \/>\nSELinuxfs mount:                \/selinux        &#8211;> virtual FS similar to \/proc<br \/>\nCurrent mode:                   enforcing       &#8211;> current mode of operation<br \/>\nMode from config file:          permissive      &#8211;> mode set in the \/etc\/sysconfig\/selinux file.<br \/>\nPolicy version:                 24<br \/>\nPolicy from config file:        targeted<br \/>\nToggling SELinux modes (Permanently) [reboot required]<\/p>\n<p>SELinux mode can be set permanently using either of the methods below :<br \/>\n1. editing \/etc\/selinux\/config file<br \/>\n2. editing kernel boot options<\/p>\n<p>1. editing \/etc\/selinux\/config file<\/p>\n<p>To set SELinux to permissive, set the line below in the file \/etc\/selinux\/config :<\/p>\n<p>vi \/etc\/selinux\/config<br \/>\n&#8230;.<br \/>\nSELINUX=permissive<br \/>\n&#8230;<br \/>\nSimilarly, the mode can be set to enforcing or disabled by setting the mode in the same line.<\/p>\n<p>2. editing kernel boot options<\/p>\n<p>Edit the kernel boot line and append enforcing=0 to the kernel boot options. 
For example:<\/p>\n<p>title Red Hat Enterprise Linux AS (2.6.9-42.ELsmp)<br \/>\nroot (hd0,0)<br \/>\nkernel \/vmlinuz-2.6.9-42.ELsmp ro root=LABEL=\/ rhgb quiet enforcing=0<br \/>\ninitrd \/initrd-2.6.9-42.ELsmp.img<br \/>\nReboot the server.<\/p>\n<p># shutdown -r now<br \/>\nForcing reboot on changing mode<\/p>\n<p>We can force a reboot on changing the SELinux mode :<\/p>\n<p># setsebool secure_mode_policyload on<\/p>\n","protected":false},"excerpt":{"rendered":"<p>SELinux modes<\/p>\n<p>SELinux adds an extra layer of security to the resources in the system. It provides MAC (mandatory access control), as opposed to DAC (discretionary access control). Before we dive into setting the SELinux modes, let us see what the different SELinux modes of operation are and how they work. SELinux [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[73],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6708"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6708"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6708\/revisions"}],"predecessor-version":[{"id":6709,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6708\/revisions\/6709"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6708"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6708"},{"taxonomy":"post_tag","
embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6708"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}