Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).
SELinux is a set of kernel modifications and user-space tools that have been added to various Linux distributions. Its architecture strives to separate enforcement of security decisions from the security policy, and streamlines the amount of software involved with security policy enforcement. The key concepts underlying SELinux can be traced to several earlier projects by the United States National Security Agency (NSA).
Ideally, you want to keep SELinux in enforcing mode, but there may be times when you need to set it to permissive mode or disable it altogether. Note that the disabled state means the daemon is still running and is still enforcing rules for discretionary access control; however, no MAC security policies are being used, and no violations are being logged.
To use SELinux on CentOS or Fedora, you must use the distribution-supplied upstream kernel (as opposed to the Linode-supplied kernel, which does not support SELinux). All recently-created Linodes run an upstream kernel by default. Review the How to Change your Linode’s Kernel guide for more information on upstream kernels, the Linode kernel, and how to switch between them.
View the current enforcement mode of SELinux on your system using sestatus. You can see below that SELinux is set to permissive mode.
    [root@centos ~]# sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   permissive
    Mode from config file:          permissive
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Max kernel policy version:      28
Change to enforcing mode using setenforce. This will be for the current runtime session only. You’ll need to edit the SELinux configuration file if you want the setting to survive a reboot.
    setenforce 0    # Set to permissive mode.
    setenforce 1    # Set to enforcing mode.
Edit the SELinux configuration file so your mode change will survive reboots. The sed command below is given as an example and will switch from permissive to enforcing mode. For a different mode configuration, substitute the two words in the command with the mode you currently have and the one you want to enable (for example, disabled to permissive).
sed -i 's/SELINUX=permissive/SELINUX=enforcing/g' /etc/selinux/config
If you prefer to edit the file manually, it should look like this:
/etc/selinux/config

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=enforcing
    # SELINUXTYPE= can take one of three two values:
    #     targeted - Targeted processes are protected,
    #     minimum - Modification of targeted policy. Only selected processes are protected.
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted
Reboot your Linode. During the bootup process, SELinux may need to run a relabeling of the filesystem. It will handle this automatically and when it’s done, it’ll reboot the system. If you do not have Lassie enabled, the Linode will shut down and you will need to manually reboot in the Linode Manager.
SELinux filesystem relabel
When your Linode boots back up, log in and verify that SELinux is now running in the new enforcement mode. Run sestatus again. The output should show that you’re in the mode you set in steps 2 and 3 above.
    [root@centos ~]# sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Max kernel policy version:      28
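The verification and the configuration edit described above can be scripted. The following is an added example, not part of the original tutorial: it reads the running mode from sestatus output, reads SELINUX= from the config file, reports when the two differ (a setenforce change that a reboot would undo), and sets the config value whatever it currently is. The function names and the sample data in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect drift between the running and the persistent SELinux mode.

# Print the SELINUX= value from a config file; comments and SELINUXTYPE= are skipped.
config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Print the running mode from sestatus output on stdin ("disabled" if SELinux is off).
runtime_mode() {
    sed -n -e 's/^Current mode:[[:space:]]*//p' \
           -e 's/^SELinux status:[[:space:]]*disabled.*/disabled/p'
}

# Set SELINUX= in file $1 to mode $2, whatever the current value is.
set_config_mode() {
    case "$2" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $2" >&2; return 2 ;;
    esac
    grep -q '^SELINUX=' "$1" || { echo "no SELINUX= line in $1" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # Writing back with cat keeps the file's owner, permissions and SELinux label.
    sed "s/^SELINUX=.*/SELINUX=$2/" "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && [ "$(config_mode "$1")" = "$2" ]
}

# Succeed only when sestatus output $1 and config file $2 name the same mode.
modes_match() {
    [ "$(printf '%s\n' "$1" | runtime_mode)" = "$(config_mode "$2")" ]
}

# Constructed sample: setenforce 1 was run, but the config still says permissive.
demo() {
    cfg=$(mktemp) || return 1
    printf '%s\n' '# SELINUX= can take one of these three values:' \
        'SELINUX=permissive' 'SELINUXTYPE=targeted' > "$cfg"
    status='SELinux status:                 enabled
Current mode:                   enforcing'
    modes_match "$status" "$cfg" || echo "drift: a reboot returns to $(config_mode "$cfg")"
    set_config_mode "$cfg" enforcing && modes_match "$status" "$cfg" && echo "modes agree"
    rm -f "$cfg"
}
demo
```

On a live system the equivalent check is modes_match "$(sestatus)" /etc/selinux/config.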
Tips and tricks
You have successfully learned how to change SELinux modes. If you want to learn more about SELinux, check out this documentation
This tutorial is based on the original tutorial (https://www.linode.com/docs/quick-answers/linux/how-to-change-selinux-modes/). Please use our tutorial for notes and tips.