Overview
By the end of this article you should be able to answer the following questions:
– Disabled
– Permissive
– Enforcing
$ getenforce
# or
$ sestatus
$ sestatus
/etc/selinux/config
# the reboot the machine
$ setenforce enforcing
$ setenforce permissive
# edit the /etc/selinux/config
Trick question, you can’t do it on the command line, you have to edit /etc/selinux/config and then reboot the machine.
SELinux can be disabled, or running in either “passive” (i.e. permissive) or enforcing (i.e. active) modes. So before you can start understanding/using SELinux, you need to understand these modes when to use them.
SELinux Modes
SELinux can run in three different operational modes:
- Disabled – In this mode, SELinux is switched off. In practice this means that none of the linux objects are labelled, i.e. they don’t have a security context, and consequently the policy type is not being used for anything. In this situation the only active security layers are the DAC type security layers, e.g. ugo+rwx.
- Permissive – In this mode, all objects are labelled and a Policy type is being used. However it will only monitor and write SELinux breaches to log files rather than deny access of any object interacting with another object. This log file is located at
/var/log/audit/audit.log
. In other words SELinux is observing but not blocking anything at all. This means that the log files would show what SELinux would have blocked if it was in enforcing mode. - enforcing – This does all the same thing as permissive mode, and at also actively deny access when there is a breach.
To see which SELinux mode is currently in use, we use the getenforce command:
$ whatis getenforce getenforce (8) - get the current mode of SELinux $ getenforce Permissive
Alternatively we can use the sestatus command:
$ whatis sestatus sestatus (8) - SELinux status tool $ sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: permissive Mode from config file: enforcing # this is the mode machine will boot into Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28
To switch from permissive mode to enforcing, or vice versa, we can use the setenforce command:
$ whatis setenforce setenforce (8) - modify the mode SELinux is running in $ getenforce Permissive $ setenforce enforcing $ getenforce Enforcing
Changing the mode using setenforce will not survive a reboot, as indicated by the sestatus command:
$ sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: permissive Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28
So to make the change permenant, we edit the following file:
$ cat /etc/selinux/config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=enforcing # SELINUXTYPE= can take one of these two values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted
Note: we will cover SELINUXTYPE later.
Disabling SELinux
You can’t use the setenforce command for switching to/away-from the disabled mode. Instead that is done by editing the /etc/selinux/config
file, and then rebooting the machine.
While in disabled mode, any objects that are created won’t automatically get labelled. Here’s an example of what happends
$ cat /etc/selinux/config | grep "^SELINUX=" SELINUX=disabled # then reboot the machine, after which we then do: $ getenforce Disabled $ ls -lZ Disabled-testfile.txt -rw-r--r-- root root ? Disabled-testfile.txt
The “?” indicates that this object does not have an SELinux context.
Also when you switch from disabled to permissive/enabled mode, then the reboot can take longer. That’s because SELinux scans the whole machine searching for any unlabelled objects (like the one above) and sets a label for them. So that we end up with something like:
$ getenforce Permissive $ ls -lZ Disabled-testfile.txt -rw-r--r--. root root system_u:object_r:admin_home_t:s0 Disabled-testfile.txt
You can also switch SELinux modes by passing in a grub parameter during boot time. you set enforcing=0
for permissive, and enforcing=1
for enforcing.
Note: at the end of of rhcsa exam you need to always ensure that the machine is left in enforcing mode, unless instructed otherwise.