SELinux on RHEL 7.5


Hi, I would like to know if there is anything I need to do to setup SELinux on RHEL 7.5 for home use? Thanks! :)

Responses

Hi GD,

No, there's nothing special to set up, after the installation of the system SELinux is already enabled and configured out-of-the-box. :)

$ sudo cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted  

Regards,
Christian

Thanks! :)

You're welcome ! :)

That is right. However, to view the current mode of SELinux, you could run the 'sestatus' command.

[root@rhel77 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

So, this file '/etc/selinux/config' is read only when the system is rebooted or powered on. However, the SELinux policy could be changed from 'enforcing' to 'permissive' and vice versa on the fly using 'setenforce' ('setenforce 0' to set permissive mode and 'setenforce 1' to set enforcing mode), which doesn't need a reboot. However, to go from either 'permissive' or 'enforcing' mode to 'disabled', a system reboot is required, and the same holds good when going from 'disabled' mode to 'permissive' or 'enforcing', which needs changes in the configuration file. 'getenforce' gives the status, whether it is 'enforcing' or 'permissive' mode, which is the same result as when the 'sestatus' command is run, where it is displayed as 'Current mode'.

At the core, when SELinux is set to 'enforcing' mode it would not allow any process to access a file/directory/port which doesn't abide by the SELinux context rules, and any such events get recorded. However, in 'permissive' mode it would allow access and log those events.

There is much more to this and what I said is only an introduction; please refer to this for more details: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/index

Thanks for your additional explanation, Sadashiva. :) Generally I recommend keeping the default settings (enforcing). Only when something important doesn't work as expected would I temporarily disable it via sudo setenforce 0, and re-enable it afterwards with sudo setenforce 1. So, I'd advise GD (and all other users) to leave /etc/selinux/config untouched in order to keep the system in a continuously safe state. Also I want to stress that once one has disabled SELinux completely, a relabeling of the whole file system is required after SELinux gets re-enabled.

Regards,
Christian
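The two posts above describe three facts worth checking on a box rather than remembering: the runtime mode (getenforce) and the boot mode (SELINUX= in /etc/selinux/config) can differ, exactly as the sestatus output earlier in the thread shows ('Current mode: permissive' against 'Mode from config file: enforcing'); enforcing and permissive are interchangeable on the fly with setenforce, while disabled needs a config edit and a reboot; and coming back from disabled calls for a full relabel. The script below is an added example, not code from this thread or from Red Hat: it reads the config file, compares it with the live mode, and prints the action that closes the gap. The function names, the SELINUX_CFG default path, and the sample config it writes are all assumptions so the logic can be exercised on a host that has no SELinux at all. The relabel hint uses /.autorelabel, which the RHEL guide linked above documents as the trigger for a relabel on next boot.

```shell
#!/bin/sh
# Added example (not from the thread): audit SELinux runtime vs. boot mode.

# Extract SELINUX= from a config file; comments and whitespace are ignored.
# Path defaults to the real file, but any path can be passed for testing.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "${1:-/etc/selinux/config}" | head -n 1
}

# Extract SELINUXTYPE= the same way (targeted / minimum / mls).
selinux_config_type() {
    sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([a-z]*\).*/\1/p' "${1:-/etc/selinux/config}" | head -n 1
}

# Live mode as getenforce reports it, lowercased. A host without the
# SELinux userspace tools is treated as 'disabled'.
selinux_runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr 'A-Z' 'a-z'
    else
        echo disabled
    fi
}

# Classify the gap between runtime mode ($1) and configured mode ($2):
#   ok        - they agree
#   temporary - enforcing vs permissive; setenforce fixes it, no reboot
#   reboot    - one side is 'disabled'; only a reboot changes that
selinux_drift() {
    if [ "$1" = "$2" ]; then
        echo ok
    elif [ "$1" = disabled ] || [ "$2" = disabled ]; then
        echo reboot
    else
        echo temporary
    fi
}

# Print the command(s) that bring the runtime in line with the config.
# Leaving 'disabled' also needs a relabel, hence the /.autorelabel touch.
selinux_fix_hint() {
    case "$(selinux_drift "$1" "$2")" in
        ok)
            echo "nothing to do" ;;
        temporary)
            if [ "$2" = enforcing ]; then echo "setenforce 1"; else echo "setenforce 0"; fi ;;
        reboot)
            if [ "$1" = disabled ]; then
                echo "set SELINUX=$2 in /etc/selinux/config, touch /.autorelabel, reboot"
            else
                echo "set SELINUX=disabled in /etc/selinux/config, reboot"
            fi ;;
    esac
}

# Write a constructed sample config (assumption, for offline runs) to $1.
write_sample_config() {
    printf '# sample, constructed for this example\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$1"
}

# Report on the live system when the real config exists; otherwise
# demonstrate with the sample config and a made-up 'permissive' runtime.
if [ -r "${SELINUX_CFG:=/etc/selinux/config}" ]; then
    cur=$(selinux_runtime_mode); cfg=$(selinux_config_mode "$SELINUX_CFG")
else
    SELINUX_CFG=$(mktemp); write_sample_config "$SELINUX_CFG"
    cur=permissive; cfg=$(selinux_config_mode "$SELINUX_CFG")
fi
echo "policy=$(selinux_config_type "$SELINUX_CFG") current=$cur configured=$cfg drift=$(selinux_drift "$cur" "$cfg")"
echo "hint: $(selinux_fix_hint "$cur" "$cfg")"
```

Run it as a normal user; it only reads state. On a real RHEL host in the state shown in the sestatus output above it prints drift=temporary and hint: setenforce 1, which is the 'temporarily permissive, then back to enforcing' workflow Christian recommends, without anyone editing the config file.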

Thanks for your helpful reply, I will leave it in enforcing mode, I know that so far when running programs on Fedora I never had to disable SELinux, or change to permissive mode.

That's a good decision, GD - I am having the same experience. I never had to turn off SELinux, not on my Fedora workstation production system and not on CentOS or on RHEL. FYI, one of the exceptions where you would temporarily need to turn off SELinux is when you run an LXC/LXD system container, which doesn't work with SELinux enabled.

Regards,
Christian

Thanks!

Thanks for your help! :)

deleted duplicate post..
