5.4. Enabling and Disabling SELinux

Use the /usr/sbin/getenforce or /usr/sbin/sestatus commands to check the status of SELinux. Thegetenforce command returns Enforcing, Permissive, or Disabled. The getenforce command returnsEnforcing when SELinux is enabled (SELinux policy rules are enforced):

$ /usr/sbin/getenforce

Enforcing

The getenforce command returns Permissive when SELinux is enabled, but SELinux policy rules are not enforced, and only DAC rules are used. The getenforce command returns Disabled if SELinux is disabled.

The sestatus command returns the SELinux status and the SELinux policy being used:

$ /usr/sbin/sestatus

SELinux status:                 enabled

SELinuxfs mount:                /selinux

Current mode:                   enforcing

Mode from config file:          enforcing

Policy version:                 23

Policy from config file:        targeted

SELinux status: enabled is returned when SELinux is enabled. Current mode: enforcing is returned when SELinux is running in enforcing mode. Policy from config file: targeted is returned when the SELinux targeted policy is used.

5.4.1. Enabling SELinux

On systems with SELinux disabled, the SELINUX=disabled option is configured in /etc/selinux/config:

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

#       enforcing - SELinux security policy is enforced.

#       permissive - SELinux prints warnings instead of enforcing.

#       disabled - No SELinux policy is loaded.

SELINUX=disabled

# SELINUXTYPE= can take one of these two values:

#       targeted - Targeted processes are protected,

#       mls - Multi Level Security protection.

SELINUXTYPE=targeted

Also, the getenforce command returns Disabled:

$ /usr/sbin/getenforce

Disabled

To enable SELinux:

  1. Use the rpm -qa | grep selinux, rpm -q policycoreutils, and rpm -qa | grep setroubleshootcommands to confirm that the SELinux packages are installed. This guide assumes the following packages are installed: selinux-policy-targeted, selinux-policy, libselinux, libselinux-python, libselinux-utils, policycoreutils,setroubleshoot, setroubleshoot-server, setroubleshoot-plugins. If these packages are not installed, as the Linux root user, install them via the yum install package-name command. The following packages are optional:policycoreutils-gui, setroubleshoot, selinux-policy-devel, and mcstrans.

  2. Before SELinux is enabled, each file on the file system must be labeled with an SELinux context. Before this happens, confined domains may be denied access, preventing your system from booting correctly. To prevent this, configure SELINUX=permissive in /etc/selinux/config:

    # This file controls the state of SELinux on the system.
    
# SELINUX= can take one of these three values:
    
#       enforcing - SELinux security policy is enforced.
    
#       permissive - SELinux prints warnings instead of enforcing.
    
#       disabled - No SELinux policy is loaded.
    
SELINUX=permissive
    
# SELINUXTYPE= can take one of these two values:
    
#       targeted - Targeted processes are protected,
    
#       mls - Multi Level Security protection.
    
SELINUXTYPE=targeted

  3. As the Linux root user, run the reboot command to restart the system. During the next boot, file systems are labeled. The label process labels all files with an SELinux context:

    *** Warning -- SELinux targeted policy relabel is required.
    
*** Relabeling could take a very long time, depending on file
    
*** system size and speed of hard drives.
    
****

    Each * character on the bottom line represents 1000 files that have been labeled. In the above example, four* characters represent 4000 files have been labeled. The time it takes to label all files depends upon the number of files on the system, and the speed of the hard disk drives. On modern systems, this process can take as little as 10 minutes.

  4. In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied if running in enforcing mode. Before changing to enforcing mode, as the Linux root user, run thegrep "SELinux is preventing" /var/log/messages command as the Linux root user to confirm that SELinux did not deny actions during the last boot. If SELinux did not deny actions during the last boot, this command does not return any output. Refer to Chapter 7, Troubleshooting for troubleshooting information if SELinux denied access during boot.

  5. If there were no denial messages in /var/log/messages, configure SELINUX=enforcing in/etc/selinux/config:

    # This file controls the state of SELinux on the system.
    
# SELINUX= can take one of these three values:
    
#       enforcing - SELinux security policy is enforced.
    
#       permissive - SELinux prints warnings instead of enforcing.
    
#       disabled - No SELinux policy is loaded.
    
SELINUX=enforcing
    
# SELINUXTYPE= can take one of these two values:
    
#       targeted - Targeted processes are protected,
    
#       mls - Multi Level Security protection.
    
SELINUXTYPE=targeted

  6. Reboot your system. After reboot, confirm that the getenforce command returns Enforcing:

    $ /usr/sbin/getenforce
    
Enforcing

  7. As the Linux root user, run the /usr/sbin/semanage login -l command to view the mapping between SELinux and Linux users. The output should be as follows:

    Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
    
root                      unconfined_u              s0-s0:c0.c1023
    
system_u                  system_u                  s0-s0:c0.c1023

If this is not the case, run the following commands as the Linux root user to fix the user mappings. It is safe to ignore the SELinux-user username is already defined warnings if they occur, where username can beunconfined_u, guest_u, or xguest_u:

  • /usr/sbin/semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
  • /usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__
  • /usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root
  • /usr/sbin/semanage user -a -S targeted -P user -R guest_r guest_u
  • /usr/sbin/semanage user -a -S targeted -P user -R xguest_r xguest_u

  • 5.4.2. Disabling SELinux

    To disable SELinux, configure SELINUX=disabled in /etc/selinux/config:

    # This file controls the state of SELinux on the system.
    
# SELINUX= can take one of these three values:
    
#       enforcing - SELinux security policy is enforced.
    
#       permissive - SELinux prints warnings instead of enforcing.
    
#       disabled - No SELinux policy is loaded.
    
SELINUX=disabled
    
# SELINUXTYPE= can take one of these two values:
    
#       targeted - Targeted processes are protected,
    
#       mls - Multi Level Security protection.
    
SELINUXTYPE=targeted

    Reboot your system. After reboot, confirm that the getenforce command returns Disabled:

    $ /usr/sbin/getenforce
    
Disabled

    注:本文来自:http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html

    • centos:开启和关闭selinux的更多相关文章

    1. CentOS 7.X 关闭SELinux

      1.查看 [root@dev-server ~]# getenforce Disabled [root@dev-server ~]# /usr/sbin/sestatus -v SELinux sta ...

    2. centos 6.X 关闭selinux

      SELinux(Security-Enhanced Linux) 是美国国家安全局(NSA)对于强制访问控制的实现,是 Linux历史上最杰出的新安全子系统.在这种访问控制体系的限制下,进程只能访问那 ...

    3. CentOS开启和关闭防火墙

      CentOS Linux开启和关闭防火墙命令有两种,一种是临时的,重启即复原:另外一种是永久性的,重启不会复原.   1) 临时生效,重启后复原 开启: service iptables start ...

    4. Centos 7.6关闭selinux

      查看selinux状态 [root@localhost ~]# sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SE ...

    5. Linux下开启关闭SeLinux

      SELinux (Security-Enhanced Linux) in Fedora is an implementation of mandatory access control in the ...

    6. 查看/关闭SElinux (原创帖,转载请注明出处)

      查看SELinux状态: 1   /usr/sbin/sestatus -v | grep "SELinux status:" ##如果SELinux status参数为enabl ...

    7. centos7防火墙以设置以及关闭selinux

      一.CentOS 7.X 关闭SELinux 1.查看 getenforce permissive 或者 enforcing模式 2.临时设置 setenforce 1 成为permissive模式 ...

    8. 查看SELinux状态及关闭SELinux

      查看SELinux状态: 输入:/usr/sbin/sestatus -v SELinux status: enabled           ##开启状态 关闭SELinux 修改vi /etc/s ...

    9. centos 7.0 查看selinux状态|关闭|开启

      Linux在安装好之后通常SELinux都是出于默认开启的状态,开启的情况下会导致一些服务的安装不成功. 在不需要的情况下完全可以关闭掉,下面是在centos 7.0里面如何查看,关闭selinux. ...

    随机推荐

    1. webservice jaxws header验证

      @WebService @HandlerChain public class UserService { ... } package com.xx.ws.header; import org.w3c. ...

    2. Mybatis-Generator自动生成Dao、Model、Mapping等相关映射文件(懒人版)

      今天在学习mybatis生成相关的映射文件的时候,发现了往期的生成Dao.Model.Mapping等文章多数都是一样的,我也在学着重复造轮子,不过是懒人造的.本文旨在解决开发过程,简化配置文件的“手 ...

    3. zoj1004-Anagrams by Stack 【栈 dfs】

      http://acm.zju.edu.cn/onlinejudge/showProblem.do?problemId=4 Anagrams by Stack Time Limit: 2 Seconds ...

    4. np.random.randn()、np.random.rand()、np.random.randint()

      (1)np.random.randn()函数 语法: np.random.randn(d0,d1,d2……dn) 1)当函数括号内没有参数时,则返回一个浮点数: 2)当函数括号内有一个参数时,则返回秩 ...

    5. Educational Codeforces Round 59

      B. Digital root 题意: 题目定义了x的digital root是S(x).S(5)=5,S(38)=S(3+8=11)=S(1+1+2)=2. 有n个询问,每次询问给出ki和xi,要你 ...

    6. mysql基本的增删改查和条件语句

      增 insert into 表名(列名,列名......) values("test1",23),("test2",23),("test3" ...

    7. mysql索引提高查询速度

      使用索引提高查询速度 1.前言 在web开发中,业务模版,业务逻辑(包括缓存.连接池)和数据库这三个部分,数据库在其中负责执行SQL查询并返回查询结果,是影响网站速度最重要的性能瓶颈.本文主要针对My ...

    8. 一定要 先删除 sc表 中的 某元组 行,,, 再删除 course表中的 元组行

      一定要  先删除 sc表 中的  某元组   行,,, 再删除  course表中的  元组行 course表 SC表 删除  course表中的  元组行,,出现错误 sc    ---->参 ...

    9. 洛谷 P2986 [USACO10MAR]伟大的奶牛聚集(树形动规)

      题目描述 Bessie is planning the annual Great Cow Gathering for cows all across the country and, of cours ...

    10. maven使用感受

      第一次接触的时候,什么都不懂,感觉好复杂. 后来系统地看了一个使用教程: 简单评价一下: 自动帮我们下载jar架包,还有就是可以执行命令自己部署到远程服务器上面去. 缺点: 学习成本.一般人不了解.第 ...