Linux - SELinux

Permissive mode:
SELinux stays loaded and active, but access decisions are not enforced: every operation is allowed, and each operation that the policy would have denied is logged (an AVC denial) noting that it would have been denied. The mechanism that assigns labels to files being created or changed is still active, so the filesystem stays consistent with the policy.

Disabled mode:
SELinux is completely switched off in the kernel: no policy is loaded, every operation is permitted, and nothing decides what to label files and processes with. Files created or changed while disabled therefore end up without correct labels (see Re-Enabling SELinux below).


Temporarily switch off enforcement (permissive mode until the next reboot; equivalent to setenforce 0)
> echo 0 >/selinux/enforce
Under the strict policy this write is only permitted from a role allowed to change enforcement, such as sysadm_r, so switch role first if necessary:
> newrole -r sysadm_r
Note: on newer kernels selinuxfs is mounted at /sys/fs/selinux, so the file is /sys/fs/selinux/enforce; getenforce shows the current mode.

Temporarily switch on enforcement (equivalent to setenforce 1)
> echo 1 >/selinux/enforce

Permanently Permissive (takes effect at the next boot; change SELINUX=enforcing to SELINUX=permissive)
> vi /etc/selinux/config
...
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
...
(Other than Red Hat Linux, or to override /etc/selinux/config: pass enforcing=0 on the kernel command line)
> vi /boot/grub/grub.conf
...
kernel /boot/vmlinuz-2.4.20 ro root=/dev/hda1 nousb enforcing=0
...
(With GRUB 2, add the parameter to GRUB_CMDLINE_LINUX in /etc/default/grub and regenerate the GRUB configuration instead.)

Fully Disabling SELinux
> vi /etc/selinux/config
...
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
...
(Other than Red Hat Linux, or to override /etc/selinux/config: pass selinux=0 on the kernel command line)
> vi /boot/grub/grub.conf
...
kernel /boot/vmlinuz-2.4.20 ro root=/dev/hda1 nousb selinux=0
...
(With GRUB 2, add the parameter to GRUB_CMDLINE_LINUX in /etc/default/grub and regenerate the GRUB configuration instead.)
Caveat: kernels from 6.4 onwards have removed the ability to disable SELinux at runtime, so on such systems (RHEL 9 and later, for example) SELINUX=disabled in /etc/selinux/config is no longer enough on its own; selinux=0 on the kernel command line is the only way to fully disable it.

Re-Enabling SELinux
If you've disabled SELinux as in the section above and want to enable it again, you've got a bit of work to do. The problem is that files created or changed while SELinux was disabled won't have the correct labels; if you simply reboot in enforcing mode, a lot of things won't work properly.
What you need to do is enable SELinux by editing /etc/selinux/config (for Fedora/Red Hat) or by adding selinux=1 to the kernel boot line, boot into permissive mode, relabel everything, and then reboot into (or simply switch to) enforcing mode.
After booting into permissive mode, run fixfiles relabel as root (it will offer to clean out /tmp, since files there may be labelled incorrectly).
Alternatively, in Fedora and Red Hat Enterprise Linux you can touch /.autorelabel (fixfiles onboot does the same) and reboot, or put autorelabel on the boot command line; in both cases the system gets a full relabel early in the boot process. Note that this can take quite some time on systems with a large number of files.
After relabelling the filesystem, you can switch to enforcing mode (see above) and your system should be fully enforcing again.
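As an added example (not from the original page), the following POSIX shell script puts the two configuration mechanisms above side by side: it reads and rewrites the SELINUX= line of an /etc/selinux/config-style file, works out which mode a system will actually boot into when kernel parameters are also present, and rehearses the re-enable step of setting the config back to permissive and requesting a relabel. The precedence it encodes (selinux=0 disables SELinux outright; otherwise enforcing=0 or enforcing=1 on the command line overrides the SELINUX= value from the config) is how the init-time policy load behaves. The sample config and the scratch directory are constructed here so that nothing on the real system is touched; the function names are my own.

```shell
#!/bin/sh
# Added example: SELinux mode from /etc/selinux/config and kernel parameters.
# Works on a constructed copy of the config in a scratch directory.

# Print the effective SELINUX= value from a config file. Commented-out
# examples and SELINUXTYPE= are ignored; the last real assignment wins.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# Rewrite the SELINUX= line of a config file to MODE, refusing bad values.
# Usage: set_selinux_config_mode FILE enforcing|permissive|disabled
set_selinux_config_mode() {
    case "$2" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELINUX mode: $2" >&2; return 1 ;;
    esac
    tmp="$1.tmp.$$"
    # Only the real assignment matches; the '# SELINUX= can take' comment does not.
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$2/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Given a config file and a kernel command line, print the mode SELinux
# will be in once the system has booted and init has loaded policy.
# Assumed precedence: selinux=0 disables outright; a disabled config
# disables; otherwise enforcing=0/1 overrides the config's mode.
effective_boot_mode() {
    cmdline=" $2 "
    case "$cmdline" in
        *" selinux=0 "*) echo disabled; return 0 ;;
    esac
    cfg=$(selinux_config_mode "$1")
    case "$cfg" in
        disabled) echo disabled; return 0 ;;
        enforcing|permissive) ;;
        *) echo "unknown SELINUX= value in $1: '$cfg'" >&2; return 1 ;;
    esac
    case "$cmdline" in
        *" enforcing=0 "*) echo permissive ;;
        *" enforcing=1 "*) echo enforcing ;;
        *) echo "$cfg" ;;
    esac
}

# Re-enabling after SELINUX=disabled: set the config back to permissive and
# request a full relabel on the next boot (Fedora/RHEL look for /.autorelabel).
# ROOT is the filesystem root; pass a scratch directory to rehearse offline.
request_reenable_with_relabel() {
    set_selinux_config_mode "$1" permissive || return 1
    : > "$2/.autorelabel"
}

# Constructed sample of /etc/selinux/config used by the demonstration below.
make_sample_config() {
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
EOF
}

# Demonstration on a scratch copy; the real /etc/selinux/config is untouched.
workdir=$(mktemp -d)
cfg="$workdir/config"
make_sample_config "$cfg"
echo "config says:             $(selinux_config_mode "$cfg")"
echo "boot with enforcing=0:   $(effective_boot_mode "$cfg" "ro root=/dev/hda1 nousb enforcing=0")"
echo "boot with selinux=0:     $(effective_boot_mode "$cfg" "ro root=/dev/hda1 nousb selinux=0")"
set_selinux_config_mode "$cfg" disabled
echo "after disabling:         $(effective_boot_mode "$cfg" "ro root=/dev/hda1 enforcing=1")"
request_reenable_with_relabel "$cfg" "$workdir"
echo "after re-enable request: $(effective_boot_mode "$cfg" "ro root=/dev/hda1")"
if [ -f "$workdir/.autorelabel" ]; then
    echo "full relabel requested via $workdir/.autorelabel"
fi
rm -rf "$workdir"
```

Point the functions at the real /etc/selinux/config, /proc/cmdline and / only once you have checked the output on the scratch copy; the relabel request is a real file on the root filesystem and is honoured on the next boot.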
