RHCSA - Manage Security: Set Enforcing & Permissive Modes for SELinux

SELinux (Security-Enhanced Linux) is a powerful security mechanism that provides mandatory access control for Linux systems. One of its key aspects is the enforcement state (mode), which determines how SELinux policy is applied. Understanding the three states of SELinux (Enforcing, Permissive, and Disabled) is crucial for managing and configuring SELinux on a Linux system.

Enforcing

The Enforcing state is the default and recommended state for SELinux. In this state, SELinux actively enforces its policies by denying or allowing access to system resources based on defined rules. When an action violates an SELinux policy, it generates an audit log entry and denies the action. The Enforcing state provides the highest level of security and protection against unauthorized access or malicious activities. It is designed to prevent policy violations and enforce strict access controls on the system.

Permissive

The Permissive state is a less strict mode of SELinux operation. In this state, SELinux still evaluates every access against its policy, but it does not block actions that violate the policy. Instead, it generates audit log entries for the violations, allowing system administrators to identify and investigate potential security issues. The Permissive state is useful for troubleshooting and debugging SELinux-related problems, as it provides the same denial information without interrupting normal system operation. It allows you to review the audit logs and make the necessary adjustments to SELinux policy before transitioning back to the Enforcing state.

Disabled

The Disabled state completely disables SELinux on the system. When SELinux is disabled, it does not enforce any policies or generate audit log entries. Disabling SELinux is generally not recommended from a security perspective, as it removes the additional layer of access control and protection provided by SELinux. However, there may be scenarios where disabling SELinux is necessary due to compatibility issues or specific application requirements. It is important to carefully consider the security implications before deciding to disable SELinux.

Managing Enforcement Modes

The setenforce and getenforce commands are used to manage and retrieve the SELinux enforcement mode. The setenforce command allows you to change the SELinux enforcement mode at runtime, while the getenforce command retrieves the current enforcement mode.

To set the mode to enforcing, run: sudo setenforce 1

To set the mode to permissive, run: sudo setenforce 0

If SELinux is disabled, the setenforce command cannot be used. To switch between enforcing and permissive modes at runtime, the SELinux configuration file must have been set to enforcing or permissive at the last reboot, so that the policy was loaded.

While the setenforce command changes the mode at runtime only, the configuration file /etc/selinux/config contains the option that sets the SELinux mode at boot time. This option is the SELINUX variable, which can be set in three ways:

  • SELINUX=enforcing
  • SELINUX=permissive
  • SELINUX=disabled

The following exercise will get you managing SELinux modes:

Changing SELinux modes:

Determine the current SELinux mode.

getenforce

The default mode is Enforcing, so unless you have changed it since installation, the command should have returned:

Enforcing

Change the runtime SELinux mode to Permissive:

sudo setenforce 0

Confirm the runtime change was made successfully:

getenforce

Command output will now return:

Permissive

Set SELinux mode to be Permissive on boot. The sed command swaps the line starting with the SELINUX variable with SELINUX=permissive:

sudo sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config

Reboot the system:

sudo reboot

Confirm the SELinux mode is Permissive following the reboot:

getenforce

Command output should return:

Permissive

Set SELinux mode back to Enforcing on boot:

sudo sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config

Reboot the system:

sudo reboot

Confirm the SELinux mode is Enforcing following the reboot:

getenforce

Command output should return:

Enforcing
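As an added example (not from the original page), the following POSIX shell script compares the runtime mode reported by getenforce with the boot-time SELINUX= value in /etc/selinux/config and reports drift between the two, which is exactly the situation a runtime setenforce change or an unrebooted config edit creates. Where getenforce is not available it falls back to a constructed sample config; the function names parse_selinux_config and check_mode_drift are my own.

```shell
#!/bin/sh
# Added example, not part of the original page: detect drift between the
# runtime SELinux mode and the mode configured for boot.

# Extract the SELINUX= value from config text on stdin.
# Skips comment lines and surrounding whitespace; prints the value in lowercase.
parse_selinux_config() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Compare a runtime mode (as printed by getenforce) with the configured boot mode.
# Prints OK or DRIFT; returns 0 when they agree, 1 when they do not.
check_mode_drift() {
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    boot="$2"
    if [ "$runtime" = "$boot" ]; then
        echo "OK: runtime and boot mode are both $boot"
        return 0
    fi
    echo "DRIFT: runtime=$runtime boot=$boot" \
         "(a setenforce change will not survive reboot, or the config was edited without a reboot)"
    return 1
}

# Constructed sample in the format of /etc/selinux/config (not a real host's file).
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'

# Live check when run on a host that has getenforce and a readable config;
# otherwise demonstrate with the sample and a runtime mode of Permissive.
if command -v getenforce >/dev/null 2>&1 && [ -r /etc/selinux/config ]; then
    check_mode_drift "$(getenforce)" "$(parse_selinux_config < /etc/selinux/config)"
else
    check_mode_drift "Permissive" "$(printf '%s\n' "$SAMPLE_CONFIG" | parse_selinux_config)"
fi || :   # the message already reports the result; do not abort a calling script
```

Run it from cron or a configuration-check job and treat any DRIFT line as a finding to reconcile with setenforce or /etc/selinux/config.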
