LTS

    Innovation Version

      SELinux Configuration

      Overview

      Discretionary access control (DAC) determines whether a resource can be accessed based on users, groups, and other permissions. It does not allow the system administrator to create comprehensive and fine-grained security policies. SELinux (Security-Enhanced Linux) is a module of the Linux kernel and a security subsystem of Linux. SELinux implements mandatory access control (MAC). Each process and system resource has a special security label. In addition to the principles specified by the DAC, the SELinux needs to determine whether each type of process has the permission to access a type of resource.

      By default, openEuler uses SELinux to improve system security. SELinux has three modes:

      • permissive: The SELinux outputs alarms but does not forcibly execute the security policies.
      • enforcing: The SELinux security policies are forcibly executed.
      • disabled: The SELinux security policies are not loaded.

      Configuration Description

      SELinux is enabled for openEuler by default and the default mode is enforcing. You can change the SELinux mode by changing the value of SELINUX in /etc/selinux/config.

      • To disable the SELinux policy, run the following command:

        SELINUX=disabled
        
      • To use the permissive policy, run the following command:

        SELINUX=permissive
        

      NOTE:
      When you switch between the disabled mode and the other mode, you need to restart the system for the switch to take effect.

      # reboot  
      

      SELinux Commands

      • Query the SELinux mode. For example, the following shows that the SELinux mode is permissive.

        # getenforce
        Permissive
        
      • Set the SELinux mode. 0 indicates the permissive mode, and 1 indicates the enforcing mode. For example, run the following command to set the SELinux mode to enforcing. This command cannot be used to set the disabled mode. After the system is restarted, the mode set in /etc/selinux/config is restored.

        # setenforce 1
        
      • Query the SELinux status. SELinux status indicates the SELinux status. enabled indicates that SELinux is enabled, and disabled indicates that SELinux is disabled. Current mode indicates the current mode of the SELinux.

        # sestatus
        SELinux status:                 enabled
        SELinuxfs mount:                /sys/fs/selinux
        SELinux root directory:         /etc/selinux
        Loaded policy name:             targeted
        Current mode:                   enforcing
        Mode from config file:          enforcing
        Policy MLS status:              enabled
        Policy deny_unknown status:     allowed
        Memory protection checking:     actual (secure)
        Max kernel policy version:      31
        

      Bug Catching

      Buggy Content

      Bug Description

      Submit As Issue

      It's a little complicated....

      I'd like to ask someone.

      PR

      Just a small problem.

      I can fix it online!

      Bug Type
      Specifications and Common Mistakes

      ● Misspellings or punctuation mistakes;

      ● Incorrect links, empty cells, or wrong formats;

      ● Chinese characters in English context;

      ● Minor inconsistencies between the UI and descriptions;

      ● Low writing fluency that does not affect understanding;

      ● Incorrect version numbers, including software package names and version numbers on the UI.

      Usability

      ● Incorrect or missing key steps;

      ● Missing prerequisites or precautions;

      ● Ambiguous figures, tables, or texts;

      ● Unclear logic, such as missing classifications, items, and steps.

      Correctness

      ● Technical principles, function descriptions, or specifications inconsistent with those of the software;

      ● Incorrect schematic or architecture diagrams;

      ● Incorrect commands or command parameters;

      ● Incorrect code;

      ● Commands inconsistent with the functions;

      ● Wrong screenshots.

      Risk Warnings

      ● Lack of risk warnings for operations that may damage the system or important data.

      Content Compliance

      ● Contents that may violate applicable laws and regulations or geo-cultural context-sensitive words and expressions;

      ● Copyright infringement.

      How satisfied are you with this document

      Not satisfied at all
      Very satisfied
      Submit
      Click to create an issue. An issue template will be automatically generated based on your feedback.
      Bug Catching
      编组 3备份