SELinux Configuration
Overview
Discretionary Access Control (DAC) is the most common access control method, where a subject who has the ownership of (or control on) an object can grant other subjects one or more access permissions to the object, and can revoke these permissions at any time. DAC is based on the permissions of the object owner, owner group, and other users. Whether a resource can be accessed depends on whether a user has the required permissions on the resource. As a result, DAC does not allow the system administrator to create comprehensive and fine-grained security policies. Security-Enhanced Linux (SELinux) is a module of the Linux kernel and a security subsystem of Linux. SELinux implements mandatory access control (MAC). Each process and system resource has a special security label. In addition to the principles specified by DAC, SELinux also determines whether each process type has the permission to access a resource type. In this way, the system administrator can create comprehensive and fine-grained security policies.
By default, openEuler uses SELinux to improve system security. SELinux has three modes:
- permissive: The SELinux outputs alarms but does not forcibly execute the security policies.
- enforcing: The SELinux security policies are forcibly executed.
- disabled: The SELinux security policies are not loaded.
Configuration Description
Query the SELinux status.
$ getenforce Enforcing
Use the enforcing mode when SELinux is enabled.
$ setenforce 1 $ getenforce Enforcing
Use the permissive mode when SELinux is enabled.
$ setenforce 0 $ getenforce Permissive
Disable SELinux when it is enabled. (The system needs to be rebooted.)
Set SELINUX=disabled in the SELinux configuration file /etc/selinux/config.
$ cat /etc/selinux/config | grep "SELINUX=" SELINUX=disabled
Reboot the system.
reboot
Check if the SELinux status is changed.
$ getenforce Disabled
Use the permissive mode when SELinux is disabled.
Set SELINUX=permissive in the SELinux configuration file /etc/selinux/config.
$ cat /etc/selinux/config | grep "SELINUX=" SELINUX=permissive
Create a .autorelabel file in the root directory.
touch /.autorelabel
Reboot the system. The system will reboot twice.
reboot
Check if the SELinux status is changed.
$ getenforce Permissive
Use the enforcing mode when SELinux is disabled.
Use the permissive mode by referring to the previous step.
Set SELINUX=enforcing in the SELinux configuration file /etc/selinux/config.
$ cat /etc/selinux/config | grep "SELINUX=" SELINUX=enforcing
Reboot the system.
reboot
Check if the SELinux status is changed.
$ getenforce Enforcing
SELinux Commands
Query the SELinux status. SELinux status indicates the SELinux status. enabled indicates that SELinux is enabled, and disabled indicates that SELinux is disabled. Current mode indicates the current mode of the SELinux.
$ sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33
Precautions
- Before enabling SELinux, you are advised to upgrade selinux-policy to the latest version using DNF. Otherwise, applications may fail to run properly. For example:
dnf update selinux-policy -y
- If the system cannot be started due to improper SELinux configuration (for example, a policy is deleted by mistake or no proper rule or security context is configured), you can add selinux=0 to the startup parameters to disable SELinux.