SELinux Configuration

Overview

Discretionary Access Control (DAC) is the most common access control method, where a subject who has the ownership of (or control on) an object can grant other subjects one or more access permissions to the object, and can revoke these permissions at any time. DAC is based on the permissions of the object owner, owner group, and other users. Whether a resource can be accessed depends on whether a user has the required permissions on the resource. As a result, DAC does not allow the system administrator to create comprehensive and fine-grained security policies. Security-Enhanced Linux (SELinux) is a module of the Linux kernel and a security subsystem of Linux. SELinux implements mandatory access control (MAC). Each process and system resource has a special security label. In addition to the principles specified by DAC, SELinux also determines whether each process type has the permission to access a resource type. In this way, the system administrator can create comprehensive and fine-grained security policies.

By default, openEuler uses SELinux to improve system security. SELinux has three modes:

permissive: The SELinux outputs alarms but does not forcibly execute the security policies.
enforcing: The SELinux security policies are forcibly executed.
disabled: The SELinux security policies are not loaded.

Configuration Description

Query the SELinux status.
```
$ getenforce
Enforcing
```
Use the enforcing mode when SELinux is enabled.
```
$ setenforce 1
$ getenforce
Enforcing
```
Use the permissive mode when SELinux is enabled.
```
$ setenforce 0
$ getenforce
Permissive
```
Disable SELinux when it is enabled. (The system needs to be rebooted.)
1. Set SELINUX=disabled in the SELinux configuration file /etc/selinux/config.
```
$ cat /etc/selinux/config | grep "SELINUX="
SELINUX=disabled
```
2. Reboot the system.
```
reboot
```
3. Check if the SELinux status is changed.
```
$ getenforce
Disabled
```
Use the permissive mode when SELinux is disabled.
1. Set SELINUX=permissive in the SELinux configuration file /etc/selinux/config.
```
$ cat /etc/selinux/config | grep "SELINUX="
SELINUX=permissive
```
2. Create a .autorelabel file in the root directory.
```
touch /.autorelabel
```
3. Reboot the system. The system will reboot twice.
```
reboot
```
4. Check if the SELinux status is changed.
```
$ getenforce
Permissive
```
Use the enforcing mode when SELinux is disabled.
1. Use the permissive mode by referring to the previous step.
2. Set SELINUX=enforcing in the SELinux configuration file /etc/selinux/config.
```
$ cat /etc/selinux/config | grep "SELINUX="
SELINUX=enforcing
```
3. Reboot the system.
```
reboot
```
4. Check if the SELinux status is changed.
```
$ getenforce
Enforcing
```

SELinux Commands

Query the SELinux status. SELinux status indicates the SELinux status. enabled indicates that SELinux is enabled, and disabled indicates that SELinux is disabled. Current mode indicates the current mode of the SELinux.

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

Precautions

Before enabling SELinux, you are advised to upgrade selinux-policy to the latest version using DNF. Otherwise, applications may fail to run properly. For example:

dnf update selinux-policy -y

If the system cannot be started due to improper SELinux configuration (for example, a policy is deleted by mistake or no proper rule or security context is configured), you can add selinux=0 to the startup parameters to disable SELinux.

Bug Catching

Buggy Content

Bug Description

Submit As Issue

It's a little complicated....

I'd like to ask someone.

Just a small problem.

I can fix it online!

Bug Type

Specifications and Common Mistakes

● Misspellings or punctuation mistakes;

● Incorrect links, empty cells, or wrong formats;

● Chinese characters in English context;

● Minor inconsistencies between the UI and descriptions;

● Low writing fluency that does not affect understanding;

● Incorrect version numbers, including software package names and version numbers on the UI.

Usability

● Incorrect or missing key steps;

● Missing prerequisites or precautions;

● Ambiguous figures, tables, or texts;

● Unclear logic, such as missing classifications, items, and steps.

Correctness

● Technical principles, function descriptions, or specifications inconsistent with those of the software;

● Incorrect schematic or architecture diagrams;

● Incorrect commands or command parameters;

● Incorrect code;

● Commands inconsistent with the functions;

● Wrong screenshots.

Risk Warnings

● Lack of risk warnings for operations that may damage the system or important data.

Content Compliance

● Contents that may violate applicable laws and regulations or geo-cultural context-sensitive words and expressions;

● Copyright infringement.

We may contact you through email in regard to the bug fixing solution. You will also be notified through email if you win any prize during the activity.

How satisfied are you with this document

Not satisfied at all

Very satisfied

By submitting the contents, you fully understand and agree to the terms of the openEuler Privacy Statement.

Submit

Click to create an issue. An issue template will be automatically generated based on your feedback.