Changing SELinux states and modes

    As discussed in Introduction to SELinux, SELinux can be enabled or disabled. When enabled, SELinux has two modes: enforcing and permissive.

    Use the getenforce or sestatus commands to check in which mode SELinux is running. The getenforce command returns Enforcing, Permissive, or Disabled.

    The sestatus command returns the SELinux status and the SELinux policy being used:

    When enabled, SELinux can run in one of two modes: enforcing or permissive. The following sections show how to permanently change into these modes.

    Enabling SELinux

    When enabling SELinux on a system that previously had it disabled, follow this procedure to avoid problems such as a system that cannot boot or processes that fail.

    Prerequisites

    • The selinux-policy-targeted, selinux-policy, libselinux-utils, and grubby packages are installed. To check that a particular package is installed:

        $ rpm -q package_name

    Procedure

    1. If your system has SELinux disabled at the kernel level (this is the recommended way to disable it; see the procedure for permanently disabling SELinux below), change this first. Check whether the selinux=0 option is present in your kernel command line:

        $ cat /proc/cmdline
        BOOT_IMAGE=... ... selinux=0

       Remove the selinux=0 option from the bootloader configuration using grubby:

        $ sudo grubby --update-kernel ALL --remove-args selinux

       The change applies after you restart the system in one of the following steps.

    2. Ensure the file system is relabeled on the next boot:

        $ sudo fixfiles onboot

    3. Enable SELinux in permissive mode. For more information, see Changing to permissive mode.

    4. Restart your system:

        $ reboot

    5. Check for SELinux denial messages.

    If an application does not work correctly with SELinux enabled, you have the following options:

    • Run your application in the unconfined_service_t domain.

    • Write a new policy for your application. See the chapter in the RHEL 8 Using SELinux document for more information.

    Changing to permissive mode

    When SELinux is running in permissive mode, the SELinux policy is not enforced. The system remains operational and SELinux does not deny any operations; it only logs AVC messages, which can then be used for troubleshooting, debugging, and SELinux policy improvements. In this mode each AVC is logged only once.

    Procedure

    To permanently change the mode to permissive:

    1. Edit the /etc/selinux/config file as follows:

        # SELINUX= can take one of these three values:
        #     enforcing - SELinux security policy is enforced.
        #     permissive - SELinux prints warnings instead of enforcing.
        #     disabled - No SELinux policy is loaded.
        SELINUX=permissive
        # SELINUXTYPE= can take one of these two values:
        #     targeted - Targeted processes are protected,
        #     mls - Multi Level Security protection.
        SELINUXTYPE=targeted

    2. Restart the system:

        $ reboot
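    The edit in step 1 is a one-line change to /etc/selinux/config. The following script is an added example, not part of the Fedora documentation, that reads the SELINUX= setting from a config file and rewrites it to one of the three valid values, refusing anything else. It works on a constructed copy of the file in a temporary location, so it can be tried without touching the real system configuration; the function names and the sample file contents are this example's own.

```shell
#!/bin/sh
# Added example (not from the Fedora documentation): read and rewrite the
# SELINUX= setting in a copy of /etc/selinux/config. The file path is a
# parameter so the functions can be tried against a constructed sample
# instead of the real file.

# Print the effective SELINUX= value from a config file. Comment lines start
# with '#', so they never match; the last assignment wins, as in the real file.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite SELINUX= to the requested mode. Only the three documented values are
# accepted; a typo here would otherwise leave the system in an undefined state.
set_selinux_config_mode() {
    file=$1
    mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELINUX mode: $mode" >&2; return 1 ;;
    esac
    # Write to a temporary file and move it into place (portable sed, no -i).
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Constructed sample config, written to a temporary file.
sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF
    echo "$f"
}

# Demo: switch the sample from permissive to enforcing and show both readings.
cfg=$(sample_config)
echo "before: $(selinux_config_mode "$cfg")"
set_selinux_config_mode "$cfg" enforcing
echo "after:  $(selinux_config_mode "$cfg")"
rm -f "$cfg"
```

    To apply the same change to the live system, call set_selinux_config_mode on /etc/selinux/config as root and then reboot, as step 2 describes.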

    Changing to enforcing mode

    When SELinux is running in enforcing mode, it enforces the SELinux policy and denies access based on SELinux policy rules. In Fedora, enforcing mode is enabled by default when the system was initially installed with SELinux.

    Procedure

    1. Check the current SELinux mode by using the getenforce command:

        $ getenforce
        Permissive

       If the command displays Disabled, follow Enabling SELinux. If it displays Permissive, use the following steps to change the mode back to enforcing:

    2. Edit the /etc/selinux/config file as follows:

        # This file controls the state of SELinux on the system.
        # SELINUX= can take one of these three values:
        #     enforcing - SELinux security policy is enforced.
        #     permissive - SELinux prints warnings instead of enforcing.
        #     disabled - No SELinux policy is loaded.
        SELINUX=enforcing
        # SELINUXTYPE= can take one of these two values:
        #     targeted - Targeted processes are protected,
        #     mls - Multi Level Security protection.
        SELINUXTYPE=targeted

    3. Restart the system:

        $ reboot

       On the next boot, SELinux relabels all files and directories in the system and adds the SELinux context for files and directories that were created while SELinux was disabled.

    Disabling SELinux

    Prerequisites

    • The grubby package is installed:

        $ rpm -q grubby
        grubby-version

    Procedure

    To permanently disable SELinux:

    1. Configure your bootloader to add selinux=0 to the kernel command line:

        $ sudo grubby --update-kernel ALL --args selinux=0

    2. Restart your system:

        $ reboot

    Verification step

    • After the reboot, confirm that the getenforce command returns Disabled:

        $ getenforce

    On boot, you can set several kernel parameters to change the way SELinux runs:

    enforcing=0

    Setting this parameter causes the machine to boot in permissive mode, which is useful when troubleshooting issues. Permissive mode might be the only way to detect a problem if your file system labels are badly damaged. Moreover, in permissive mode the system continues to create labels correctly. The AVC messages created in this mode can differ from those in enforcing mode: in enforcing mode you might get a denial on reading a directory, at which point the application stops. In permissive mode you get the same AVC message, but the application continues reading files in the directory, so you also get an AVC for each further denial. Each distinct denial is still reported only once.

    selinux=0

    This parameter causes the kernel to not load any part of the SELinux infrastructure. The init scripts notice that the system booted with the selinux=0 parameter and touch the /.autorelabel file. This causes the system to automatically relabel the next time you boot with SELinux enabled.

    autorelabel=1

    This parameter forces the system to relabel, with the same effect as creating the /.autorelabel file and rebooting:

        $ sudo touch /.autorelabel
        $ reboot
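    The three parameters above, together with the selinux=0 check in step 1 of Enabling SELinux, are all read from the kernel command line. The script below is an added example, not part of the Fedora documentation, that classifies the SELinux state a command line requests: selinux=0 means nothing is loaded regardless of the other options, enforcing=0 means permissive, and otherwise the mode comes from /etc/selinux/config; it also reports whether autorelabel=1 is present. The command line is passed as a string so the same functions run against the constructed samples here or against $(cat /proc/cmdline) on a real host; the function names and sample command lines are this example's own.

```shell
#!/bin/sh
# Added example (not from the Fedora documentation): classify the SELinux
# state that a kernel command line requests. The command line is passed in
# as a string so it can be checked against constructed samples.

# Print the boot-time SELinux state implied by the parameters in $1.
# selinux=0 takes precedence over everything else (nothing is loaded);
# enforcing=0 means permissive; otherwise the mode is taken from
# /etc/selinux/config, reported here as "from-config".
selinux_boot_state() {
    state="from-config"
    for param in $1; do
        case $param in
            selinux=0)   state="disabled"; break ;;
            enforcing=0) state="permissive" ;;
        esac
    done
    echo "$state"
}

# Print "yes" if the command line asks for a full relabel on this boot.
selinux_boot_relabel() {
    for param in $1; do
        [ "$param" = "autorelabel=1" ] && { echo yes; return 0; }
    done
    echo no
}

# Constructed command lines resembling /proc/cmdline on a Fedora system.
CMDLINE_DISABLED="BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/root ro rhgb quiet selinux=0"
CMDLINE_PERMISSIVE="BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/root ro enforcing=0 autorelabel=1"
CMDLINE_NORMAL="BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/root ro rhgb quiet"

for c in "$CMDLINE_DISABLED" "$CMDLINE_PERMISSIVE" "$CMDLINE_NORMAL"; do
    echo "state=$(selinux_boot_state "$c") relabel=$(selinux_boot_relabel "$c")"
done
# On a live system: selinux_boot_state "$(cat /proc/cmdline)"
```

    Note that a "from-config" result does not by itself mean SELinux is enforcing; the value of SELINUX= in /etc/selinux/config decides, which is why the Enabling SELinux procedure checks the command line first and the config file second.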

    For additional SELinux-related kernel boot parameters, such as checkreqprot, see the file. This file is available in the source package of your Linux kernel (.src.rpm). To download the source package containing the currently used kernel:

        ~]# dnf download --source kernel