Understanding SELinux modes: disabled, enabled, enforcing, permissive

We continue our series on SELinux. In the previous article, we covered some of the basics for beginners. Now we will look at the SELinux modes.

SELinux is either enabled or disabled in a system. When enabled, it operates in either of the following modes:

  • Enforcing: Security policies are actively monitored and enforced. In RHEL/CentOS, this mode is enabled by default.
  • Permissive: Security policies are actively monitored without enforcing access control. Policy violations are logged in /var/log/messages.

When SELinux is disabled, security policies are neither monitored nor enforced.

The following command retrieves the current status of SELinux on the system:

sestatus

The output is as follows:

Figure 12 – Getting the current status of SELinux

When SELinux is enabled, the following command retrieves the current mode:

getenforce

In permissive mode, we get the following output:

Figure 13 – Getting the current mode of SELinux

To change from enforcing to permissive mode, we can run the following command:

sudo setenforce 0

The getenforce command will display Permissive in this case. To switch back into enforcing mode, we can run the following command:

sudo setenforce 1

The SELinux mode can also be set by editing the SELINUX value in /etc/selinux/config. The possible values are documented in the configuration file.

Important note

Manually editing the SELinux configuration file requires a system reboot for the changes to take effect.

With SELinux enabled, a system administrator may choose between the following SELinux policy levels by modifying the SELINUXTYPE value in /etc/selinux/config: targeted, minimum, and mls. The corresponding values are documented in the configuration file.

Important note

The default SELinux policy setting is targeted, and it's generally recommended not to change this setting, except for mls.

With the targeted policy in place, only processes that are specifically configured to use SELinux security policies run in a confined (or restricted) domain. Such processes usually include system daemons (such as dhcpd and sshd) and well-known server applications (such as Apache and PostgreSQL). All other (non-targeted) processes run unrestricted and are usually labeled with the unconfined_t domain type.

To completely disable SELinux, we can edit the /etc/selinux/config file using a text editor of our choice (such as sudo nano /etc/selinux/config) and make the following change:

SELINUX=disabled

Alternatively, we can run the following command to change the SELinux mode from enforcing to disabled:

sudo sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

We can retrieve the current configuration with the following command:

cat /etc/selinux/config

With SELinux disabled, we get the following output:

Figure 14 – Disabling SELinux

We need to reboot the system for the changes to take effect:

sudo systemctl reboot
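
The mode reported by getenforce and the SELINUX value in /etc/selinux/config can differ, because setenforce changes only the running system while edits to the file wait for a reboot. The following script is an added example, not part of the original article, that reports such a mismatch; its function names and the sample configuration are constructed for illustration, and it falls back to the sample when getenforce is not available.

```sh
#!/bin/sh
# Added example: compare the running SELinux mode with the configured one.

# Print the value of KEY ($1: SELINUX or SELINUXTYPE) from config file $2.
# Comment lines are skipped; the first assignment found is used
# (an assumption of this example).
selinux_config_value() {
    sed -n "s/^[[:space:]]*$1=[[:space:]]*\([A-Za-z]*\).*/\1/p" \
        "${2:-/etc/selinux/config}" | head -n 1 | tr '[:upper:]' '[:lower:]'
}

# Classify RUNTIME ($1, getenforce output) against CONFIGURED ($2, SELINUX= value).
selinux_drift() {
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$2" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid-config"; return 0 ;;
    esac
    if [ "$runtime" = "$2" ]; then
        echo "in-sync"
    elif [ "$runtime" = disabled ] || [ "$2" = disabled ]; then
        # Enabling or disabling SELinux only takes effect at boot.
        echo "reboot-required"
    else
        # setenforce was used, or the file was edited without a reboot;
        # the value in the file applies again at the next boot.
        echo "mode-mismatch"
    fi
}

# Print a one-line summary for running mode $1 and config file $2.
report() {
    configured=$(selinux_config_value SELINUX "$2")
    policy=$(selinux_config_value SELINUXTYPE "$2")
    echo "running=$1 configured=$configured policy=$policy" \
         "state=$(selinux_drift "$1" "$configured")"
}

if command -v getenforce >/dev/null 2>&1 && [ -r /etc/selinux/config ]; then
    report "$(getenforce)" /etc/selinux/config
else
    # Constructed sample: config says enforcing, as if "setenforce 0" had been run.
    tmp=$(mktemp)
    printf '%s\n' '# SELINUX= can take one of these three values:' \
        '#SELINUX=permissive' 'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$tmp"
    report Permissive "$tmp"
    rm -f "$tmp"
fi
```

A state of mode-mismatch on a server that is expected to be enforcing is worth investigating, since a permissive runtime mode does not show up in the configuration file.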

Next, let's examine how access control decisions are made by introducing SELinux contexts.
