Product SiteDocumentation Site

4.4. Enabling and Disabling SELinux

Use the getenforce or sestatus commands to check the status of SELinux. The getenforce command returns Enforcing, Permissive, or Disabled.
The sestatus command returns the SELinux status and the SELinux policy being used:
~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

4.4.1. Enabling SELinux

Important

If the system was initially installed without SELinux, particularly the selinux-policy package, which was added to the system later, one additional step is necessary to enable SELinux. To make sure SELinux is initialized during system startup, the dracut utility has to be run to put SELinux awareness into the initramfs file system. Failing to do so causes SELinux not to start during system startup.
On systems with SELinux disabled, the SELINUX=disabled option is configured in /etc/selinux/config:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
Also, the getenforce command returns Disabled:
~]$ getenforce
Disabled
Following procedure shows how to enable SELinux:
Procedure 4.2. Enabling SELinux
  1. This guide assumes that the following packages are installed:
    • selinux-policy-targeted
    • selinux-policy
    • libselinux
    • libselinux-python
    • libselinux-utils
    • policycoreutils
    • policycoreutils-python
    • setroubleshoot
    • setroubleshoot-server
    • setroubleshoot-plugins
    To confirm that the aforementioned packages are installed, use the rpm utility:
    ~]$ rpm -qa | grep selinux
    selinux-policy-3.12.1-136.el7.noarch
    libselinux-2.2.2-4.el7.x86_64
    selinux-policy-targeted-3.12.1-136.el7.noarch
    libselinux-utils-2.2.2-4.el7.x86_64
    libselinux-python-2.2.2-4.el7.x86_64
    
    ~]$ rpm -qa | grep policycoreutils
    policycoreutils-2.2.5-6.el7.x86_64
    policycoreutils-python-2.2.5-6.el7.x86_64
    
    ~]$ rpm -qa | grep setroubleshoot
    setroubleshoot-server-3.2.17-2.el7.x86_64
    setroubleshoot-3.2.17-2.el7.x86_64
    setroubleshoot-plugins-3.0.58-2.el7.noarch
    
    If they are not installed, use the DNF utility as root to install them:
    ~]# dnf install package_name
    The following packages are optional:
    • policycoreutils-gui
    • setroubleshoot
    • mcstrans
  2. Before SELinux is enabled, each file on the file system must be labeled with an SELinux context. Before this happens, confined domains may be denied access, preventing your system from booting correctly. To prevent this, configure SELINUX=permissive in the /etc/selinux/config file:
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - No SELinux policy is loaded.
    SELINUX=permissive
    # SELINUXTYPE= can take one of these two values:
    #       targeted - Targeted processes are protected,
    #       mls - Multi Level Security protection.
    SELINUXTYPE=targeted
    
  3. As root, restart the system. During the next boot, file systems are labeled. The label process labels all files with an SELinux context:
    ~]# reboot
    *** Warning -- SELinux targeted policy relabel is required.
    *** Relabeling could take a very long time, depending on file
    *** system size and speed of hard drives.
    ****
    
    Each * (asterisk) character on the bottom line represents 1000 files that have been labeled. In the above example, four * characters represent 4000 files have been labeled. The time it takes to label all files depends upon the number of files on the system, and the speed of the hard disk drives. On modern systems, this process can take as little as 10 minutes.
  4. In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied if running in enforcing mode. Before changing to enforcing mode, as root, run the following command to confirm that SELinux did not deny actions during the last boot. If SELinux did not deny actions during the last boot, this command does not return any output. See Chapter 10, Troubleshooting for troubleshooting information if SELinux denied access during boot.
    ~]# grep "SELinux is preventing" /var/log/messages
  5. If there were no denial messages in the /var/log/messages file, configure SELINUX=enforcing in /etc/selinux/config:
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - No SELinux policy is loaded.
    SELINUX=enforcing
    # SELINUXTYPE= can take one of these two values:
    #       targeted - Targeted processes are protected,
    #       mls - Multi Level Security protection.
    SELINUXTYPE=targeted
    
  6. Reboot your system. After reboot, confirm that getenforce returns Enforcing:
    ~]$ getenforce
    Enforcing
    
  7. As root, run the following command to view the mapping between SELinux and Linux users. The output should be as follows:
    ~]# semanage login -l
    
    Login Name           SELinux User         MLS/MCS Range        Service
    
    __default__          unconfined_u         s0-s0:c0.c1023       *
    root                 unconfined_u         s0-s0:c0.c1023       *
    system_u             system_u             s0-s0:c0.c1023       *
    
If this is not the case, run the following commands as root to fix the user mappings. It is safe to ignore the SELinux-user username is already defined warnings if they occur, where username can be unconfined_u, guest_u, or xguest_u:
Procedure 4.3. Fixing User Mappings
  1. ~]# semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
  2. ~]# semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__
  3. ~]# semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root
  4. ~]# semanage user -a -S targeted -P user -R guest_r guest_u
  5. ~]# semanage user -a -S targeted -P user -R xguest_r xguest_u

Important

When systems run with SELinux in permissive or disabled mode, users have permission to label files incorrectly. Also, files created while SELinux is disabled are not labeled. This causes problems when changing to enforcing mode. To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from disabled mode to permissive or enforcing mode.