Changing SELinux states and modes
This page has been converted from the Fedora Project Wiki and cleaned up for publishing here on the Fedora Docs Portal, but it has not yet been reviewed for technical accuracy. This means any information on this page may be outdated or inaccurate. Reviews for technical accuracy are greatly appreciated. If you want to help, see the README file in the source repository for instructions.
Permanent changes in SELinux states and modes
As discussed in Introduction to SELinux, SELinux can be enabled or disabled. When enabled, SELinux has two modes: enforcing and permissive.
Use the getenforce or sestatus commands to check in which mode SELinux is running. The getenforce command returns Enforcing, Permissive, or Disabled.
The sestatus command returns the SELinux status and the SELinux policy being used:
~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
When systems run SELinux in permissive mode, users and processes can label files incorrectly. Files created while SELinux is disabled are not labeled at all. Both cause problems when changing to enforcing mode, because incorrectly labeled or unlabeled files are then denied. To prevent this, the file systems are relabeled when changing from the disabled state to permissive or enforcing mode.
Enabling SELinux
When enabled, SELinux can run in one of two modes: enforcing or permissive. The following sections show how to permanently change between these modes.
When enabling SELinux on a system that previously had it disabled, follow this procedure to avoid problems such as the system being unable to boot or processes failing.
- Before you begin, ensure that the selinux-policy-targeted, selinux-policy, libselinux-utils and grubby packages are installed. To check that a particular package is installed:
$ rpm -q package_name
- If your system has SELinux disabled at the kernel level (this is the recommended way to disable it, see Disabling SELinux), change that first. Check whether the selinux=0 option is present on the kernel command line:
$ cat /proc/cmdline
BOOT_IMAGE=... ... selinux=0
- Remove the selinux=0 option from the bootloader configuration using grubby:
$ sudo grubby --update-kernel ALL --remove-args selinux
The change applies after you restart the system in one of the following steps.
- Ensure the file system is relabeled on the next boot:
$ sudo fixfiles onboot
- Enable SELinux in permissive mode. For more information, see Changing to permissive mode.
- Restart your system:
$ reboot
- Check for SELinux denial messages:
$ sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
- If there are no denials, switch to enforcing mode. For more information, see Changing to enforcing mode.
To run custom applications with SELinux in enforcing mode, choose one of the following scenarios:
- Run your application in the unconfined_service_t domain.
- Write a new policy for your application. See the Writing a custom SELinux policy chapter in the RHEL 8 Using SELinux document for more information.
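The procedure above, written as an idempotent script, is given here as an added example; it is not part of the Fedora page. The command-line check and the config-file edit are plain functions that take their input (the command line as a string, the config file as a path) as arguments, so they can be exercised on a copy of /etc/selinux/config without root. The privileged steps (grubby and fixfiles, both present on Fedora) run only when the script is invoked with --apply on a real host. The in-place edit assumes GNU sed.

```bash
#!/usr/bin/env bash
# Added example (not from the Fedora page): re-enable SELinux in permissive mode for
# the next boot on a system that was disabled with selinux=0, then schedule a relabel.
set -eu

# True when the kernel command line (passed as a string) carries selinux=0.
kernel_has_selinux_disabled() {
    case " $1 " in
        *" selinux=0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Set SELINUX= in an /etc/selinux/config-style file (path in $1) to $2, which must be
# one of enforcing, permissive or disabled. Comment lines are left untouched.
set_selinux_config_mode() {
    local config="$1" mode="$2"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "set_selinux_config_mode: invalid mode '$mode'" >&2; return 1 ;;
    esac
    if grep -qE '^SELINUX=' "$config"; then
        sed -i -E "s/^SELINUX=.*/SELINUX=${mode}/" "$config"   # GNU sed in-place edit
    else
        printf 'SELINUX=%s\n' "$mode" >>"$config"
    fi
}

# Read the effective SELINUX= value from such a file (last uncommented line wins).
get_selinux_config_mode() {
    sed -nE 's/^SELINUX=([a-z]+).*/\1/p' "$1" | tail -n1
}

# Privileged procedure for a real host: drop selinux=0 from every kernel entry,
# request permissive mode for the next boot and schedule a full relabel.
enable_selinux_permissive_on_next_boot() {
    if kernel_has_selinux_disabled "$(cat /proc/cmdline)"; then
        grubby --update-kernel ALL --remove-args selinux
    fi
    set_selinux_config_mode /etc/selinux/config permissive
    fixfiles onboot   # creates /.autorelabel so files created while disabled get labels
    echo "Reboot, then inspect denials with:"
    echo "  ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent"
}

# Only touch the running system when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    enable_selinux_permissive_on_next_boot
fi
```

Run it as `sudo ./enable-selinux.sh --apply`, reboot, and only after the ausearch check comes back empty switch SELINUX= to enforcing. Keeping the mode change and the relabel request in one script avoids the common mistake of booting enforcing onto an unlabeled tree.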
Changing to permissive mode
When SELinux is running in permissive mode, SELinux policy is not enforced. The system remains operational and SELinux does not deny any operations but only logs AVC messages, which can be then used for troubleshooting, debugging, and SELinux policy improvements. Each AVC is logged only once in this case.
To permanently change the mode to permissive:
- Edit the /etc/selinux/config file as follows:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
- Restart the system:
$ reboot
Changing to enforcing mode
When SELinux is running in enforcing mode, it enforces the SELinux policy and denies access based on the SELinux policy rules. In Fedora, enforcing mode is enabled by default when the system was initially installed with SELinux.
- Check the SELinux mode using the getenforce command:
$ getenforce
Permissive
If the command displays Disabled, follow Enabling SELinux. If it displays Permissive, use the following steps to change the mode back to enforcing:
- Edit the /etc/selinux/config file as follows:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
- Restart the system:
$ reboot
If a relabel was scheduled (for example with fixfiles onboot, as described in Enabling SELinux), SELinux relabels all files and directories on the next boot and adds SELinux contexts to files and directories that were created while SELinux was disabled. Switching from permissive to enforcing alone does not trigger a relabel.
After changing to enforcing mode, SELinux may deny some actions because of incorrect or missing SELinux policy rules. To view what actions SELinux denies:
$ sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
Alternatively, with the setroubleshoot-server package installed, use:
$ sudo sealert -a /var/log/audit/audit.log
If SELinux denies some actions, see the Troubleshooting problems related to SELinux chapter in the RHEL 8 Using SELinux document for information about troubleshooting.
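The ausearch step above, and the same check in the Enabling SELinux procedure, return raw audit records that are tedious to read one at a time when deciding whether a permissive-mode run is clean enough to switch to enforcing. The following added example (not part of the Fedora page) aggregates AVC denials by source type, target type, object class and permission set, most frequent first. It is a bash/awk function run over constructed sample records in the layout that `ausearch --raw` prints; on a real host feed it `sudo ausearch -m AVC -ts recent --raw`. USER_AVC records from userspace object managers such as dbus have a different layout and are deliberately not counted.

```bash
#!/usr/bin/env bash
# Added example (not from the Fedora page): summarize raw AVC denial records so a
# permissive-mode run can be judged before switching to enforcing.
set -eu

# Constructed sample of raw audit records (ausearch --raw format): two identical
# httpd_t denials, one sshd_t denial, one granted decision and one SYSCALL record.
SAMPLE_AUDIT_LOG=$(cat <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=4001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=4 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=1202 comm="httpd" name="style.css" dev="dm-0" ino=4002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { search } for  pid=1301 comm="sshd" name="alice" dev="dm-0" ino=5001 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1700000000.104:204): avc:  granted  { setenforce } for  pid=1401 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security
EOF
)

# Read raw audit records on stdin; print "COUNT source_type -> target_type class { perms }"
# for every distinct denial, most frequent first. Only type=AVC "denied" records count;
# "granted" decisions and USER_AVC records are ignored.
summarize_avc_denials() {
    awk '
        /^type=AVC / && /avc: *denied/ {
            perms = $0
            sub(/.*denied *[{] */, "", perms)   # keep what is inside { ... }
            sub(/ *[}].*/, "", perms)
            src = tgt = cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) src = substr($i, 10)
                else if ($i ~ /^tcontext=/) tgt = substr($i, 10)
                else if ($i ~ /^tclass=/) cls = substr($i, 8)
            }
            split(src, s, ":"); split(tgt, t, ":")   # user:role:type[:range]; keep the type
            key = s[3] " -> " t[3] " " cls " { " perms " }"
            count[key]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# Exit status 0 when stdin holds no AVC denials (safe to move to enforcing), 1 otherwise.
no_avc_denials() {
    [ -z "$(summarize_avc_denials)" ]
}
```

A typical gate before editing /etc/selinux/config is `sudo ausearch -m AVC -ts boot --raw | no_avc_denials && echo "no denials since boot"`. Aggregating on the type component of each context rather than the full context keeps MLS ranges and user prefixes from splitting what is really one missing rule into many lines.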
Disabling SELinux
When SELinux is disabled, SELinux policy is not loaded at all; it is not enforced and AVC messages are not logged. Therefore, all benefits of running SELinux listed in Benefits of SELinux are lost.
It is recommended to use permissive mode instead of permanently disabling SELinux. See Changing to permissive mode for more information about permissive mode.
Before you begin, ensure that the grubby package is installed:
$ rpm -q grubby
grubby-version
To permanently disable SELinux:
- Configure your bootloader to add selinux=0 to the kernel command line:
$ sudo grubby --update-kernel ALL --args selinux=0
- Restart your system:
$ reboot
- After reboot, confirm that the getenforce command returns Disabled:
$ getenforce
Disabled
Changing SELinux Modes at Boot Time
On boot, you can set several kernel parameters to change the way SELinux runs:
- enforcing=0
Setting this parameter causes the machine to boot in permissive mode, which is useful when troubleshooting. Booting permissive might be the only way to find the problem when the file system's labels are too badly damaged for the system to come up in enforcing mode. Moreover, in permissive mode the system continues to create labels correctly. The AVC messages created in this mode can differ from those in enforcing mode: in permissive mode, each distinct denial is reported only once. In enforcing mode you might get a single denial on reading a directory, after which the application stops. In permissive mode you get the same AVC message, but the application continues reading files in the directory and you get an additional AVC for each further denial.
- selinux=0
This parameter causes the kernel not to initialize any part of the SELinux infrastructure. The init scripts notice that the system booted with the selinux=0 parameter and touch the /.autorelabel file, which causes the system to relabel automatically the next time you boot with SELinux enabled. Using the selinux=0 parameter is not recommended. To debug your system, prefer permissive mode.
- autorelabel=1
This parameter forces the system to relabel, similarly to the following commands:
~]# touch /.autorelabel
~]# reboot
If the system labeling contains a large number of errors, you might need to boot in permissive mode for the autorelabel to succeed.
For additional SELinux-related kernel boot parameters, such as checkreqprot, see the kernel-parameters.txt file. This file is available in the source package of your Linux kernel (.src.rpm). To download the source package containing the currently used kernel (the download subcommand is provided by the dnf-plugins-core package):
~]# dnf download --source kernel
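The boot parameters above interact with /etc/selinux/config in a fixed order: selinux=0 wins over everything, an enforcing= value on the kernel command line overrides SELINUX= in the config file (libselinux checks /proc/cmdline for it when it loads the policy), and otherwise the config file decides; autorelabel=1 or an existing /.autorelabel file requests a relabel. The added example below (not part of the Fedora page) resolves the state a given command line and config file will boot into and whether a relabel is pending. It goes slightly beyond the page by also handling enforcing=1, which libselinux honors the same way. The functions take the command line as a string and the config file and root directory as paths so they can be checked against constructed inputs; on a real host call them with "$(cat /proc/cmdline)", /etc/selinux/config and /.

```bash
#!/usr/bin/env bash
# Added example (not from the Fedora page): predict the SELinux state for the next boot
# from the kernel command line and the SELinux config file.
set -eu

# Print the value of NAME=value from a kernel command-line string, or the bare NAME if
# it appears without a value. Returns 1 (printing nothing) when NAME is absent.
cmdline_param() {
    local cmdline="$1" name="$2" word
    for word in $cmdline; do            # intentional word splitting on whitespace
        case "$word" in
            "$name"=*) printf '%s\n' "${word#*=}"; return 0 ;;
            "$name")   printf '%s\n' "$name"; return 0 ;;
        esac
    done
    return 1
}

# Print disabled, permissive, enforcing or unknown for the given command line ($1)
# and config file ($2), applying: selinux=0 > enforcing=0/1 > SELINUX= in the file.
effective_boot_mode() {
    local cmdline="$1" config="$2" value
    if [ "$(cmdline_param "$cmdline" selinux || true)" = 0 ]; then
        echo disabled
        return 0
    fi
    value=$(cmdline_param "$cmdline" enforcing || true)
    case "$value" in
        0) echo permissive; return 0 ;;
        1) echo enforcing; return 0 ;;
    esac
    # No command-line override: the mode comes from SELINUX= in the config file.
    if [ ! -r "$config" ]; then
        echo unknown
        return 0
    fi
    value=$(sed -nE 's/^SELINUX=([a-z]+).*/\1/p' "$config" | tail -n1)
    case "$value" in
        enforcing|permissive|disabled) echo "$value" ;;
        *) echo unknown ;;
    esac
}

# Exit 0 when a relabel is pending for the next boot, either because the command line
# ($1) carries autorelabel=1 or because /.autorelabel exists under the root dir ($2).
relabel_requested() {
    local cmdline="$1" root="${2:-/}"
    [ "$(cmdline_param "$cmdline" autorelabel || true)" = 1 ] || [ -e "${root%/}/.autorelabel" ]
}
```

Checking the prediction before a reboot catches the two classic surprises: a config file that says enforcing while a forgotten enforcing=0 from an earlier debugging session still sits in the bootloader entry, and a selinux=0 entry that silently turns every SELINUX= setting into no-op.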