There are three types of SELinux modes; they are as follows:
Enforcing: In this mode, SELinux enforces its policies on the system and makes sure that all access by unauthorized users or processes is denied. These access denial events are also logged on the system, which we will look into later on in this chapter.
Permissive: This is like a semi-enabled state where SELinux doesn’t deny any access, as the policies are in permissive mode. This is the best mode in which to test SELinux policies.
Disabled: In this mode, SELinux is completely disabled; no logs are created and no permissions are denied.
We can run the following commands to get the present SELinux status:
getenforce
sestatus
The main SELinux configuration file is /etc/selinux/config. We will now enable SELinux by setting SELINUX=permissive in this file, then saving the file and rebooting the system.
The SELINUXTYPE parameter in the config file also has three options, as follows:
Targeted: This is the default value that allows you to customize and fine-tune your policies
Minimum: In this mode, only the selected processes are protected
MLS: Multi Level Security is an advanced mode of protection, and you need to install an additional package to use it
We will keep SELINUXTYPE at the default value (that is, targeted). It is necessary to set SELinux to permissive mode the first time it runs, because all files on the system have to be labeled first.
Otherwise, processes running under confined domains might fail, as they can’t access files that lack the correct contexts. Once we are set and we reboot the system, it will label all the files with SELinux contexts, which will take some time depending on the system. Since it’s in permissive mode, only failures and access denials will be reported.
Once the system is up, we must check it for any errors using the following command:
grep 'SELinux' /var/log/messages
This will show output such as the following if SELinux is running in permissive mode:
May 25 01:54:46 localhost kernel: SELinux: Disabled at runtime.
May 25 03:06:40 localhost kernel: SELinux: Initializing.
May 25 03:06:58 localhost systemd: Successfully loaded SELinux policy in 2.863609s.
May 27 06:31:39 localhost kernel: SELinux: Initializing.
May 27 06:31:55 localhost systemd: Successfully loaded SELinux policy in 1.944267s.
Now that all the rules are loaded and the files are labeled, we have to switch SELinux from permissive mode to enforcing mode. So, edit the SELinux config file once again and set the following:
SELINUX=enforcing
Now, reboot the server once again. Once it is back, check the SELinux status with the sestatus command.
Now, if you grep for SELinux in /var/log/messages, you will find the following:
May 27 11:18:21 localhost kernel: SELinux: Initializing.
May 27 11:18:34 localhost systemd: Successfully loaded SELinux policy in 715.664ms.
To check the SELinux enforcing status, run the getenforce command, and it will display the status as enforcing. The sestatus command will display more details about the operating SELinux configuration.
If we want to change the SELinux mode temporarily while SELinux is running, we can do that using the setenforce command as follows:
setenforce permissive
Switch back to the enforcing mode using the following command:
setenforce enforcing
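Because setenforce changes the mode only temporarily, the running mode can differ from the one set in /etc/selinux/config. The following shell script is an added example, not part of the original text, that compares the two; the function names configured_mode and check_mode_drift and the sample file are hypothetical, and the config parse is a simplified assumption.

```shell
#!/bin/sh
# Added example (not from the original text): detect when the runtime SELinux
# mode differs from the persistent mode configured in /etc/selinux/config.

# Print the mode from the first "SELINUX=" line of a config file, lowercased.
# Simplified parse (assumption): the key starts the line, so commented-out
# lines are skipped. SELINUXTYPE= does not match this pattern.
configured_mode() {
    sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        head -n 1 | tr '[:upper:]' '[:lower:]'
}

# Usage: check_mode_drift CONFIG_FILE RUNTIME_MODE
# RUNTIME_MODE is what getenforce prints (Enforcing, Permissive or Disabled).
# Returns 0 on match, 1 on drift, 2 if the file has no usable SELINUX= line.
check_mode_drift() {
    cfg=$(configured_mode "$1")
    run=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case $cfg in
        enforcing|permissive|disabled) ;;
        *) echo "error: no valid SELINUX= line in $1"; return 2 ;;
    esac
    if [ "$cfg" = "$run" ]; then
        echo "match: $cfg"
    else
        echo "drift: runtime=$run config=$cfg"
        return 1
    fi
}

# Constructed sample config: enforcing is configured, but the runtime mode
# passed in is Permissive, as it would be after "setenforce permissive".
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'SELINUX=enforcing' \
    'SELINUXTYPE=targeted' > "$sample"
check_mode_drift "$sample" Permissive || true
rm -f "$sample"

# On a real host: check_mode_drift /etc/selinux/config "$(getenforce)"
```

A drift result with runtime=permissive and config=enforcing means enforcement is currently off even though the config file says otherwise; the reverse case means the host will come back up in permissive mode after the next reboot.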