Enable SeLinux in Linux, and enable selinux in linux

Source: Internet
Author: User

Enable SeLinux in Linux, and enable selinux in linux

SELinux (Security-Enhanced Linux) in Fedora is an implementation of mandatory access control in the Linux kernel using the Linux Security Modules (LSM) framework. Standard Linux security is a discretionary access control model.

Discretionary access control (DAC)

DAC is standard Linux security, and it provides minimal protection from broken software or malware running as a normal user or root. Users can grant risky levels of access to files they own.

Mandatory access control (MAC)

MAC provides full control over all interactions of software. Administratively defined policy closely controls user and process interactions with the system, and can provide protection from broken software or malware running as any user.

Currently, SELinux supports the following three modes:

Enforcing: the forced mode indicates that SELinux is in operation and the domain/type has been properly restricted;

Permissive: the tolerant mode indicates that SELinux is in operation, but only warning messages will not actually restrict access to domain/type. This mode works.

Used as the debug of SELinux;

Disabled: disabled. SELinux does not actually work.

In Linux, check whether SeLinux is enabled. You can use either of the following methods:

1: run the following command sestatus. If SELinux status is enabled, SeLinux is enabled.

[root@DB-Server ~]# /usr/sbin/sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
[root@DB-Server ~]# 
 
 
 
[root@DB-Server ~]# /usr/sbin/sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
 
Process contexts:
Current context:                root:system_r:unconfined_t:SystemLow-SystemHigh
Init context:                   system_u:system_r:init_t
/sbin/mingetty                  system_u:system_r:getty_t
/usr/sbin/sshd                  system_u:system_r:unconfined_t:SystemLow-SystemHigh
 
File contexts:
Controlling term:               root:object_r:devpts_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/bash                       system_u:object_r:shell_exec_t
/bin/login                      system_u:object_r:login_exec_t
/bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/mingetty                  system_u:object_r:getty_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t
You have new mail in /var/spool/mail/root
[root@DB-Server ~]# 

2: run the getenforce command.

[root@DB-Server ~]# getenforce
 
Enforcing

 

How to enable and disable SeLinux? The simplest way is to use setenforce, so you do not need to restart the server. however, this command can only switch SeLinux between enforcing and permissive modes. after the server is restarted, it will be restored to/etc/selinux/config. That is to say, the modification of setenforce cannot be persistent.

[root@DB-Server ~]# setenforce 0
 
[root@DB-Server ~]# getenforce
 
Permissive
 
[root@DB-Server ~]# setenforce 1
 
[root@DB-Server ~]# getenforce;
 
Enforcing
 
[root@DB-Server ~]# 

In addition, modify/etc/selinux/config, as shown below. You can configure SELINUX to enforcing, permissive, and disabled values. After modification, you must restart the system to take effect.

[root@DB-Server ~]# more /etc/selinux/config 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
You have new mail in /var/spool/mail/root
[root@DB-Server ~]# 

If you change from enforcing or permissive to disabled or from disabled to the other two, you must restart the instance. This is because SELinux is integrated into the core. You can only switch to enforcing or permissive mode during SELinux operations, and cannot directly disable SELinux! At the same time, the status from SELinux to disable also needs to be restarted!

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.