/etc/sysconfig/selinux configuration file
Under Red Hat Enterprise Linux, two methods can be used to configure SELinux: use the Security Level Configuration Tool (system-config-securitylevel), or manually edit the configuration file (/etc/sysconfig/selinux).
/etc/sysconfig/selinux is the primary configuration file for enabling or disabling SELinux; it also sets which policy is enforced on the system and how it is enforced.
Note: /etc/sysconfig/selinux contains a symbolic link to the actual configuration file, /etc/selinux/config.
The following explains the options available in this file:
SELINUX=enforcing|permissive|disabled - defines the top-level state of SELinux on the system.
enforcing - the SELinux security policy is enforced.
permissive - the SELinux system prints warnings but does not enforce the security policy.
This is useful for troubleshooting. In permissive mode the system logs more denials, because some subjects that are allowed to continue in permissive mode would already have been stopped in enforcing mode. For example, when a directory tree is traversed in permissive mode, an avc: denied message is generated for each level of the directory; in enforcing mode SELinux stops the operation at the first level, so the later denials never occur.
disabled - SELinux is completely disabled. The SELinux hooks are disengaged from the kernel and the pseudo-file system is unregistered.
Tip:
Actions performed while SELinux is disabled may leave the file system without the correct security contexts, that is, the contexts defined by the policy. The best way to relabel the file system is to create the flag file /.autorelabel and reboot the machine. This causes the relabeling to take place early in the boot process, before any other process runs. Using this method prevents files from being created in the wrong security context and processes from starting in the wrong context.
It is possible to run the fixfiles relabel command before enabling SELinux to relabel the file system. However, this is not a good method, because some processes may still be running in the wrong security context after it completes, and those processes may in turn create files in the wrong security context.
Note:
Adding unnecessary spaces at the end of a configuration line, or extra lines at the end of the file, can cause unpredictable behavior. To be safe, remove unneeded whitespace.
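As an added example (not part of the original article), here is a small POSIX shell script that checks a file in the /etc/sysconfig/selinux format before you reboot into it: it flags the trailing whitespace and trailing blank lines warned about above, and confirms that SELINUX= and SELINUXTYPE= hold accepted values. The function names and the sample file contents are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check a file in the
# /etc/sysconfig/selinux format before rebooting into it. It rejects the
# trailing whitespace and trailing blank lines the article warns about and
# validates the SELINUX= and SELINUXTYPE= values. The sample contents below
# are constructed for the demo.

# selinux_get FILE KEY: print the last value assigned to KEY (comment lines ignored).
selinux_get() {
    grep -v '^[[:space:]]*#' "$1" | sed -n "s/^$2=//p" | tail -n 1
}

# selinux_check_whitespace FILE: fail if any line has trailing whitespace or
# the file ends with a blank line.
selinux_check_whitespace() {
    rc=0
    if grep -q '[[:space:]]$' "$1"; then
        echo "$1: trailing whitespace on line(s): $(grep -n '[[:space:]]$' "$1" | cut -d: -f1 | tr '\n' ' ')" >&2
        rc=1
    fi
    if [ -z "$(tail -n 1 "$1")" ]; then
        echo "$1: file ends with a blank line" >&2
        rc=1
    fi
    return $rc
}

# selinux_check_values FILE: fail unless SELINUX= and SELINUXTYPE= hold one of
# the values the configuration file accepts.
selinux_check_values() {
    rc=0
    case "$(selinux_get "$1" SELINUX)" in
        enforcing|permissive|disabled) ;;
        *) echo "$1: SELINUX must be enforcing, permissive or disabled" >&2; rc=1 ;;
    esac
    case "$(selinux_get "$1" SELINUXTYPE)" in
        targeted|strict) ;;
        *) echo "$1: SELINUXTYPE must be targeted or strict" >&2; rc=1 ;;
    esac
    return $rc
}

# selinux_check_file FILE: run both checks and report every problem;
# returns 0 only when the file looks safe to boot with.
selinux_check_file() {
    ok=0
    selinux_check_whitespace "$1" || ok=1
    selinux_check_values "$1" || ok=1
    return $ok
}

# Demo on two constructed sample files.
dir=$(mktemp -d)
# Good sample: no stray whitespace, valid values.
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$dir/good"
# Bad sample: a space after the mode value and a trailing blank line. The
# stray space also makes the SELINUX value fail validation ("enforcing ").
printf 'SELINUX=enforcing \nSELINUXTYPE=targeted\n\n' > "$dir/bad"
selinux_check_file "$dir/good" && echo "good: ok"
selinux_check_file "$dir/bad" || echo "bad: rejected"
rm -rf "$dir"
```

Point selinux_check_file at /etc/sysconfig/selinux (or /etc/selinux/config) after editing and before rebooting; a non-zero exit means the file needs attention.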
SELINUXTYPE=targeted|strict - specifies which policy SELinux should enforce.
targeted - only selected network daemons are protected.
Important:
Under the default targeted policy, the following daemons are protected: dhcpd, httpd (apache.te), named, nscd, ntpd, portmap, snmpd, squid, and syslogd. All other daemons on the system run in the unconfined_t domain. This domain allows the subjects and objects in its security context to operate using standard Linux security.
The policy files for these daemons are located in /etc/selinux/targeted/src/policy/domains/program. These files may change as updated versions of Red Hat Enterprise Linux are released.
Policy enforcement for these daemons can be turned on or off using Boolean values controlled by the Security Level Configuration Tool (system-config-securitylevel).
Setting a targeted daemon's Boolean value to 0 (zero) disables the policy transition for that daemon. For example, you can set dhcpd_disable_trans to 0 to prevent init from transitioning dhcpd from the unconfined_t domain to the domain specified in dhcpd.te.
Use the getsebool -a command to list all SELinux Boolean values. The following is an example of using the setsebool command to set a SELinux Boolean value. The -P option makes the change permanent; if it is omitted, the Boolean value is reset to 1 on reboot.
setsebool -P dhcpd_disable_trans=0
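The following is an added example, not taken from the original article, of a defender-side drift check built on the getsebool -a output format (name --> on|off): it compares the current Boolean states against a desired baseline and prints the setsebool -P commands that would restore it. The getsebool -a output and the baseline are constructed for the example; on a real host you would substitute the live command output. The function names bool_state, bool_drift and bool_drift_count are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: compare the SELinux Booleans
# reported by `getsebool -a` with a desired baseline and print the
# `setsebool -P` commands that would bring the system back in line.
# The getsebool output and the baseline below are constructed for the demo;
# on a real host replace GETSEBOOL_OUTPUT with "$(getsebool -a)".

# Constructed sample of `getsebool -a` output (format: "name --> on|off").
GETSEBOOL_OUTPUT='dhcpd_disable_trans --> off
httpd_disable_trans --> on
named_disable_trans --> off
squid_disable_trans --> off'

# Constructed baseline: the state each Boolean is expected to have
# (one "name on|off" pair per line).
BASELINE='dhcpd_disable_trans off
httpd_disable_trans off
named_disable_trans off
squid_disable_trans off'

# bool_state NAME: print on/off for NAME from the getsebool output,
# or "missing" when the Boolean is not listed at all.
bool_state() {
    state=$(printf '%s\n' "$GETSEBOOL_OUTPUT" | awk -v n="$1" '$1 == n && $2 == "-->" { print $3 }')
    printf '%s\n' "${state:-missing}"
}

# bool_drift: print one "setsebool -P name=value" line per Boolean whose
# current state differs from the baseline (1 for on, 0 for off);
# prints nothing when the system already matches the baseline.
bool_drift() {
    printf '%s\n' "$BASELINE" | while read -r name want; do
        have=$(bool_state "$name")
        [ "$have" = "$want" ] && continue
        case "$want" in
            on)  printf 'setsebool -P %s=1\n' "$name" ;;
            off) printf 'setsebool -P %s=0\n' "$name" ;;
        esac
    done
}

# bool_drift_count: number of Booleans out of line with the baseline.
bool_drift_count() {
    bool_drift | wc -l | tr -d ' '
}

# Demo: with the constructed data only httpd_disable_trans has drifted.
bool_drift
echo "booleans out of baseline: $(bool_drift_count)"
```

The script only prints the corrective commands; review them before running them, since setsebool -P writes the change into the persistent policy configuration rather than just the running kernel.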
strict - full SELinux protection for all daemons. Security contexts are defined for every subject and object in the system, and every action is processed by the policy enforcement server.
SETLOCALDEFS=0|1 - controls how local definitions (users and Booleans) are set. Set this value to 1 to have these definitions controlled by load_policy from the files in /etc/selinux/<policyname>, or set it to 0 to have them controlled by semanage.