How to enable or disable SELinux

Source: Internet
Author: User
About SELinux
SELinux provides a flexible Mandatory Access Control (MAC) system at the Linux kernel level. This mandatory access control system is built on top of the discretionary access control (DAC) system.
DAC means that the system's access control is managed at the discretion of the system administrator (root) and is not enforced by the system. Under MAC, when an application or thread runs with a given user UID or SUID, it is still subject to access control restrictions on other objects, such as files, sockets, or other threads.
By running the SELinux MAC, the kernel can protect the system from malicious programs, and bugs in the system's own software will not have a fatal impact on the system (the impact is limited to a certain range). SELinux defines access and transition permissions for every user, program, process, and file, and manages the interaction between all of these objects.
You can set how strictly SELinux controls these interactions, or disable it completely, during installation as needed.
In most cases, SELinux is completely transparent to users. Ordinary users do not notice that SELinux is there. Only the system administrator needs to consider the user environments and policies. These policies can be deployed as needed or can strictly restrict applications. SELinux provides very specific control policies covering the entire Linux system.
For example, if a subject, such as an application, wants to access a file object, the control program in the kernel checks the access vector cache (AVC) and looks up the subject and object permissions there. If no permission definition is found in the cache, it goes on to query the security context and the file permissions, and then decides whether to allow or deny the access. If "avc: denied" messages appear in /var/log/messages, the access was denied.
The security association between the subject and the object is determined by the installed policy. The installed policy is also responsible for generating a security list that provides this information to the system.
In addition to running in enforcing mode, SELinux can run in permissive mode. In this mode the AVC is still checked and denials are recorded, but SELinux does not enforce the policy.
The following describes SELinux-related tools.
/usr/bin/setenforce: modify the running mode of SELinux in real time
setenforce 1 sets SELinux to enforcing mode
setenforce 0 sets SELinux to permissive mode
To completely disable SELinux, set SELINUX=disabled in /etc/sysconfig/selinux, or add the selinux=0 parameter to the kernel line in /etc/grub.conf.
/usr/sbin/sestatus -v
View the system status
The following is the running output. For more information, see
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Policy version: 18

To turn off SELinux enforcement without restarting:
Execute the command: setenforce 0

In newer versions of Red Hat and Fedora, modify the file /etc/sysconfig/selinux:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing

# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

Set SELINUX to disabled. SELinux will be turned off the next time the system starts.

Kernel parameter

Alternatively, you can add the selinux=0 (disable) or selinux=1 (enable) parameter after the other kernel parameters.

File: /boot/grub/menu.lst

title Fedora Core (2.6.18-1.2798.fc6)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-1.2798.fc6 ro root=LABEL=/ rhgb quiet selinux=0
        initrd /initrd-2.6.18-1.2798.fc6.img

Check current SELinux status

You need to know whether you are using SELinux now:

# getenforce
Disabled
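
As an added example (not part of the original article), the following shell functions report the state a host will boot into, using the two settings described above: the SELINUX= line in the config file and a selinux= token on the kernel line. The function names and the sample input are constructed for illustration, and only lines that begin exactly with SELINUX= are treated as the setting.

```shell
#!/bin/sh
# Added example (not from the original page): report the SELinux state a host
# will boot into, from the config file and the kernel command line.

# Value of the last line starting with SELINUX= in file $1, or "unset".
# Assumption: only lines beginning exactly with "SELINUX=" count.
config_mode() {
    val=$(sed -n 's/^SELINUX=\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    echo "${val:-unset}"
}

# Value of the last selinux=<n> token in command line string $1, or "unset".
cmdline_selinux() {
    val=$(printf '%s\n' "$1" | tr ' ' '\n' |
          sed -n 's/^selinux=\([0-9][0-9]*\)$/\1/p' | tail -n 1)
    echo "${val:-unset}"
}

# Boot-time state: selinux=0 on the kernel line turns SELinux off whatever
# the config file says; otherwise the SELINUX= value applies.
boot_state() {    # $1 = config file, $2 = kernel command line
    if [ "$(cmdline_selinux "$2")" = 0 ]; then
        echo "disabled (kernel parameter selinux=0)"
        return
    fi
    case $(config_mode "$1") in
        enforcing)  echo "enforcing" ;;
        permissive) echo "permissive (denials logged, not enforced)" ;;
        disabled)   echo "disabled (SELINUX=disabled in config)" ;;
        *)          echo "unknown (no valid SELINUX= line)" ;;
    esac
}

# Constructed sample input, modelled on the config file and kernel line above.
sample_cfg=$(mktemp)
printf '%s\n' '# SELINUX= can take one of these three values:' \
    'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$sample_cfg"
sample_kernel='ro root=LABEL=/ rhgb quiet selinux=0'

boot_state "$sample_cfg" "$sample_kernel"   # config says enforcing, kernel line wins
boot_state "$sample_cfg" 'ro root=LABEL=/ rhgb quiet'
# On a live host: boot_state /etc/sysconfig/selinux "$(cat /proc/cmdline)"
```

Comparing this result with the output of getenforce shows whether the running mode was changed with setenforce after boot.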
