Linux SELinux conversion instructions between several modes

When you execute certain programs in a Linux environment, you occasionally encounter a situation in which the SELinux enforcement mode is not enforceable, in which case you need to close selinux or change the enforcing to permissive mode before executing.

SELinux is a mandatory access control (MAC) system available in the Linux kernel
The following is a description of several selinux modes and their transformations:

SELinux startup, shutdown, and view

1. Not all Linux distributions support SELinux
Currently, SELinux supports three modes, as follows:

Enforcing: Mandatory mode, on behalf of the SELinux operation, and has correctly begun to limit the domain/type;
Permissive: Tolerant mode: On behalf of SELinux operation, but only a warning message will not actually limit the access of domain/type. This model can be shipped as the use of SELinux debug;
disabled: Off, SELinux does not actually work.

2. View the SELinux mode
# Getenforce Enforcing <== shows that the current mode is enforcing

3. View the SELinux policy?
[Email protected] oracle]# Sestatus
SELinux status:enabled <== whether to start SELinux
SELINUXFS Mount:/selinux <==selinux related file data mount point
Current mode:enforcing <== mode
Mode from config file:enforcing <== profiles specified
Policy version:21
Policy from config file:targeted <== What are the current policies?

4. Adjust selinux parameters via config file
[Email protected] ~]# Vi/etc/selinux/config
selinux=enforcing <== Adjustment enforcing|disabled|permissive
Selinuxtype=targeted <== currently only has targeted and strict

5,selinux start-Up and shutdown
"Important common sense" above is a pre-set policy with the starting mode! It is important to note that if you change the policy you need to restart the boot, or if it is changed from enforcing or permissive to disabled, or changed from disabled to two, it must be rebooted. This is because SELinux is integrated into the core, you can only be in the SELinux operation to switch to force (enforcing) or tolerant (permissive) mode, can not directly shut down SELinux!
At the same time, the state of the SELinux shutdown (disable) to the open state also needs to be rebooted! So, if you have just found Getenforce appear disabled, please go to the above file changes to become enforcing bar!

To view the SELinux status:
1)/usr/sbin/sestatus-v # #如果SELinux The status parameter is enabled is turned on
SELinux status:enabled
2) Getenforce # #也可以用这个命令检查
To turn off SELinux:
1, temporarily shut down (do not restart the machine):
Setenforce 0 # #设置SELinux become permissive mode
# #setenforce 1 set SELinux to become enforcing mode
3) Modify the configuration file to restart the machine:
Modify the/etc/selinux/config file
Change Selinux=enforcing to Selinux=disabled
Restart the machine

"Focus" If you want to start selinux you must meet the following two points:
So, if you want to start SELinux, please set the above selinux=enforcing, and specify selinuxtype=targeted this setting, and go to/boot/grub/menu.lst this file, See if the core is off SELinux?

[Email protected] ~]# Vi/boot/grub/menu.lst
Default=0
Timeout=5
Splashimage= (hd0,0)/grub/splash.xpm.gz
Hiddenmenu
Title CentOS (2.6.18-92.EL5)
Root (hd0,0)
Kernel/vmlinuz-2.6.18-92.el5 ro root=label=/1 rhgb quiet selinux=0
Initrd/initrd-2.6.18-92.el5.img

# If you want to start SELinux, you can not appear selinux=0 the words behind kernel!
"Problem" Through the above study we know that if the startup of SELinux to disable, need to restart the computer, we do not want to restart the computer and do not want to open selinux what to do?
Answer will change the forced mode to loose mode!
[Email protected] ~]# Setenforce [0|1]
Options and Parameters:
0: Turn into permissive tolerant mode;
1: Turn into enforcing force mode

Example one: Switch SELinux between enforcing and permissive and view
[Email protected] ~]# Setenforce 0
[Email protected] ~]# Getenforce Permissive
[Email protected] ~]# Setenforce 1
[Email protected] ~]# Getenforce enforcing

6. View the startup program's type settings
[[Email protected] oracle]# PS aux-z
LABEL USER PID%cpu%MEM VSZ RSS TTY STAT START time COMMAND
system_u:system_r:init_t Root 1 0.0 0.4 2060 520? Ss May07 0:02 init [5 system_u:system_r:kernel_t root 2 0.0 0.0 0 0? s< May07 0:00 [Migra] system_u:system_r:kernel_t root 11 0.0 0.0 0 0? s< May07 0:00 [kacpi] system_u:system_r:auditd_t root 4022 0.0 0.4 12128 560? S<SL May07 0:01 auditd system_u:system_r:auditd_t root 4024 0.0 0.4 13072 628? S<sl May07 0:00/sbin/a system_u:system_r:restorecond_t root 4040 0.0 4.4 10284 5556? Ss May07 0:00/USR/SB

Description: In fact, these things we do not care, are selinux built-in. Just learn to convert between forced and loose modes!

Summary:
to close the SELinux method:
Modify Selinux= "" in the/etc/selinux/config file to Disabled, and then restart.
If you do not want to restart the system, use the command Setenforce 0
Note:
Setenforce 1 set SELinux to be enforcing mode
Setenforce 0 set SELinux as permissive mode
added in Lilo or grub startup parameters: Selinux=0, or you can close SELinux
#----------------------------------------------------------- ----
View the SELinux status:
/usr/bin/setstatus-v
as follows:
SELinux status:enabled
Selinuxfs mount:/selinux
Current mode:permissive
Mode from config file:enforcing
Policy version:21
Policy from config FILE:TARGETED

Getenforce/setenforce View and set the current working mode of SELinux
#------------------------------------------------------------ -----------
Discovery Service Start, stop immediately, find information on the Internet, find the installation to disable SELinux before installing MySQL, the steps are:
1. Turn off SELinux, restart the system,
2. Install MySQL (mysql The server should be ready to start);
3. Enable SELinux, restart the system, and then MySQL server will start normally. The
Enable disable SELinux method is:
Vi/etc/selinux/config (Others say is the/etc/sysconfig/selinux file, in fact, two is a link between the relationship, casually change one, the other changed)
selinux=disable disabling SELinux
selinux=enforcing enable SELinux

How the CentOS system quickly shuts down SELinux

SELinux is an enforced access control (MAC) security system based on the domain-type model (DOMAIN-TYPE), which is written by the NSA and designed into kernel modules, and some of the corresponding security-related applications have been patched by SELinux, and finally there is a corresponding security policy. Although the CentOS system is relatively safe and stable compared to the other. My experience in long-term Linux practice is that SELinux is the natural enemy of PHP.

We often cause some inexplicable problems due to the security configuration of the CentOS system default system, such as SELinux is originally used for security subsystem permissions control, but can not find a lot of restrictions, we may use the following methods to quickly close selinux.
/usr/sbin/setenforce 0 Close SELinux immediately
/usr/sbin/setenforce 1 Enable SELINUX now

Add to system default boot inside
echo "/usr/sbin/setenforce 0" >>/etc/rc.local

This allows us to quickly shut down when we don't need to open selinux in the CentOS system, and to turn it on when needed.

Linux SELinux conversion instructions between several modes