Wednesday, January 23, 2013

Configuring SELinux


Test if SELinux is running

You can test to see if SELinux is currently enabled with the following command:
# selinuxenabled && echo enabled || echo disabled

[root@cloudstorage01 ~]# sestatus | grep -i mode
Current mode: enforcing
Mode from config file: permissive

Turning off SELinux temporarily

Disabling SELinux temporarily is the easiest way to determine if the problem you are experiencing is related to your SELinux settings. To turn it off, you will need to become the root user on your system and execute the following command:
# echo 0 > /selinux/enforce
This temporarily turns off SELinux enforcement until it is either re-enabled or the system is rebooted. To turn it back on, simply execute this command:
# echo 1 > /selinux/enforce
As you can see from these commands, what you are doing is setting the file /selinux/enforce to either '1' or '0' to denote 'true' and 'false'.
To check what mode the system is in, read the file back:
# cat /selinux/enforce

Configuring SELinux to log warnings instead of block

You can also configure SELinux to give you a warning message instead of actually prohibiting the action. This is known as permissive mode. To change SELinux’s behavior to permissive mode you need to edit the configuration file. On Fedora and RHEL systems that file is located at /etc/selinux/config. You need to change the SELINUX option to permissive like so:
SELINUX=permissive
Note that these changes will not take effect until the system is rebooted, which is why the first section comes in handy on a system you either cannot or do not want to reboot right now.
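Because the config file only applies at boot, the running mode and the configured mode can disagree, as in the sestatus output above (enforcing at runtime, permissive in the config file). The following is an added example, not part of the original post: shell functions that compare the two and flag the drift. The function names are hypothetical, and it assumes that a missing enforce file means SELinux is disabled.

```sh
#!/bin/sh
# Added example: detect drift between the runtime SELinux mode and the
# mode configured for the next boot. Function names are hypothetical.
# Paths are parameters; the defaults used below are the ones on this page.

# Print the SELINUX= value from a config file (last active assignment wins).
# Comment lines and SELINUXTYPE= are not matched by the pattern.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# Map the contents of the enforce file to a mode name.
# Assumption: if the file is not readable, SELinux is disabled.
runtime_mode() {
    if [ ! -r "$1" ]; then
        echo disabled
        return
    fi
    case "$(cat "$1")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Print a one-line verdict; return 0 if the modes agree, 1 on drift.
selinux_drift() {
    cfg=$(configured_mode "$1")
    run=$(runtime_mode "$2")
    if [ "$cfg" = "$run" ]; then
        echo "OK: runtime and config are both $run"
        return 0
    fi
    echo "DRIFT: runtime=$run config=$cfg (a reboot will switch to $cfg)"
    return 1
}

# Check the live system only when invoked as: sh script.sh check
if [ "${1:-}" = "check" ]; then
    selinux_drift /etc/selinux/config /selinux/enforce
fi
```

A DRIFT result after troubleshooting is a reminder that the system will come back in the configured mode on the next reboot, not the one currently running.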

Completely turning off SELinux

# vi /etc/selinux/config
Change SELINUX=enforcing:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
to SELINUX=disabled:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
This will disable SELinux on your next reboot.
To verify if SELinux is disabled, run the following command. You should see selinux=0 in the output:
# dmesg | grep selinux
type=1404 audit(1343044277.956:2): selinux=0 auid=4294967295 ses=4294967295
