mirror of
https://pagure.io/fedora-docs/quick-docs.git
synced 2024-11-25 13:44:51 +00:00
33 lines
1.7 KiB
Text
33 lines
1.7 KiB
Text
|
// Module included in the following assemblies:
|
|||
|
//
|
|||
|
// changing-selinux-states-and-modes.adoc
|
|||
|
|
|||
|
[#{context}-changing-selinux-modes]
|
|||
|
= Permanent changes in SELinux states and modes
|
|||
|
|
|||
|
As discussed in link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-introduction[Introduction to SELinux], SELinux can be enabled or disabled. When enabled, SELinux has two modes: enforcing and permissive.
|
|||
|
|
|||
|
Use the [command]`getenforce` or [command]`sestatus` commands to check in which mode SELinux is running. The [command]`getenforce` command returns `Enforcing`, `Permissive`, or `Disabled`.
|
|||
|
|
|||
|
The [command]`sestatus` command returns the SELinux status and the SELinux policy being used:
|
|||
|
|
|||
|
[source,bash]
|
|||
|
----
|
|||
|
~]$ sestatus
|
|||
|
SELinux status: enabled
|
|||
|
SELinuxfs mount: /sys/fs/selinux
|
|||
|
SELinux root directory: /etc/selinux
|
|||
|
Loaded policy name: targeted
|
|||
|
Current mode: enforcing
|
|||
|
Mode from config file: enforcing
|
|||
|
Policy MLS status: enabled
|
|||
|
Policy deny_unknown status: allowed
|
|||
|
Memory protection checking: actual (secure)
|
|||
|
Max kernel policy version: 31
|
|||
|
----
|
|||
|
|
|||
|
[NOTE]
|
|||
|
====
|
|||
|
When systems run SELinux in permissive mode, users are able to label files incorrectly. Files created while SELinux is disabled are not labeled at all. This behavior causes problems when changing to enforcing mode because files are labeled incorrectly or are not labeled at all. To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from the disabled state to permissive or enforcing mode.
|
|||
|
====
|