quick-docs/modules/ROOT/pages/_partials/proc_enabling-selinux.adoc

// Module included in the following assemblies:
//
// changing-selinux-states-and-modes.adoc
[#{context}-enabling-selinux]
= Enabling SELinux

When enabled, SELinux can run in one of two modes: enforcing or permissive. The following sections show how to permanently change into these modes.

To avoid problems such as a system that cannot boot or processes that fail, follow this procedure when enabling SELinux on a system that previously had it disabled.

.Prerequisites
* The [package]`selinux-policy-targeted`, [package]`selinux-policy`, [package]`libselinux-utils`, and [package]`grubby` packages are installed. To check that a particular package is installed:
+
[subs="quotes"]
----
$ *rpm -q _package_name_*
----

.Procedure
. If your system has SELinux disabled at the kernel level (the recommended way to disable it, see xref:{context}-disabling-selinux[]), change this first. Check whether the `selinux=0` option is in your kernel command line:
+
[subs="quotes"]
----
$ *cat /proc/cmdline*
BOOT_IMAGE=... ... selinux=0
----
.. Remove the `selinux=0` option from the bootloader configuration using [command]`grubby`:
+
[subs="quotes"]
----
$ *sudo grubby --update-kernel ALL --remove-args selinux*
----
.. The change applies after you restart the system in one of the following steps.
. Ensure the file system is relabeled on the next boot:
+
[subs="quotes"]
----
$ *sudo fixfiles onboot*
----
. Enable SELinux in permissive mode. For more information, see xref:{context}-changing-to-permissive-mode[].
. Restart your system:
+
[subs="quotes"]
----
$ *reboot*
----
. Check for SELinux denial messages.
+
[subs="quotes"]
----
$ *sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent*
----
. If there are no denials, switch to enforcing mode. For more information, see xref:{context}-changing-to-enforcing-mode[].

To run custom applications with SELinux in enforcing mode, choose one of the following scenarios:

* Run your application in the `unconfined_service_t` domain.
// See <<Targeted_Policy-Unconfined_Processes>> for more information.
* Write a new policy for your application. See the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/writing-a-custom-selinux-policy_using-selinux[Writing a custom SELinux policy] chapter in the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/index[RHEL 8 Using SELinux] document for more information.
// Temporary changes in modes are covered in <<{context}-selinux-states-and-modes>>.
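
The following check is an added example, not part of the original procedure: run before the restart step, it reports which of the earlier steps are still unfinished. The function names are hypothetical, and it assumes that `fixfiles onboot` leaves the `/.autorelabel` flag file and that the persistent mode is set by `SELINUX=` in `/etc/selinux/config`.

```shell
#!/bin/sh
# Added example: pre-reboot check for the procedure above. Inputs are passed
# as parameters so the functions also work on constructed test data.

# Succeeds if the argument string contains selinux=0 as a whole argument.
args_disable_selinux() {
    case " $1 " in
        *" selinux=0 "*) return 0 ;;
    esac
    return 1
}

# Prints the effective SELINUX= value of a config file. Comment lines and
# SELINUXTYPE= do not match; if the key is repeated, the last one is printed.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*$/\1/p' "$1" | tail -n 1
}

# Prints one line per unfinished step; returns 0 only when none are left.
# $1 = bootloader kernel args, $2 = config file, $3 = relabel flag file
preflight() {
    rc=0
    if args_disable_selinux "$1"; then
        echo "pending: remove selinux=0 with grubby"; rc=1
    fi
    if [ ! -e "$3" ]; then
        echo "pending: run fixfiles onboot"; rc=1
    fi
    mode=$(config_mode "$2")
    if [ "$mode" != "permissive" ]; then
        echo "pending: set SELINUX=permissive (found: ${mode:-none})"; rc=1
    fi
    return $rc
}

# Live use for the default boot entry (assumed standard paths), as root:
#   preflight "$(grubby --info=DEFAULT | sed -n 's/^args=//p' | tr -d '"')" \
#       /etc/selinux/config /.autorelabel
```

The bootloader arguments are read with `grubby` rather than from `/proc/cmdline` because `/proc/cmdline` keeps showing `selinux=0` until the system has actually been restarted.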