quick-docs/modules/ROOT/partialsdelete/2delete-proc_enabling-selinux.adoc

// Module included in the following assemblies:
//
// changing-selinux-states-and-modes.adoc

[#{context}-enabling-selinux]
= Enabling SELinux

When enabled, SELinux can run in one of two modes: enforcing or permissive. The following sections show how to permanently change into these modes.

While enabling SELinux on systems that previously had it disabled, to avoid problems, such as systems unable to boot or process failures, follow this procedure.

.Prerequisites

* The [package]`selinux-policy-targeted`, [package]`selinux-policy`, [package]`libselinux-utils`, and [package]`grubby` packages are installed. To check that a particular package is installed:
+
[subs="quotes"]
----
$ *rpm -q _package_name_*
----

.Procedure

. If your system has SELinux disabled at the kernel level (this is the recommended way, see xref:{context}-disabling-selinux[]), change this first. Check if you have the `selinux=0` option in your kernel command line:
+
[subs="quotes"]
----
$ *cat /proc/cmdline*
BOOT_IMAGE=... ... selinux=0
----

.. Remove the `selinux=0` option from the bootloader configuration using [command]`grubby`:
+
[subs="quotes"]
----
$ *sudo grubby --update-kernel ALL --remove-args selinux*
----

.. The change applies after you restart the system in one of the following steps.

. Ensure the file system is relabeled on the next boot:
+
[subs="quotes"]
----
$ *sudo fixfiles onboot*
----

. Enable SELinux in permissive mode. For more information, see xref:{context}-changing-to-permissive-mode[].

. Restart your system:
+
[subs="quotes"]
----
$ *reboot*
----

. Check for SELinux denial messages.
+
[subs="quotes"]
----
$ *sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent*
----

. If there are no denials, switch to enforcing mode. For more information, see xref:{context}-changing-to-enforcing-mode[].

To run custom applications with SELinux in enforcing mode, choose one of the following scenarios:

* Run your application in the `unconfined_service_t` domain.
// See <<Targeted_Policy-Unconfined_Processes>> for more information.

* Write a new policy for your application. See the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/writing-a-custom-selinux-policy_using-selinux[Writing a custom SELinux policy] chapter in the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/index[RHEL 8 Using SELinux] document for more information.

// Temporary changes in modes are covered in <<{context}-selinux-states-and-modes>>.
SELinux states and modes added 2018-06-22 16:10:52 +00:00			`// Module included in the following assemblies:`
			`//`
			`// changing-selinux-states-and-modes.adoc`

			`[#{context}-enabling-selinux]`
			`= Enabling SELinux`

			`When enabled, SELinux can run in one of two modes: enforcing or permissive. The following sections show how to permanently change into these modes.`

Fix proc_enabling-selinux 2020-11-09 16:14:25 +00:00			`While enabling SELinux on systems that previously had it disabled, to avoid problems, such as systems unable to boot or process failures, follow this procedure.`
SELinux states and modes added 2018-06-22 16:10:52 +00:00
Fix proc_enabling-selinux 2020-11-09 16:14:25 +00:00			`.Prerequisites`

			* The [package]`selinux-policy-targeted`, [package]`selinux-policy`, [package]`libselinux-utils`, and [package]`grubby` packages are installed. To check that a particular package is installed:
			`+`
Clarify enabling/disabling procedures for SELinux * Simplify list of required packages (and add `grubby`). * Move Disabled -> Enforcing steps from `changing-to-enforcing-mode` to `enabling-selinux`. * In `changing-to-enforcing-mode`, use the correct procedure based on whether SELinux is currently Permissive or Disabled. * Add step for ensuring that filesystem is relabeled when re-enabling SELinux. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> 2020-10-30 13:47:18 +00:00			`[subs="quotes"]`
			`----`
Fix proc_enabling-selinux 2020-11-09 16:14:25 +00:00			`$ rpm -q _package_name_`
Clarify enabling/disabling procedures for SELinux * Simplify list of required packages (and add `grubby`). * Move Disabled -> Enforcing steps from `changing-to-enforcing-mode` to `enabling-selinux`. * In `changing-to-enforcing-mode`, use the correct procedure based on whether SELinux is currently Permissive or Disabled. * Add step for ensuring that filesystem is relabeled when re-enabling SELinux. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> 2020-10-30 13:47:18 +00:00			`----`

Fix proc_enabling-selinux 2020-11-09 16:14:25 +00:00			`.Procedure`
Update instructions for disabling and re-enabling SELinux The kernel functionality that allowed to disable SELinux by changing /etc/selinux/config is now deprecated and will be removed in F34 [1]. While setting SELINUX=Disabled will still lead to a similar state even after the removal, it is better to guide users to disable SELinux via kernel boot parameters, which will actually disable SELinux completely (as in no SElinux code is executed by the kernel). [1] https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> 2020-10-29 14:55:18 +00:00
Fix proc_enabling-selinux 2020-11-09 16:14:25 +00:00			. If your system has SELinux disabled at the kernel level (this is the recommended way, see xref:{context}-disabling-selinux[]), change this first. Check if you have the `selinux=0` option in your kernel command line:
Update instructions for disabling and re-enabling SELinux The kernel functionality that allowed to disable SELinux by changing /etc/selinux/config is now deprecated and will be removed in F34 [1]. While setting SELINUX=Disabled will still lead to a similar state even after the removal, it is better to guide users to disable SELinux via kernel boot parameters, which will actually disable SELinux completely (as in no SElinux code is executed by the kernel). [1] https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> 2020-10-29 14:55:18 +00:00			`+`
			`[subs="quotes"]`
			`----`
Fix proc_enabling-selinux 2020-11-09 16:14:25 +00:00			`$ cat /proc/cmdline`
			`BOOT_IMAGE=... ... selinux=0`
Update instructions for disabling and re-enabling SELinux The kernel functionality that allowed to disable SELinux by changing /etc/selinux/config is now deprecated and will be removed in F34 [1]. While setting SELINUX=Disabled will still lead to a similar state even after the removal, it is better to guide users to disable SELinux via kernel boot parameters, which will actually disable SELinux completely (as in no SElinux code is executed by the kernel). [1] https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> 2020-10-29 14:55:18 +00:00			`----`

Fix proc_enabling-selinux 2020-11-09 16:14:25 +00:00			.. Remove the `selinux=0` option from the bootloader configuration using [command]`grubby`:
Update instructions for disabling and re-enabling SELinux The kernel functionality that allowed to disable SELinux by changing /etc/selinux/config is now deprecated and will be removed in F34 [1]. While setting SELINUX=Disabled will still lead to a similar state even after the removal, it is better to guide users to disable SELinux via kernel boot parameters, which will actually disable SELinux completely (as in no SElinux code is executed by the kernel). [1] https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> 2020-10-29 14:55:18 +00:00			`+`
Fix proc_enabling-selinux 2020-11-09 16:14:25 +00:00			`[subs="quotes"]`
Update instructions for disabling and re-enabling SELinux The kernel functionality that allowed to disable SELinux by changing /etc/selinux/config is now deprecated and will be removed in F34 [1]. While setting SELINUX=Disabled will still lead to a similar state even after the removal, it is better to guide users to disable SELinux via kernel boot parameters, which will actually disable SELinux completely (as in no SElinux code is executed by the kernel). [1] https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> 2020-10-29 14:55:18 +00:00			`----`
Fix proc_enabling-selinux 2020-11-09 16:14:25 +00:00			`$ sudo grubby --update-kernel ALL --remove-args selinux`
Update instructions for disabling and re-enabling SELinux The kernel functionality that allowed to disable SELinux by changing /etc/selinux/config is now deprecated and will be removed in F34 [1]. While setting SELINUX=Disabled will still lead to a similar state even after the removal, it is better to guide users to disable SELinux via kernel boot parameters, which will actually disable SELinux completely (as in no SElinux code is executed by the kernel). [1] https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> 2020-10-29 14:55:18 +00:00			`----`

Fix proc_enabling-selinux 2020-11-09 16:14:25 +00:00			`.. The change applies after you restart the system in one of the following steps.`
Update instructions for disabling and re-enabling SELinux The kernel functionality that allowed to disable SELinux by changing /etc/selinux/config is now deprecated and will be removed in F34 [1]. While setting SELINUX=Disabled will still lead to a similar state even after the removal, it is better to guide users to disable SELinux via kernel boot parameters, which will actually disable SELinux completely (as in no SElinux code is executed by the kernel). [1] https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> 2020-10-29 14:55:18 +00:00
Fix proc_enabling-selinux 2020-11-09 16:14:25 +00:00			`. Ensure the file system is relabeled on the next boot:`
Clarify enabling/disabling procedures for SELinux * Simplify list of required packages (and add `grubby`). * Move Disabled -> Enforcing steps from `changing-to-enforcing-mode` to `enabling-selinux`. * In `changing-to-enforcing-mode`, use the correct procedure based on whether SELinux is currently Permissive or Disabled. * Add step for ensuring that filesystem is relabeled when re-enabling SELinux. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> 2020-10-30 13:47:18 +00:00			`+`
Fix proc_enabling-selinux 2020-11-09 16:14:25 +00:00			`[subs="quotes"]`
Clarify enabling/disabling procedures for SELinux * Simplify list of required packages (and add `grubby`). * Move Disabled -> Enforcing steps from `changing-to-enforcing-mode` to `enabling-selinux`. * In `changing-to-enforcing-mode`, use the correct procedure based on whether SELinux is currently Permissive or Disabled. * Add step for ensuring that filesystem is relabeled when re-enabling SELinux. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> 2020-10-30 13:47:18 +00:00			`----`
Fix proc_enabling-selinux 2020-11-09 16:14:25 +00:00			`$ sudo fixfiles onboot`
Clarify enabling/disabling procedures for SELinux * Simplify list of required packages (and add `grubby`). * Move Disabled -> Enforcing steps from `changing-to-enforcing-mode` to `enabling-selinux`. * In `changing-to-enforcing-mode`, use the correct procedure based on whether SELinux is currently Permissive or Disabled. * Add step for ensuring that filesystem is relabeled when re-enabling SELinux. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> 2020-10-30 13:47:18 +00:00			`----`

Fix proc_enabling-selinux 2020-11-09 16:14:25 +00:00			`. Enable SELinux in permissive mode. For more information, see xref:{context}-changing-to-permissive-mode[].`
SELinux states and modes added 2018-06-22 16:10:52 +00:00
Fix proc_enabling-selinux 2020-11-09 16:14:25 +00:00			`. Restart your system:`
			`+`
			`[subs="quotes"]`
			`----`
			`$ reboot`
			`----`
SELinux states and modes added 2018-06-22 16:10:52 +00:00
			`. Check for SELinux denial messages.`
Fix proc_enabling-selinux 2020-11-09 16:14:25 +00:00			`+`
			`[subs="quotes"]`
			`----`
			`$ sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent`
			`----`
SELinux states and modes added 2018-06-22 16:10:52 +00:00
Update modules/ROOT/pages/_partials/proc_enabling-selinux.adoc The link "Changing to enforcing mode" should lead to an anchor on the same page, not to a non-existing sub-page. 2022-11-20 14:16:44 +00:00			`. If there are no denials, switch to enforcing mode. For more information, see xref:{context}-changing-to-enforcing-mode[].`
SELinux states and modes added 2018-06-22 16:10:52 +00:00
			`To run custom applications with SELinux in enforcing mode, choose one of the following scenarios:`

			* Run your application in the `unconfined_service_t` domain.
			`// See <<Targeted_Policy-Unconfined_Processes>> for more information.`

Fix proc_enabling-selinux 2020-11-09 16:14:25 +00:00			`* Write a new policy for your application. See the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/writing-a-custom-selinux-policy_using-selinux[Writing a custom SELinux policy] chapter in the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/index[RHEL 8 Using SELinux] document for more information.`
SELinux states and modes added 2018-06-22 16:10:52 +00:00
			`// Temporary changes in modes are covered in <<{context}-selinux-states-and-modes>>.`