diff --git a/modules/ROOT/pages/_partials/proc_disabling-selinux.adoc b/modules/ROOT/pages/_partials/proc_disabling-selinux.adoc index 1154f0d..1674e5a 100644 --- a/modules/ROOT/pages/_partials/proc_disabling-selinux.adoc +++ b/modules/ROOT/pages/_partials/proc_disabling-selinux.adoc @@ -2,7 +2,7 @@ // // changing-selinux-states-and-modes.adoc -[#{context}-Enabling_and_Disabling_SELinux-Disabling_SELinux] +[#{context}-disabling-selinux] = Disabling SELinux When SELinux is disabled, SELinux policy is not loaded at all; it is not enforced and AVC messages are not logged. Therefore, all benefits of running SELinux listed in link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-introduction#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux[Benefits of SELinux] are lost. 
@@ -14,21 +14,17 @@ It is recommended to use permissive mode instead of permanently disabling SELinu To permanently disable SELinux, follow the procedure below: -. Configure [option]`SELINUX=disabled` in the `/etc/selinux/config` file: +This procedure assumes that the [package]*grubby* package is installed. To verify that it is installed, use the following command: +[subs="quotes"] +---- +~]$ rpm -q grubby +---- + +. Configure your bootloader to add `selinux=0` to the kernel command-line: + [subs="quotes"] ---- - -# This file controls the state of SELinux on the system. -# SELINUX= can take one of these three values: -# enforcing - SELinux security policy is enforced. -# permissive - SELinux prints warnings instead of enforcing. -# disabled - No SELinux policy is loaded. -SELINUX=*disabled* -# SELINUXTYPE= can take one of these two values: -# targeted - Targeted processes are protected, -# mls - Multi Level Security protection. -SELINUXTYPE=targeted +~]# grubby --update-kernel ALL --args selinux=0 ---- . Reboot your system. After reboot, confirm that the [command]`getenforce` command returns `Disabled`: diff --git a/modules/ROOT/pages/_partials/proc_enabling-selinux.adoc b/modules/ROOT/pages/_partials/proc_enabling-selinux.adoc index 465cf22..b6c267e 100644 --- a/modules/ROOT/pages/_partials/proc_enabling-selinux.adoc +++ b/modules/ROOT/pages/_partials/proc_enabling-selinux.adoc 
@@ -9,6 +9,24 @@ When enabled, SELinux can run in one of two modes: enforcing or permissive. The While enabling SELinux on systems that previously had it disabled, to avoid problems, such as systems unable to boot or process failures, follow this procedure: +. In case your system has SELinux disabled at the kernel level (this is the recommended way, see <<{context}-disabling-selinux>>), make sure to undo that first. + +.. Check if you have `selinux=0` in your kernel command line: ++ +[subs="quotes"] +---- +~]$ cat /proc/cmdline +_[...]_ rd.lvm.lv=fedora/swap rhgb quiet *selinux=0* +---- + +.. If it is there, remove it from the bootloader configuration using [command]`grubby`: ++ +---- +~]# grubby --update-kernel ALL --remove-args selinux +---- + +.. The change will be applied after you reboot the system (see below). + . Enable SELinux in permissive mode. For more information, see <<{context}-changing-to-permissive-mode>>. . Reboot your system.
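Review bot: The first hunk of proc_disabling-selinux.adoc renames the section ID from `[#{context}-Enabling_and_Disabling_SELinux-Disabling_SELinux]` to `[#{context}-disabling-selinux]`, but nothing in this patch touches existing references to the old ID. The only `<<{context}-disabling-selinux>>` reference shown is the new one added in proc_enabling-selinux.adoc. Please search the modules for the old anchor and update any cross-references in this same change, otherwise they will silently stop resolving.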
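Review bot: The second hunk of proc_disabling-selinux.adoc deletes the `SELINUX=disabled` step for `/etc/selinux/config` and leaves no text about that file. The procedure should say why `selinux=0` on the kernel command line is now the documented method, and what a reader who already has `SELINUX=disabled` in the config file should do with it. Two smaller points in the same hunk: the grubby prerequisite paragraph lands between "follow the procedure below:" and the first step, so it would read better above that lead-in sentence; and `[subs="quotes"]` is not needed on the `rpm -q grubby` and `grubby --update-kernel ALL --args selinux=0` blocks, since neither contains quote markup.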
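Review bot: In the proc_enabling-selinux.adoc hunk, the parenthetical "(this is the recommended way, see <<{context}-disabling-selinux>>)" can be read as recommending that SELinux be disabled. That conflicts with the context line in the disabling procedure, which recommends permissive mode instead of permanently disabling it. Suggest wording along the lines of "disabled on the kernel command line, as described in <<{context}-disabling-selinux>>". Also, the third sub-step ("The change will be applied after you reboot the system (see below).") is not an action; attach it to the grubby sub-step with a `+` continuation instead of giving it its own `..` item. Finally, the new check looks only at `/proc/cmdline`, so it is worth stating here whether a system disabled through `SELINUX=disabled` in `/etc/selinux/config` (the method this patch removes from the other file) is handled by the following "Enable SELinux in permissive mode" step.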