From 8b0b9e4c6e38fa4802c5cea2c0441ca6015a6620 Mon Sep 17 00:00:00 2001 From: Mat McCabe Date: Fri, 11 Feb 2022 01:29:15 +0000 Subject: [PATCH] Update modules/ROOT/pages/_partials/con_permanent-changes-in-selinux-states-and-modes.adoc Updates changes to match https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux#changing-selinux-modes-at-boot-time_changing-selinux-states-and-modes Added :toc: --- .../con_permanent-changes-in-selinux-states-and-modes.adoc | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/ROOT/pages/_partials/con_permanent-changes-in-selinux-states-and-modes.adoc b/modules/ROOT/pages/_partials/con_permanent-changes-in-selinux-states-and-modes.adoc index c9e0e79..236ad62 100644 --- a/modules/ROOT/pages/_partials/con_permanent-changes-in-selinux-states-and-modes.adoc +++ b/modules/ROOT/pages/_partials/con_permanent-changes-in-selinux-states-and-modes.adoc @@ -4,7 +4,7 @@ [#{context}-changing-selinux-modes] = Permanent changes in SELinux states and modes - +:toc: As discussed in link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-introduction[Introduction to SELinux], SELinux can be enabled or disabled. When enabled, SELinux has two modes: enforcing and permissive. Use the [command]`getenforce` or [command]`sestatus` commands to check in which mode SELinux is running. The [command]`getenforce` command returns `Enforcing`, `Permissive`, or `Disabled`. 
@@ -28,5 +28,7 @@ Max kernel policy version: 31 [NOTE] ==== -When systems run SELinux in permissive mode, users are able to label files incorrectly. Files created while SELinux is disabled are not labeled at all. This behavior causes problems when changing to enforcing mode because files are labeled incorrectly or are not labeled at all. To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from the disabled state to permissive or enforcing mode. +When systems run SELinux in permissive mode, users and processes can label various file-system objects incorrectly. File-system objects created while SELinux is disabled are not labeled at all. This behavior causes problems when changing to enforcing mode because SELinux relies on correct labels of file-system objects. + +To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from the disabled state to permissive or enforcing mode. In permissive mode, use the [command]`fixfiles -F onboot` command as root to create `/.autorelabel` file containing the `-F` option to ensure that files are relabeled upon next reboot. ====
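Review bot: In the first hunk (`@@ -4,7 +4,7 @@`), `:toc:` replaces the blank line after the `= Permanent changes in SELinux states and modes` title, and it is set inside a file under `_partials/`. Asciidoctor only honors `toc` when it is set in the header of the document being rendered (or passed from the CLI/API), so setting it in an included partial is unlikely to have the intended effect, and any page that includes this partial would inherit the side effect. As far as the hunk shows, the change also drops the blank line that separated the title from the "As discussed in ..." paragraph. I would drop this line from the patch, or set the attribute in the including page, and keep the blank line. It is also unrelated to the stated purpose of syncing the text with the RHEL 8 guide, so it fits better in its own commit. Separately, the unchanged context line still links to the RHEL 7 "Introduction to SELinux" chapter while the commit message references the RHEL 8 document; worth confirming that is intended.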
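Review bot: In the second hunk (`@@ -28,5 +28,7 @@`), the new closing sentence of the NOTE does not say when the manual step is needed: the sentence before it states that file systems are relabeled automatically when leaving the disabled state, and the next one tells the reader to run `fixfiles -F onboot` "In permissive mode" without linking the two. Please state the condition, for example that this is done in permissive mode before switching to enforcing so that objects mislabeled while permissive are corrected on the next boot, if that is the intent. Two smaller points in the same added lines: "to create `/.autorelabel` file" is missing an article ("to create the `/.autorelabel` file"), and the first added paragraph switches to "file-system objects" while the second still says "incorrectly labeled and unlabeled files", so the terminology within one NOTE is inconsistent. Since the note instructs a command run as root that forces a full relabel at reboot, a short mention of what the `-F` option changes compared with a plain relabel would help readers decide whether they need it.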