mirror of
https://pagure.io/fedora-docs/quick-docs.git
synced 2024-11-28 14:56:35 +00:00
Update modules/ROOT/pages/_partials/proc_changing-to-enforcing-mode.adoc
Updated to match https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux#enabling-selinux-on-systems-that-previously-had-it-disabled_changing-selinux-states-and-modes. Left some notes from the pre-fix doc that I was not sure to delete or not.
This commit is contained in:
parent
4d2826a496
commit
c088913464
1 changed files with 35 additions and 19 deletions
|
@ -5,22 +5,24 @@
|
|||
[#{context}-changing-to-enforcing-mode]
|
||||
= Changing to enforcing mode
|
||||
|
||||
When SELinux is running in enforcing mode, it enforces the SELinux policy and denies access based on SELinux policy rules. In Fedora, enforcing mode is enabled by default when the system was initially installed with SELinux.
|
||||
Use the following procedure to switch SELinux to enforcing mode. When SELinux is running in enforcing mode, it enforces the SELinux policy and denies access based on SELinux policy rules. In RHEL, enforcing mode is enabled by default when the system was initially installed with SELinux.
|
||||
|
||||
.Prerequisites
|
||||
|
||||
* The `selinux-policy-targeted`, `libselinux-utils`, and `policycoreutils` packages are installed on your system.
|
||||
|
||||
* The `selinux=0` or `enforcing=0` kernel parameters are not used.
|
||||
|
||||
.Procedure
|
||||
|
||||
. Check the current SELinux mode by using the [command]`getenforce` command:
|
||||
+
|
||||
[subs="quotes"]
|
||||
----
|
||||
$ *getenforce*
|
||||
Permissive
|
||||
----
|
||||
+
|
||||
If the command displays `Disabled`, then follow xref:{context}-enabling-selinux[]. If it displays `Permissive`, use the following steps to change mode to enforcing again:
|
||||
. Open the `/etc/selinux/config` file in a text editor of your choice, for example:
|
||||
|
||||
----
|
||||
# vi /etc/selinux/config
|
||||
----
|
||||
|
||||
. Configure the `SELINUX=enforcing` option:
|
||||
|
||||
. Edit the `/etc/selinux/config` file as follows:
|
||||
+
|
||||
[subs="quotes"]
|
||||
----
|
||||
# This file controls the state of SELinux on the system.
|
||||
|
@ -35,26 +37,40 @@ SELINUX=*enforcing*
|
|||
SELINUXTYPE=targeted
|
||||
----
|
||||
|
||||
. Restart the system:
|
||||
. Save the change, and restart the system:
|
||||
+
|
||||
[subs="quotes"]
|
||||
----
|
||||
$ *reboot*
|
||||
# reboot
|
||||
----
|
||||
+
|
||||
On the next boot, SELinux relabels all files and directories in the system and adds the SELinux context for files and directories that were created when SELinux was disabled.
|
||||
On the next boot, SELinux relabels all the files and directories within the system and adds SELinux context for files and directories that were created when SELinux was disabled.
|
||||
|
||||
.Verification
|
||||
|
||||
. After the system restarts, confirm that the `getenforce` command returns `Enforcing`:
|
||||
|
||||
----
|
||||
$ getenforce
|
||||
Enforcing
|
||||
----
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
After changing to enforcing mode, SELinux may deny some actions because of incorrect or missing SELinux policy rules. To view what actions SELinux denies:
|
||||
After changing to enforcing mode, SELinux may deny some actions because of incorrect or missing SELinux policy rules. To view what actions SELinux denies, enter the following command as root:
|
||||
[subs="quotes"]
|
||||
----
|
||||
$ *sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent*
|
||||
# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts today
|
||||
----
|
||||
Alternatively, with the [package]`setroubleshoot-server` package installed:
|
||||
Alternatively, with the [package]`setroubleshoot-server` package installed, enter:
|
||||
[subs="quotes"]
|
||||
----
|
||||
$ *sudo sealert -a /var/log/audit/audit.log*
|
||||
# grep "SELinux is preventing" /var/log/messages
|
||||
----
|
||||
If SELinux is active and the Audit daemon (auditd) is not running on your system, then search for certain SELinux messages in the output of the dmesg command:
|
||||
----
|
||||
# dmesg | grep -i -e type=1300 -e type=1400
|
||||
----
|
||||
|
||||
If SELinux denies some actions, see the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux[Troubleshooting problems related to SELinux] chapter in the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/index[RHEL 8 Using SELinux] document for information about troubleshooting.
|
||||
====
|
||||
|
|
Loading…
Reference in a new issue