From db3dc1ca8bc0c19abaaa50d4f1bd4e77b4e1cfb6 Mon Sep 17 00:00:00 2001 From: Ondrej Mosnacek Date: Fri, 30 Oct 2020 14:47:18 +0100 Subject: [PATCH] Clarify enabling/disabling procedures for SELinux * Simplify list of required packages (and add `grubby`). * Move Disabled -> Enforcing steps from `changing-to-enforcing-mode` to `enabling-selinux`. * In `changing-to-enforcing-mode`, use the correct procedure based on whether SELinux is currently Permissive or Disabled. * Add step for ensuring that filesystem is relabeled when re-enabling SELinux. Signed-off-by: Ondrej Mosnacek --- .../_partials/proc_changing-to-enforcing-mode.adoc | 8 +------- .../ROOT/pages/_partials/proc_enabling-selinux.adoc | 12 ++++++++++++ 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/modules/ROOT/pages/_partials/proc_changing-to-enforcing-mode.adoc b/modules/ROOT/pages/_partials/proc_changing-to-enforcing-mode.adoc index 659b4da..59a564a 100644 --- a/modules/ROOT/pages/_partials/proc_changing-to-enforcing-mode.adoc +++ b/modules/ROOT/pages/_partials/proc_changing-to-enforcing-mode.adoc 
@@ -7,13 +7,7 @@ When SELinux is running in enforcing mode, it enforces the SELinux policy and denies access based on SELinux policy rules. In Fedora, enforcing mode is enabled by default when the system was initially installed with SELinux. -If SELinux was disabled, follow the procedure below to change mode to enforcing again: - -This procedure assumes that the [package]*selinux-policy-targeted*, [package]*selinux-policy*, [package]*libselinux*, [package]*libselinux-python*, [package]*libselinux-utils*, [package]*policycoreutils*, and [package]*policycoreutils-python* packages are installed. To verify that the packages are installed, use the following command: -[subs="quotes"] ----- -~]$ rpm -q _package_name_ ----- +First check the current SELinux mode by running the [command]`getenforce` command. If it displays `Disabled`, then follow <<{context}-enabling-selinux>>. Otherwise, if it displays `Permissive`, follow the procedure below to change mode to enforcing again: . Edit the `/etc/selinux/config` file as follows: + diff --git a/modules/ROOT/pages/_partials/proc_enabling-selinux.adoc b/modules/ROOT/pages/_partials/proc_enabling-selinux.adoc index b6c267e..1abea3d 100644 --- a/modules/ROOT/pages/_partials/proc_enabling-selinux.adoc +++ b/modules/ROOT/pages/_partials/proc_enabling-selinux.adoc 
@@ -9,6 +9,12 @@ When enabled, SELinux can run in one of two modes: enforcing or permissive. The While enabling SELinux on systems that previously had it disabled, to avoid problems, such as systems unable to boot or process failures, follow this procedure: +This procedure assumes that the [package]*selinux-policy-targeted*, [package]*selinux-policy*, [package]*libselinux-utils*, and [package]*grubby* packages are installed. To verify that the packages are installed, use the following command: +[subs="quotes"] +---- +~]$ rpm -q _package_name_ +---- + . In case your system has SELinux disabled at the kernel level (this is the recommended way, see <<{context}-disabling-selinux>>), make sure to undo that first. .. Check if you have `selinux=0` in your kernel command line: @@ -27,6 +33,12 @@ _[...]_ rd.lvm.lv=fedora/swap rhgb quiet *selinux=0* .. The change will be applied after you reboot the system (see below). +. Ensure the filesystem is relabeled on next boot: ++ +---- +~]# fixfiles onboot +---- + . Enable SELinux in permissive mode. For more information, see <<{context}-changing-to-permissive-mode>>. . Reboot your system.
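Review bot: In `proc_changing-to-enforcing-mode.adoc` (hunk `@@ -7,13 +7,7 @@`), the new lead-in handles `Disabled` and `Permissive` but not the third value `getenforce` can print, `Enforcing`, so a reader whose system is already enforcing falls through both branches. Consider adding a short clause such as "If it displays `Enforcing`, no change is needed." The closing words "to change mode to enforcing again" also assume the system was enforcing at some earlier point; "to change the mode to enforcing" reads correctly in either case.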
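Review bot: In `proc_enabling-selinux.adoc` (hunk `@@ -9,6 +9,12 @@`), the package-prerequisite paragraph is inserted between the sentence ending "follow this procedure:" and the first numbered step, so the colon now introduces the assumptions rather than the steps. Moving the added paragraph and its `rpm -q` block above the "While enabling SELinux on systems that previously had it disabled" sentence keeps that lead-in directly attached to the list. Since the list is now down to four packages, the verification command could also name them (`rpm -q selinux-policy-targeted selinux-policy libselinux-utils grubby`) instead of the `_package_name_` placeholder, which saves the reader from running it four times.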
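Review bot: In `proc_enabling-selinux.adoc` (hunk `@@ -27,6 +33,12 @@`), the new `fixfiles onboot` step gives the command with no explanation of why it is needed or what to expect from it. A sentence after the listing would help, for example that files created while SELinux was disabled carry no labels, that the command schedules a full relabel for the next boot, and that this boot can take noticeably longer depending on filesystem size. It is also worth stating here that the relabel is triggered by the "Reboot your system" step that follows, so readers do not reboot between this step and enabling permissive mode.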