hank-test/quick-docs
1
0
Fork 0
mirror of https://pagure.io/fedora-docs/quick-docs.git synced 2024-11-28 23:06:36 +00:00
Code Issues 1 Projects Releases Packages Wiki Activity Actions
quick-docs/modules/ROOT/pages/_partials/proc_enabling-selinux.adoc
Ondrej Mosnacek db3dc1ca8b Clarify enabling/disabling procedures for SELinux 
* Simplify list of required packages (and add `grubby`).
* Move Disabled -> Enforcing steps from `changing-to-enforcing-mode` to
  `enabling-selinux`.
* In `changing-to-enforcing-mode`, use the correct procedure based on
  whether SELinux is currently Permissive or Disabled.
* Add step for ensuring that filesystem is relabeled when re-enabling
  SELinux.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-11-10 09:46:54 +00:00

58 lines
2.2 KiB
Text
Raw Blame History

// Module included in the following assemblies:
//
// changing-selinux-states-and-modes.adoc
[#{context}-enabling-selinux]
= Enabling SELinux
When enabled, SELinux can run in one of two modes: enforcing or permissive. The following sections show how to permanently change into these modes.
While enabling SELinux on systems that previously had it disabled, to avoid problems, such as systems unable to boot or process failures, follow this procedure:
This procedure assumes that the [package]*selinux-policy-targeted*, [package]*selinux-policy*, [package]*libselinux-utils*, and [package]*grubby* packages are installed. To verify that the packages are installed, use the following command:
[subs="quotes"]
----
~]$ rpm -q _package_name_
----
. In case your system has SELinux disabled at the kernel level (this is the recommended way, see <<{context}-disabling-selinux>>), make sure to undo that first.
.. Check if you have `selinux=0` in your kernel command line:
+
[subs="quotes"]
----
~]$ cat /proc/cmdline
_[...]_ rd.lvm.lv=fedora/swap rhgb quiet *selinux=0*
----
.. If it is there, remove it from the bootloader configuration using [command]`grubby`:
+
----
~]# grubby --update-kernel ALL --remove-args selinux
----
.. The change will be applied after you reboot the system (see below).
. Ensure the filesystem is relabeled on next boot:
+
----
~]# fixfiles onboot
----
. Enable SELinux in permissive mode. For more information, see <<{context}-changing-to-permissive-mode>>.
. Reboot your system.
. Check for SELinux denial messages.
// For more information, see <<Fixing_Problems-Searching_For_and_Viewing_Denials>>.
. If there are no denials, switch to enforcing mode. For more information, see <<{context}-changing-to-enforcing-mode>>.
To run custom applications with SELinux in enforcing mode, choose one of the following scenarios:
* Run your application in the `unconfined_service_t` domain.
// See <<Targeted_Policy-Unconfined_Processes>> for more information.
* Write a new policy for your application. See the link:++https://access.redhat.com/solutions/117583++[Writing Custom SELinux Policy] Knowledgebase article for more information.
// Temporary changes in modes are covered in <<{context}-selinux-states-and-modes>>.
Reference in a new issue View git blame Copy permalink