quick-docs/modules/ROOT/pages/_partials/proc_changing-to-enforcing-mode.adoc
Luke Rawlins 7771e2155d Update modules/ROOT/pages/_partials/proc_changing-to-enforcing-mode.adoc
Added sealert commands to search audit log, in place of /var/log/messages which may not be available on a default fedora installation.
2021-01-25 23:35:46 +00:00

60 lines
2.3 KiB
Text

// Module included in the following assemblies:
//
// changing-selinux-states-and-modes.adoc
[#{context}-changing-to-enforcing-mode]
= Changing to enforcing mode
When SELinux is running in enforcing mode, it enforces the SELinux policy and denies access based on SELinux policy rules. In Fedora, enforcing mode is enabled by default when the system was initially installed with SELinux.
.Procedure
. Check the current SELinux mode by using the [command]`getenforce` command:
+
[subs="quotes"]
----
$ *getenforce*
Permissive
----
+
If the command displays `Disabled`, then follow xref:{context}-enabling-selinux[]. If it displays `Permissive`, use the following steps to change mode to enforcing again:
. Edit the `/etc/selinux/config` file as follows:
+
[subs="quotes"]
----
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=*enforcing*
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
----
. Restart the system:
+
[subs="quotes"]
----
$ *reboot*
----
+
On the next boot, SELinux relabels all files and directories in the system and adds the SELinux context for files and directories that were created when SELinux was disabled.
[NOTE]
====
After changing to enforcing mode, SELinux may deny some actions because of incorrect or missing SELinux policy rules. To view what actions SELinux denies:
[subs="quotes"]
----
$ *sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent*
----
Alternatively, with the [package]`setroubleshoot-server` package installed:
[subs="quotes"]
----
$ *sudo sealert -a /var/log/audit/audit.log*
----
If SELinux denies some actions, see the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux[Troubleshooting problems related to SELinux] chapter in the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/index[RHEL 8 Using SELinux] document for information about troubleshooting.
====