mirror of
https://pagure.io/fedora-docs/quick-docs.git
synced 2024-10-18 17:26:29 +00:00
72 lines
2.5 KiB
Text
72 lines
2.5 KiB
Text
// Module included in the following assemblies:
|
|
//
|
|
// changing-selinux-states-and-modes.adoc
|
|
|
|
[#{context}-enabling-selinux]
|
|
= Enabling SELinux
|
|
|
|
When enabled, SELinux can run in one of two modes: enforcing or permissive. The following sections show how to permanently change into these modes.
|
|
|
|
While enabling SELinux on systems that previously had it disabled, to avoid problems, such as systems unable to boot or process failures, follow this procedure.
|
|
|
|
.Prerequisites
|
|
|
|
* The [package]`selinux-policy-targeted`, [package]`selinux-policy`, [package]`libselinux-utils`, and [package]`grubby` packages are installed. To check that a particular package is installed:
|
|
+
|
|
[subs="quotes"]
|
|
----
|
|
$ *rpm -q _package_name_*
|
|
----
|
|
|
|
.Procedure
|
|
|
|
. If your system has SELinux disabled at the kernel level (this is the recommended way, see xref:{context}-disabling-selinux[]), change this first. Check if you have the `selinux=0` option in your kernel command line:
|
|
+
|
|
[subs="quotes"]
|
|
----
|
|
$ *cat /proc/cmdline*
|
|
BOOT_IMAGE=... ... selinux=0
|
|
----
|
|
|
|
.. Remove the `selinux=0` option from the bootloader configuration using [command]`grubby`:
|
|
+
|
|
[subs="quotes"]
|
|
----
|
|
$ *sudo grubby --update-kernel ALL --remove-args selinux*
|
|
----
|
|
|
|
.. The change applies after you restart the system in one of the following steps.
|
|
|
|
. Ensure the file system is relabeled on the next boot:
|
|
+
|
|
[subs="quotes"]
|
|
----
|
|
$ *sudo fixfiles onboot*
|
|
----
|
|
|
|
. Enable SELinux in permissive mode. For more information, see xref:{context}-changing-to-permissive-mode[].
|
|
|
|
. Restart your system:
|
|
+
|
|
[subs="quotes"]
|
|
----
|
|
$ *reboot*
|
|
----
|
|
|
|
. Check for SELinux denial messages.
|
|
+
|
|
[subs="quotes"]
|
|
----
|
|
$ *sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent*
|
|
----
|
|
|
|
. If there are no denials, switch to enforcing mode. For more information, see xref:{context}-changing-to-enforcing-mode[].
|
|
|
|
To run custom applications with SELinux in enforcing mode, choose one of the following scenarios:
|
|
|
|
* Run your application in the `unconfined_service_t` domain.
|
|
// See <<Targeted_Policy-Unconfined_Processes>> for more information.
|
|
|
|
* Write a new policy for your application. See the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/writing-a-custom-selinux-policy_using-selinux[Writing a custom SELinux policy] chapter in the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/index[RHEL 8 Using SELinux] document for more information.
|
|
|
|
// Temporary changes in modes are covered in <<{context}-selinux-states-and-modes>>.
|