quick-docs/modules/ROOT/partialsdelete/2delete-proc_enabling-selinux.adoc

72 lines
2.5 KiB
Text

// Module included in the following assemblies:
//
// changing-selinux-states-and-modes.adoc
[#{context}-enabling-selinux]
= Enabling SELinux
When enabled, SELinux can run in one of two modes: enforcing or permissive. The following sections show how to permanently change into these modes.
While enabling SELinux on systems that previously had it disabled, to avoid problems, such as systems unable to boot or process failures, follow this procedure.
.Prerequisites
* The [package]`selinux-policy-targeted`, [package]`selinux-policy`, [package]`libselinux-utils`, and [package]`grubby` packages are installed. To check that a particular package is installed:
+
[subs="quotes"]
----
$ *rpm -q _package_name_*
----
.Procedure
. If your system has SELinux disabled at the kernel level (this is the recommended way, see xref:{context}-disabling-selinux[]), change this first. Check if you have the `selinux=0` option in your kernel command line:
+
[subs="quotes"]
----
$ *cat /proc/cmdline*
BOOT_IMAGE=... ... selinux=0
----
.. Remove the `selinux=0` option from the bootloader configuration using [command]`grubby`:
+
[subs="quotes"]
----
$ *sudo grubby --update-kernel ALL --remove-args selinux*
----
.. The change applies after you restart the system in one of the following steps.
. Ensure the file system is relabeled on the next boot:
+
[subs="quotes"]
----
$ *sudo fixfiles onboot*
----
. Enable SELinux in permissive mode. For more information, see xref:{context}-changing-to-permissive-mode[].
. Restart your system:
+
[subs="quotes"]
----
$ *reboot*
----
. Check for SELinux denial messages.
+
[subs="quotes"]
----
$ *sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent*
----
. If there are no denials, switch to enforcing mode. For more information, see xref:{context}-changing-to-enforcing-mode[].
To run custom applications with SELinux in enforcing mode, choose one of the following scenarios:
* Run your application in the `unconfined_service_t` domain.
// See <<Targeted_Policy-Unconfined_Processes>> for more information.
* Write a new policy for your application. See the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/writing-a-custom-selinux-policy_using-selinux[Writing a custom SELinux policy] chapter in the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/index[RHEL 8 Using SELinux] document for more information.
// Temporary changes in modes are covered in <<{context}-selinux-states-and-modes>>.