Set enforcing and permissive modes for SELinux

SELinux is a mandatory access control system designed for Linux. Troubleshooting SELinux can be complex but knowing how to place it in permissive mode while acquiring logs of SELinux policy violations for troubleshooting purposes will save a great deal of time.

- Before we can talk about SELinux security context, we need to cover a few terms first. SELinux is a mandatory access control system, which is layered over the top of the built in discretionary access control. Mandatory access control provides a system wide list of rules that determines access control without regard to ownership. Discretionary access control, however, is based off of who owns a resource. If they own it, they get to determine who gets to access it. It's at the owner's discretion. A subject is a user or process.

An object is a resource such as a file, directory, device, pipe or other. Access is the action performed by the subject on an object such as read, write or create. The security policy is the system-wide set of rules defining what the subjects can do to the objects. There are two policies to choose from at Enterprise Linux - targeted and strict. Targeted is the default. The security context or label is the tags that SELinux stores for subjects and objects. All subjects and objects will have a security context.

Type enforcement is the default type of mandatory access control used on Enterprise Linux. There's also role based access control and multi level security, all of which are part of SELinux. In type enforcement, all subjects and objects belong to groups called types. Roles in the security policy determine which types can access other types. SELinux has several operating modes. Enforcing mode, where security policy is being enforced. Permissive mode, where the policy is consulted and messages are printed, but the policy is not enforced.

And lastly, disabled, which is just that; SELinux is turned off and no mandatory access control system is in place. I do not recommend turning SELinux off. Note that there are times when having SELinux set to permissive mode still denies a subject access to an object, but usually that's not a problem. Let's start by getting the current SELinux mode. Type into a terminal: sestatus and hit enter. This shows we're using the targeted policy and is being enforced. Another command that we can use to get this information is getenforce.

We can alter the SELinux mode in real time by using setenforce. Type in sudo, space, setenforce space, permissive, and hit enter. We can verify this by using getenforce. We can now see that we're in permissive mode. This change, however, is temporary and if we want it to survive a reboot we'd have to edit the slash etc slash selinux slash config file and reboot. Type in sudo, space, vi, space, slash etc slash selinux slash config, then hit enter.

If we wanted to change SELinux into permissive mode, we'd change SELinux equals enforcing to SELinux equals permissive. Then, we'd save the file and reboot the system. I'm going to keep mine in enforcing mode and just leave the editor. Also, if you want to disable SELinux altogether, it cannot be done live. This configuration file needs to be edited and the system has to be rebooted.

Resume Transcript Auto-Scroll

Author

Grant McWilliams

Skill Level Intermediate

6h 23m

Duration

134,816

Views

Show More Show Less

Related Courses

Introduction
- Welcome
  57s
- What you should know
  3m 45s
- About Red Hat Certifications
  2m 52s
- Exercise files for this course
  1m 3s
1. Deploy Systems
- Create a bootable CentOS 7 live USB drive on Windows
  2m 48s
- Install Red Hat Enterprise Linux on a physical machine
  6m 15s
- Virtualization on Enterprise Linux
  6m 17s
- Prepare the host for virtualization
  2m 29s
- Install Linux interactively in a guest virtual machine (VM)
  5m 57s
- Use kickstart files to automate installs
  5m 56s
- Install Linux unattended in a guest VM
  3m 36s
- Configure VM virtual graphics cards and terminals
  4m 18s
- Configure VMs to communicate with each other
  1m 16s
- Managing virtual machines
  6m 42s
- Before you go further - VM checklist
  1m 15s
2. System Config and Services
- Understand the Linux boot process
  2m 16s
- Boot into the emergency target
  6m 15s
- Introduction to systemd services
  2m 32s
- Get systemd service status
  3m 56s
- Manage systemd services
  2m 33s
- Make systemd services persistent
  1m 40s
- Configure networking
  3m 52s
- Configure a system to use network time protocol
  5m 17s
- Manage one-time jobs with at
  4m 16s
- Manage reoccurring user jobs with cron
  5m 33s
- Manage reoccurring system jobs with cron
  4m 13s
- Limiting access to at and cron
  3m 41s
3. Essential Tools
- Use input-output redirection (>, >>, |, 2>, and more)
  5m 2s
- Use grep and regular expressions to analyze text
  5m 16s
- Archive files using tar
  4m 40s
- Compress files and archives
  4m 14s
- Create files and directories
  5m 18s
- Copy files and directories
  5m 48s
- Move files and directories
  4m 59s
- Remove files and directories
  6m 2s
- Create hard and soft links
  4m 55s
- Introduction to vim
  3m 33s
- Editing text with vim
  2m 45s
- Locate, read, and use system documentation
  5m 16s
- Locate and interpret system log files
  5m 4s
- Reading the system journal
  3m 26s
4. Manage System Software
- Install from a software repository
  3m 9s
- Linux repository management systems
  2m 43s
- Query with RPM
  7m 14s
- RPM query formatting
  6m 5s
- Overview of yum
  2m 20s
- Select yum packages by name
  4m 1s
- Get info on packages with yum
  5m 47s
- Get info on package groups
  5m 15s
- Search for packages
  1m 47s
- Install and remove packages
  6m 59s
- Install and remove package groups
  5m 42s
- Manage OS updates
  6m 48s
- Update the kernel
  4m 29s
- Manage kernel modules
  5m 18s
5. Users and Accounts
- Create and delete local user accounts
  4m 27s
- Modify local user accounts
  4m 57s
- Change passwords and adjust password aging for local user accounts
  3m 45s
- Manage aging for local user accounts
  7m 4s
- Create, delete, and modify local groups and group memberships
  2m 35s
- Log in and switch users in multiuser targets
  2m 27s
- Elevating privileges using sudo
  3m 28s
6. File Access Control
- File and directory modes
  1m 19s
- Change file and directory ownership
  4m 34s
- Set permissions using numeric mode
  3m 13s
- Set permissions using symbolic mode
  5m 16s
- Default permissions using umask
  5m 50s
- Special file bits: SUID and SGID
  3m 49s
- Special directory bits: SGID and sticky
  6m 26s
- Read access control lists
  3m 36s
- Set access control lists
  5m 49s
- Configure inheritance with default access control Lists
  4m 27s
- Delete access control Lists
  4m 15s
7. Manage Security
- Set enforcing and permissive modes for SELinux
  3m 9s
- List and identify SELinux file and process context
  3m 46s
- Restore SELinux default file contexts
  4m 40s
- Use Booleans to modify SELinux behavior
  2m 43s
- Diagnose routine SELinux policy violations
  5m 34s
- Maintaining security context when managing files
  1m 3s
- Manage firewalls
  3m 15s
8. Accessing Linux Remotely
- Configure Secure Shell
  2m 36s
- Configure key-based authentication for SSH
  3m 22s
- Securely transfer files between systems
  5m 23s
- Access Linux from Windows using PuTTY
  2m 52s
- Access Linux from MacOS or Linux using SSH
  57s
- Access Linux from iOS using SSH
  1m 52s
- Access Linux from Android using SSH
  1m 34s
9. Configure Local Storage
- List, create, and delete partitions on MBR and GPT disks
  4m 50s
- Manage LVM volumes and volume groups
  8m 15s
- Mount file systems at boot by ID or label
  6m 41s
- Extend existing logical volumes
  4m 15s
- Mount and unmount CIFS and NFS network file systems
  2m 53s
Conclusion
- Next steps
  1m 20s

Show MoreShow Less

Take notes with your new membership!

Type in the entry box, then click Enter to save your note.

1:30Press on any video thumbnail to jump immediately to the timecode shown.

Notes are saved with you account but can also be exported as plain text, MS Word, PDF, Google Doc, or Evernote.

Start My Free Month

Skills covered in this course

Categories

3D + Animation Topics

3D + Animation Software

3D + Animation Learning Paths

Audio + Music Topics

Audio + Music Software

Audio + Music Learning Paths

Business Topics

Business Software

Business Learning Paths

Business Guides

CAD Topics

CAD Software

CAD Learning Paths

Design Topics

Design Software

Design Learning Paths

Developer Topics

Developer Software

Developer Learning Paths

Education + Elearning Topics

Education + Elearning Software

Education + Elearning Learning Paths

IT Topics

IT Software

IT Learning Paths

Marketing Topics

Marketing Software

Marketing Learning Paths

Photography Topics

Photography Software

Photography Learning Paths

Video Topics

Video Software

Video Learning Paths

Web Topics

Web Software

Web Learning Paths

Web Guides

Set enforcing and permissive modes for SELinux

Author

Skill Level Intermediate

Duration

Views

Related Courses

Setting up a Red Hat Enterprise Linux Server

Linux: Overview and Installation

Linux: Desktops and Remote Access

Linux: System Information and Directory Structure Tools

Introduction

1. Deploy Systems

2. System Config and Services

3. Essential Tools

4. Manage System Software

5. Users and Accounts

6. File Access Control

7. Manage Security

8. Accessing Linux Remotely

9. Configure Local Storage

Conclusion

Take notes with your new membership!

Skills covered in this course

Continue Assessment

Start My Free Month