Set enforcing and permissive modes for SELinux

- Before we can talk about SELinux security context, we need to cover a few terms first. SELinux is a mandatory access control system, which is layered over the top of the built in discretionary access control. Mandatory access control provides a system wide list of rules that determines access control without regard to ownership. Discretionary access control, however, is based off of who owns a resource. If they own it, they get to determine who gets to access it. It's at the owner's discretion. A subject is a user or process.

An object is a resource such as a file, directory, device, pipe or other. Access is the action performed by the subject on an object such as read, write or create. The security policy is the system-wide set of rules defining what the subjects can do to the objects. There are two policies to choose from at Enterprise Linux - targeted and strict. Targeted is the default. The security context or label is the tags that SELinux stores for subjects and objects. All subjects and objects will have a security context.

Type enforcement is the default type of mandatory access control used on Enterprise Linux. There's also role based access control and multi level security, all of which are part of SELinux. In type enforcement, all subjects and objects belong to groups called types. Roles in the security policy determine which types can access other types. SELinux has several operating modes. Enforcing mode, where security policy is being enforced. Permissive mode, where the policy is consulted and messages are printed, but the policy is not enforced.

And lastly, disabled, which is just that; SELinux is turned off and no mandatory access control system is in place. I do not recommend turning SELinux off. Note that there are times when having SELinux set to permissive mode still denies a subject access to an object, but usually that's not a problem. Let's start by getting the current SELinux mode. Type into a terminal: sestatus and hit enter. This shows we're using the targeted policy and is being enforced. Another command that we can use to get this information is getenforce.

We can alter the SELinux mode in real time by using setenforce. Type in sudo, space, setenforce space, permissive, and hit enter. We can verify this by using getenforce. We can now see that we're in permissive mode. This change, however, is temporary and if we want it to survive a reboot we'd have to edit the slash etc slash selinux slash config file and reboot. Type in sudo, space, vi, space, slash etc slash selinux slash config, then hit enter.

If we wanted to change SELinux into permissive mode, we'd change SELinux equals enforcing to SELinux equals permissive. Then, we'd save the file and reboot the system. I'm going to keep mine in enforcing mode and just leave the editor. Also, if you want to disable SELinux altogether, it cannot be done live. This configuration file needs to be edited and the system has to be rebooted.