JoshuaBrindle at 18:45, 19 November 2009

2009-11-19T18:45:18Z

←Older revision		Revision as of 18:45, 19 November 2009
Line 1:		Line 1:
	== Mode ==		== Mode ==

-	There are 3 modes: ~~<tt>~~enforcing~~</tt>~~, ~~<tt>~~permissive~~</tt>~~, and ~~<tt>~~disabled~~</tt>~~.	+	There are 3 modes: ''enforcing'', ''permissive'', and ''disabled''.

-	In ~~<tt>~~enforcing~~</tt>~~ mode SELinux policy will be enforced and is most useful in production systems. In ~~<tt>~~permissive~~</tt>~~ mode SELinux will not enforce policy, but will log any denials. ~~<tt>~~permissive~~</tt>~~ mode is used for debugging and policy development. In ~~<tt>~~disabled~~</tt>~~ mode SELinux policy will not be enforced (or logged).	+	In ''enforcing'' mode SELinux policy will be enforced and is most useful in production systems. In ''permissive'' mode SELinux will not enforce policy, but will log any denials. ''permissive'' mode is used for debugging and policy development. In ''disabled'' mode SELinux policy will not be enforced (or logged).

-	It is not recommended to set an SELinux system into ~~<tt>~~disabled~~</tt>~~ mode. Doing so will almost certainly result in files on disk being mislabeled and require a relabel to fix. It is also not possible to change the mode of the system when it has been booted in ~~<tt>~~disabled~~</tt>~~ mode. It is best to set selinux into ~~<tt>~~permissive~~</tt>~~ mode instead.	+	It is not recommended to set an SELinux system into ''disabled'' mode. Doing so will almost certainly result in files on disk being mislabeled and require a relabel to fix. It is also not possible to change the mode of the system when it has been booted in ''disabled'' mode. It is best to set selinux into ''permissive'' mode instead.

	The mode may be changed in the boot loader, selinux config, and at runtime with setenforce.		The mode may be changed in the boot loader, selinux config, and at runtime with setenforce.
Line 15:		Line 15:
	In /boot/grub/menu.lst, find a line similar to this:		In /boot/grub/menu.lst, find a line similar to this:

-	~~<pre>~~	+	kernel /boot/vmlinuz-2.6.28-11-generic root=UUID=5d8bcca0-b763-41b8-ab2c-d68880f8f4b5 ro quiet splash apparmor.enabled=0 selinux=1
-	kernel /boot/vmlinuz-2.6.28-11-generic root=UUID=5d8bcca0-b763-41b8-ab2c-d68880f8f4b5 ro quiet splash apparmor.enabled=0 selinux=1	+
-	~~</pre>~~	+

	An additional parameter 'enforcing=[0\|1]' can be passed to set the mode:		An additional parameter 'enforcing=[0\|1]' can be passed to set the mode:

-	<pre>
-	kernel /boot/vmlinuz-2.6.28-11-generic root=UUID=5d8bcca0-b763-41b8-ab2c-d68880f8f4b5 ro quiet splash apparmor.enabled=0 selinux=1 enforcing=0
-	</pre>

-	In the example above the mode has been set to 'enforcing=0' (which means ~~<tt>~~permissive~~</tt>~~).	+	kernel /boot/vmlinuz-2.6.28-11-generic root=UUID=5d8bcca0-b763-41b8-ab2c-d68880f8f4b5 ro quiet splash apparmor.enabled=0 selinux=1 enforcing=0
		+
		+
		+	In the example above the mode has been set to 'enforcing=0' (which means ''permissive'').

	SELinux may be disabled by changing 'selinux=1' to 'selinux=0'		SELinux may be disabled by changing 'selinux=1' to 'selinux=0'

-	~~<pre>~~	+
-	kernel /boot/vmlinuz-2.6.28-11-generic root=UUID=5d8bcca0-b763-41b8-ab2c-d68880f8f4b5 ro quiet splash apparmor.enabled=0 selinux=0	+	kernel /boot/vmlinuz-2.6.28-11-generic root=UUID=5d8bcca0-b763-41b8-ab2c-d68880f8f4b5 ro quiet splash apparmor.enabled=0 selinux=0
-	~~</pre>~~	+

	Setting the mode at the command line overrides the setting in the selinux config /etc/selinux/config.		Setting the mode at the command line overrides the setting in the selinux config /etc/selinux/config.
Line 37:		Line 36:
	=== SELinux Config ===		=== SELinux Config ===

-	The SELinux config file is /etc/selinux/config:	+	The SELinux config file is ''/etc/selinux/config'':

-	<pre>
-	# This file controls the state of SELinux on the system.
-	# SELINUX= can take one of these three values:
-	# enforcing - SELinux security policy is enforced.
-	# permissive - SELinux prints warnings instead of enforcing.
-	# disabled - No SELinux policy is loaded.
-	SELINUX=permissive

-	# ~~SELINUXTYPE~~= can take one of these ~~two~~ values:	+	# This file controls the state of SELinux on the system.
-	# ~~default~~ - ~~equivalent to the old strict and targeted policies~~	+	# SELINUX= can take one of these three values:
-	# ~~mls~~ - ~~Multi-Level Security (for military and educational use)~~	+	# enforcing - SELinux security policy is enforced.
-	# ~~src~~ - ~~Custom~~ policy ~~built from source~~	+	# permissive - SELinux prints warnings instead of enforcing.
-	~~SELINUXTYPE~~=~~ubuntu~~	+	# disabled - No SELinux policy is loaded.
		+	SELINUX=permissive

-	# ~~SETLOCALDEFS~~= ~~Check local definition changes~~	+	# SELINUXTYPE= can take one of these two values:
-	~~SETLOCALDEFS=0~~	+	# default - equivalent to the old strict and targeted policies
-	~~</pre>~~	+	# mls - Multi-Level Security (for military and educational use)
		+	# src - Custom policy built from source
		+	SELINUXTYPE=ubuntu

-	The mode can be changed by setting SELINUX to either ~~<tt>~~enforcing~~</tt>~~, ~~<tt>~~permissive~~</tt>~~, or ~~<tt>~~disabled~~</tt>~~.	+	# SETLOCALDEFS= Check local definition changes
		+	SETLOCALDEFS=0
		+
		+
		+	The mode can be changed by setting SELINUX to either ''enforcing'', ''permissive'', or ''disabled''.

	Mode set in the boot loader overrides the settings in this file.		Mode set in the boot loader overrides the settings in this file.
Line 63:		Line 62:
	=== Runtime ===		=== Runtime ===

-	The mode can be changed between ~~<tt>~~enforcing~~</tt>~~ and ~~<tt>~~permissive~~</tt>~~ at runtime via the setenforce command:	+	The mode can be changed between ''enforcing'' and ''permissive'' at runtime via the setenforce command:
		+

-	~~<pre>~~	+	# getenforce
-	$ getenforce	+	Permissive
-	Permissive	+	# setenforce 1
-	$ setenforce 1	+	# getenforce
-	$ getenforce	+	Enforcing
-	Enforcing	+	# setenforce 0
-	$ setenforce 0	+	# getenforce
-	$ getenforce	+	Permissive
-	Permissive	+
-	~~</pre>~~	+

CalebCase: New page: == Mode == There are 3 modes: `enforcing`, `permissive`, and `disabled`. In `enforcing` mode SELinux policy will be enforced and is most useful in production ...

2009-06-26T14:03:57Z

New page: == Mode == There are 3 modes: <tt>enforcing</tt>, <tt>permissive</tt>, and <tt>disabled</tt>. In <tt>enforcing</tt> mode SELinux policy will be enforced and is most useful in production ...

New page

== Mode ==

There are 3 modes: <tt>enforcing</tt>, <tt>permissive</tt>, and <tt>disabled</tt>.

In <tt>enforcing</tt> mode SELinux policy will be enforced and is most useful in production systems. In <tt>permissive</tt> mode SELinux will not enforce policy, but will log any denials. <tt>permissive</tt> mode is used for debugging and policy development. In <tt>disabled</tt> mode SELinux policy will not be enforced (or logged).

It is not recommended to set an SELinux system into <tt>disabled</tt> mode. Doing so will almost certainly result in files on disk being mislabeled and require a relabel to fix. It is also not possible to change the mode of the system when it has been booted in <tt>disabled</tt> mode. It is best to set selinux into <tt>permissive</tt> mode instead.

The mode may be changed in the boot loader, selinux config, and at runtime with setenforce.

=== Grub ===

==== Ubuntu ====

In /boot/grub/menu.lst, find a line similar to this:

<pre>
kernel /boot/vmlinuz-2.6.28-11-generic root=UUID=5d8bcca0-b763-41b8-ab2c-d68880f8f4b5 ro quiet splash apparmor.enabled=0 selinux=1
</pre>

An additional parameter 'enforcing=[0|1]' can be passed to set the mode:

<pre>
kernel /boot/vmlinuz-2.6.28-11-generic root=UUID=5d8bcca0-b763-41b8-ab2c-d68880f8f4b5 ro quiet splash apparmor.enabled=0 selinux=1 enforcing=0
</pre>

In the example above the mode has been set to 'enforcing=0' (which means <tt>permissive</tt>).

SELinux may be disabled by changing 'selinux=1' to 'selinux=0'

<pre>
kernel /boot/vmlinuz-2.6.28-11-generic root=UUID=5d8bcca0-b763-41b8-ab2c-d68880f8f4b5 ro quiet splash apparmor.enabled=0 selinux=0
</pre>

Setting the mode at the command line overrides the setting in the selinux config /etc/selinux/config.

=== SELinux Config ===

The SELinux config file is /etc/selinux/config:

<pre>
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive

# SELINUXTYPE= can take one of these two values:
# default - equivalent to the old strict and targeted policies
# mls - Multi-Level Security (for military and educational use)
# src - Custom policy built from source
SELINUXTYPE=ubuntu

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
</pre>

The mode can be changed by setting SELINUX to either <tt>enforcing</tt>, <tt>permissive</tt>, or <tt>disabled</tt>.

Mode set in the boot loader overrides the settings in this file.

=== Runtime ===

The mode can be changed between <tt>enforcing</tt> and <tt>permissive</tt> at runtime via the setenforce command:

<pre>
$ getenforce
Permissive
$ setenforce 1
$ getenforce
Enforcing
$ setenforce 0
$ getenforce
Permissive
</pre>

Guide/Mode - Revision history

JoshuaBrindle at 18:45, 19 November 2009

CalebCase: New page: == Mode == There are 3 modes: enforcing, permissive, and disabled. In enforcing mode SELinux policy will be enforced and is most useful in production ...

CalebCase: New page: == Mode == There are 3 modes: `enforcing`, `permissive`, and `disabled`. In `enforcing` mode SELinux policy will be enforced and is most useful in production ...