SELinux – when installed – can take on one of three modes:
- Enforcing
- Permissive
- Disabled
To check which mode SELinux is running in, we can use either sestatus for more detailed output, or simply getenforce for a one-liner:

    sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Max kernel policy version:      28

getenforce on the other hand will literally just say a single word, like “Enforcing”.
To change this mode, edit /etc/selinux/config:

    vi /etc/selinux/config

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=enforcing
    # SELINUXTYPE= can take one of these two values:
    #     targeted - Targeted processes are protected,
    #     minimum - Modification of targeted policy. Only selected processes are protected.
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted

Change the file according to the comments and restart the system for the changes to take effect.
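
The same edit can be scripted instead of done in vi. The following is an added example, not part of the original post: it rejects any value other than the three modes, keeps a backup, and compares the running mode with the configured one (the "Current mode" and "Mode from config file" lines of sestatus). The function names and the sample file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example; function names and the sample file are illustrative.

# Print the mode set by the SELINUX= line of a config file, lowercased.
# Comment lines and the SELINUXTYPE= line do not match the pattern.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Rewrite the SELINUX= line, refusing anything but the three valid modes.
# The previous file is kept as FILE.bak.
set_config_mode() {
    local file=$1 mode=$2
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode" >&2; return 2 ;;
    esac
    cp -p "$file" "$file.bak" || return 1
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file.bak" > "$file"
}

# Compare the running mode (as printed by getenforce, e.g. "Enforcing")
# with the config file. Returns 0 when they agree, 1 when they differ.
mode_matches_config() {
    local running
    running=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    [ "$running" = "$(config_mode "$2")" ]
}

# Demonstration on a constructed sample file (not the real config).
sample=$(mktemp)
printf '%s\n' \
    '# SELINUX= can take one of these three values:' \
    'SELINUX=enforcing' \
    'SELINUXTYPE=targeted' > "$sample"
set_config_mode "$sample" permissive
echo "configured mode: $(config_mode "$sample")"
mode_matches_config "Enforcing" "$sample" \
    || echo "running mode differs from config until the system is restarted"
rm -f "$sample" "$sample.bak"

# On a real system (as root):
#   set_config_mode /etc/selinux/config permissive
#   mode_matches_config "$(getenforce)" /etc/selinux/config
```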
Find out more about SELinux and what it’s good for here:
- https://www.digitalocean.com/community/tutorials/an-introduction-to-selinux-on-centos-7-part-1-basic-concepts
- http://wiki.centos.org/HowTos/SELinux