SELINUX SECURITY:
SELinux (how to view SELinux contexts):
# ls -Z
# netstat -Z
# ps -Z

Enabling or Disabling Enforcement 

You can enable and disable SELinux enforcement at runtime or configure it to start in the correct mode at boot time, using the command line or GUI. SELinux can operate in one of three modes: disabled, meaning not enabled in the kernel; permissive, meaning SELinux is running and logging but not controlling permissions; or enforcing, meaning SELinux is running and enforcing policy.
Use the setenforce command to change between permissive and enforcing modes at runtime. Use setenforce 0 to enter permissive mode; use setenforce 1 to enter enforcing mode.
The sestatus command displays the current mode and the mode from the configuration file referenced during boot:

# sestatus | grep -i mode
Current mode:           permissive
Mode from config file:  permissive


Note that changing the runtime enforcement mode does not affect the boot-time configuration:

# setenforce 1
# sestatus | grep -i mode
Current mode:           enforcing
Mode from config file:  permissive

You can also disable enforcing mode for a single daemon. For example, if you are trying to troubleshoot the named daemon and SELinux, you can turn off enforcing for just that daemon.

 

Use the getsebool command to get the current status of the boolean:

[root@wtuto ~]# getsebool named_disable_trans
named_disable_trans --> off

 

Use the following command to disable enforcing mode for this daemon:

[root@wtuto ~]# setsebool named_disable_trans 1 
[root@wtuto ~]# getsebool named_disable_trans
named_disable_trans --> on

 

Note

This sets the runtime value only. Use the -P option to make the change persistent across reboots.
Any *_disable_trans booleans that are set to "on" invoke the conditional that prevents the process from transitioning to the domain on execution.

 

Use the following command to find which of these booleans are set:

getsebool -a | grep 'disable.*on'
httpd_disable_trans=1 
mysqld_disable_trans=1
ntpd_disable_trans=1
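
The two checks described above (runtime mode versus boot-time mode, and which *_disable_trans booleans are on) can be scripted for auditing. The following is an added example, not part of the original tutorial; the function names and the sample text are constructed, and the parser accepts both the "name --> on" and "name=1" output forms shown on this page.

```shell
#!/bin/sh
# Added example: audit helpers for the command outputs shown on this page.
# Function names and sample text are constructed for illustration.

# Read `sestatus` output on stdin and report whether the runtime mode
# differs from the mode that will be applied at the next boot.
selinux_mode_drift() {
    awk -F': *' '
        { sub(/[ \t\r]+$/, "") }                 # trim trailing whitespace
        /^Current mode:/          { run = $2 }
        /^Mode from config file:/ { cfg = $2 }
        END {
            if (run == "" || cfg == "") {
                print "runtime=unknown config=unknown drift=unknown"; exit 2
            }
            printf "runtime=%s config=%s drift=%s\n", run, cfg, (run == cfg ? "no" : "yes")
        }'
}

# Read `getsebool -a` output on stdin and print, sorted, the names of the
# *_disable_trans booleans that are on (daemons not confined by policy).
disabled_trans_on() {
    awk '
        { sub(/[ \t\r]+$/, "") }
        /^[A-Za-z0-9_]+_disable_trans( --> on|=1)$/ {
            sub(/( --> on|=1)$/, ""); print
        }' | sort
}

# Constructed sample input (not captured from a real host).
SAMPLE_SESTATUS='SELinux status:                 enabled
Current mode:                   enforcing
Mode from config file:          permissive'

SAMPLE_BOOLEANS='allow_ypbind --> off
httpd_disable_trans --> on
mysqld_disable_trans=1
named_disable_trans --> off
ntpd_disable_trans --> on'

# Demo on the samples; on a real host, pipe in `sestatus` and `getsebool -a`.
printf '%s\n' "$SAMPLE_SESTATUS" | selinux_mode_drift
printf '%s\n' "$SAMPLE_BOOLEANS" | disabled_trans_on
```

A drift=yes result means the mode set with setenforce will revert at the next boot; any name printed by the second function is a daemon currently running outside its SELinux domain.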

 

You can set any number of boolean values using the setsebool command:

setsebool -P httpd_disable_trans=1 mysqld_disable_trans=1 ntpd_disable_trans=1 

 

You can also use togglesebool <boolean_name> to change the value of a specific boolean:

[root@wtuto ~]# getsebool httpd_disable_trans 
httpd_disable_trans --> off
[root@wtuto ~]# togglesebool httpd_disable_trans 
httpd_disable_trans: active

You can configure all of these settings using system-config-selinux.
The same configuration files are used, so changes appear bidirectionally.