Enabling SELinux

When enabled, SELinux can run in one of two modes: enforcing or permissive. The following sections show how to switch to these modes permanently.

When enabling SELinux on a system that previously had it disabled, follow this procedure to avoid problems such as a system that cannot boot or process failures.

Prerequisites

The [package]`selinux-policy-targeted`, [package]`selinux-policy`, [package]`libselinux-utils`, and [package]`grubby` packages are installed. To check that a particular package is installed:

$ *rpm -q _package_name_*

Procedure

If your system has SELinux disabled at the kernel level (this is the recommended way, see xref:{context}-disabling-selinux[]), change this first. Check if you have the `selinux=0` option in your kernel command line:

$ *cat /proc/cmdline*
BOOT_IMAGE=... ... selinux=0

Remove the `selinux=0` option from the bootloader configuration using [command]`grubby`:

$ *sudo grubby --update-kernel ALL --remove-args selinux*

The change applies after you restart the system in one of the following steps.

Ensure the file system is relabeled on the next boot:

$ *sudo fixfiles onboot*

Enable SELinux in permissive mode. For more information, see xref:{context}-changing-to-permissive-mode[].

Restart your system:

$ *reboot*

Check for SELinux denial messages:

$ *sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent*

If there are no denials, switch to enforcing mode. For more information, see xref:{context}-changing-to-enforcing-mode[].
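The following check is an added example, not part of the original procedure or of any SELinux package. It verifies the three preparatory steps before the restart, so that the first boot is permissive and relabels the file system. The function names are hypothetical, and it assumes details that are not on this page: saved `grubby --info=ALL` output, the `SELINUX=` setting in `/etc/selinux/config`, and the `/.autorelabel` marker that `fixfiles onboot` creates.

```shell
#!/bin/sh
# Added example: pre-reboot check for the enabling procedure.
# Inputs are passed as paths so the logic also runs on constructed files.

# True if any boot entry in saved `grubby --info=ALL` output ($1) keeps selinux=0.
boot_entries_disable_selinux() {
    grep '^args=' "$1" | tr -d '"' | sed 's/^args=//' | tr ' ' '\n' \
        | grep -qx 'selinux=0'
}

# Print the effective SELINUX= value from config file $1, or "unset".
# Comment lines and SELINUXTYPE= are ignored; the last assignment wins.
configured_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" \
        | tail -n 1)
    echo "${mode:-unset}"
}

# pre_reboot_check GRUBBY_INFO CONFIG RELABEL_MARKER
# Prints one line per problem; returns 0 only if the restart can proceed.
pre_reboot_check() {
    problems=0
    if boot_entries_disable_selinux "$1"; then
        echo "boot entry still has selinux=0: run grubby --remove-args selinux"
        problems=$((problems + 1))
    fi
    if [ ! -e "$3" ]; then
        echo "no relabel marker: run fixfiles onboot"
        problems=$((problems + 1))
    fi
    mode=$(configured_mode "$2")
    if [ "$mode" != "permissive" ]; then
        echo "SELINUX=$mode in config: the first boot should be permissive"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Live usage (as root on the target host):
#   grubby --info=ALL > /tmp/grubby.info
#   pre_reboot_check /tmp/grubby.info /etc/selinux/config /.autorelabel
```

A non-zero return means at least one preparatory step is still pending; each printed line names the command from the procedure that addresses it.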