Quick Tip: Easily Set SELinux Enforcement Levels in CentOS 6

This post, like any other dealing with altering a security mechanism, should (and will) begin with a warning to NOT do this in a production environment. Obligatory bold warning text:
SELinux is a major security component in any RHEL-based Linux distribution and should never be disabled in a production environment without extensive consideration and forethought, as doing so can seriously compromise system security. It’s best practice to work with an application vendor to ensure the application works with SELinux if it’s going to be placed in production. Now we return to the regularly scheduled blog post.

SELinux is a very robust security mechanism found in CentOS Linux 6 and other RHEL-based Linux distributions, but it sometimes causes strange behavior when installing new software or making extensive configuration changes. As such, it’s often useful to quickly switch between SELinux enforcement levels to test a software installation or system configuration change. SELinux has three enforcement levels:

▪   Enforcing – Just as the name implies, this enforcement level enforces security and access policies around both files and processes.

▪   Permissive – This enforcement level allows operations that would otherwise be blocked by SELinux security policies and logs a message to /var/log/audit/audit.log indicating which operations would have been blocked. It is important to note that the mechanism that labels files and processes according to SELinux policies is still active in this enforcement mode.

▪   Disabled – This enforcement mode completely disables SELinux, permitting all operations and disabling logging and file/process labeling.

Now that we know a bit about the various enforcement levels, let’s discuss how to quickly switch between them. Before switching to another SELinux enforcement level, it helps to know which enforcement level the system is currently running under. To determine the current SELinux enforcement level, run the following command:

[code language="bash"]cat /selinux/enforce[/code]

The output of this command will be a 0 or 1 with 0 indicating SELinux is currently operating in Permissive mode and 1 indicating Enforcing mode. To quickly switch between enforcement levels you can use the setenforce command with the desired enforcement level indicated by a 0 or 1. In the following example the SELinux enforcement policy is set to Permissive using the setenforce command:

[code language="bash"]setenforce 0[/code]

You’ll notice that we haven’t discussed how to completely disable SELinux. That’s because you must edit the /etc/selinux/config file to completely disable SELinux and cannot do so via the setenforce command, so that particular operation is outside the scope of this brief tutorial.
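The check above and the Permissive-mode logging can be combined into a short review step after a test run. The following is an added example, not part of the original post: the function names and the sample audit records are constructed for illustration, and it assumes that a missing /selinux/enforce file means SELinux is disabled.

```sh
#!/bin/sh
# Added example, not from the original post. Sample log lines are constructed.

# Print the current mode from the enforce file (default: CentOS 6 path).
selinux_mode() {
    f="${1:-/selinux/enforce}"
    # Assumption: a missing file means selinuxfs is not mounted (SELinux disabled).
    [ -r "$f" ] || { echo disabled; return 0; }
    case "$(cat "$f")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown; return 1 ;;
    esac
}

# Summarise AVC denials as "count comm permissions tclass", most frequent first.
# Reads the file given as $1, or stdin when called without arguments.
avc_summary() {
    awk '/^type=AVC / && /avc: +denied/ {
        comm = "?"; perm = ""; tclass = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "{")
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : ",") $j
            if ($i ~ /^comm=/)   { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^tclass=/) { tclass = $i; sub(/^tclass=/, "", tclass) }
        }
        n[comm " " perm " " tclass]++
    }
    END { for (k in n) print n[k], k }' "$@" | sort -k1,1nr -k2
}

# Constructed audit.log excerpt in the CentOS 6 record format.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1400000000.101:201): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=dm-0 ino=1001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1400000000.101:201): arch=c000003e syscall=2 success=yes exit=3 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1400000005.332:207): avc:  denied  { read } for  pid=2102 comm="httpd" name="about.html" dev=dm-0 ino=1002 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1400000009.870:215): avc:  denied  { name_bind } for  pid=2230 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
EOF
}

echo "mode: $(selinux_mode)"
sample_audit_log | avc_summary
```

On a real system, run `avc_summary /var/log/audit/audit.log` as root after the Permissive-mode test, then return to Enforcing with `setenforce 1` once the denials have been reviewed.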
