Security Enhanced Linux
Is SELinux "enforcing"...
getenforce
More info...
sestatus
What will mode be after reboot...
grep ^SELINUX= /etc/selinux/config
To see SELinux attributes of a file...
ls -hlZa myfile
The semanage utility is often not installed by default. On RHEL/CentOS 8 and later it ships in policycoreutils-python-utils (on 7 the package was called policycoreutils-python). To install use...
yum install policycoreutils-python-utils
SELinux is enabled by default in Red Hat Enterprise Linux, CentOS and Oracle Linux (among others). It runs in one of three modes...
Enforcing
Permissive
Disabled
To change mode to "enforcing"...
setenforce 1
To make the change permanent (i.e. survive a reboot) use one of these (dependent on the current mode)...
sed -i 's/SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config
sed -i 's/SELINUX=disabled/SELINUX=enforcing/' /etc/selinux/config
Changing from disabled to any other mode will need a reboot. Files created or changed while SELinux was disabled carry no labels, so touch /.autorelabel before rebooting to force a full relabel on the way back up, and go via permissive rather than straight to enforcing, because an unlabelled system booted into enforcing can be unusable. setenforce only works while SELinux is enabled; it fails when the running mode is disabled.
To change mode to "permissive"...
setenforce 0
To make the change permanent (i.e. survive a reboot) use one of these (dependent on the current mode)...
sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
sed -i 's/SELINUX=disabled/SELINUX=permissive/' /etc/selinux/config
Changing from disabled to any other mode will need a reboot (with the same relabel caveat as above). Permissive mode still logs every denial to the audit log, which makes it the right mode for finding out what enforcing would block.
To permanently disable (i.e. survive a reboot) SELinux, use one of these (dependent on the current mode)...
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
sed -i 's/SELINUX=permissive/SELINUX=disabled/' /etc/selinux/config
Changing from any mode to "disabled" will need a reboot. Disabling should be a last resort: permissive already stops SELinux from blocking anything while keeping the audit trail. On RHEL 9 and later the documented way to disable SELinux is the kernel parameter selinux=0 (for example with grubby --update-kernel ALL --args selinux=0) rather than SELINUX=disabled in the config file.
The command below can be useful for diagnosing permission errors related to SELinux. -a reads /var/log/audit/audit.log directly (so there is no need to cat the file into it) and -w explains why each access was denied...
audit2allow -w -a
Do not turn denials into policy blindly (audit2allow -M followed by semodule -i). Most denials come from a mislabelled file (fixed with restorecon), a non-standard port (semanage port) or a disabled boolean, and an allow rule generated from the log grants that access permanently to every process in the domain.
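The three mode-change procedures above, folded into one shell function. This is an added example and not part of the original page: it assumes GNU sed (as the page's own sed -i lines do), and the config file and the /.autorelabel flag path are parameters so it can be tried on a copy of /etc/selinux/config instead of the live file. A single anchored substitution replaces the per-mode sed lines, and the function decides itself whether the change needs a reboot and a relabel or can be applied live with setenforce.

```shell
#!/bin/sh
# Added example: persist an SELinux mode change from any starting mode.
# Assumes GNU sed (for -i). The config file and the autorelabel flag path are
# parameters so the function can be exercised on a copy of the real config.

# Does moving from mode $1 to mode $2 require a reboot? (0 = yes, 1 = no)
# Only transitions into or out of "disabled" need one; enforcing <-> permissive
# can be applied live with setenforce.
selinux_reboot_needed() {
    [ "$1" = "$2" ] && return 1
    [ "$1" = disabled ] || [ "$2" = disabled ]
}

# Print the mode configured for the next boot (the SELINUX= line of the
# config file); prints nothing and returns 1 if the file has no such line.
selinux_configured_mode() {
    cfg="${1:-/etc/selinux/config}"
    mode=$(sed -n 's/^SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$cfg" | head -n 1)
    [ -n "$mode" ] && echo "$mode"
}

# Usage: selinux_set_persistent_mode <enforcing|permissive|disabled> [config] [autorelabel-flag]
# Writes the new mode, creates the autorelabel flag when leaving "disabled"
# (files written while SELinux was off carry no labels) and applies the change
# live with setenforce when no reboot is needed.
selinux_set_persistent_mode() {
    target=$1
    cfg="${2:-/etc/selinux/config}"
    flag="${3:-/.autorelabel}"

    case "$target" in
        enforcing|permissive|disabled) ;;
        *) echo "unknown mode: $target (expected enforcing, permissive or disabled)" >&2; return 1 ;;
    esac
    [ -f "$cfg" ] || { echo "config not found: $cfg" >&2; return 1; }

    current=$(selinux_configured_mode "$cfg") || current=""

    if [ -z "$current" ]; then
        # No SELINUX= line at all: append one rather than silently doing nothing,
        # which is what a substitution on a missing line would do. Treat the old
        # state as disabled so the safe path (reboot + relabel) is taken.
        printf 'SELINUX=%s\n' "$target" >> "$cfg"
        current=disabled
    else
        # Anchored to the start of the line so comments mentioning the modes are
        # untouched, and matching any current value so one command covers all
        # starting modes.
        sed -i "s/^SELINUX=.*/SELINUX=$target/" "$cfg"
    fi

    if selinux_reboot_needed "$current" "$target"; then
        if [ "$current" = disabled ]; then
            touch "$flag"
            echo "SELINUX=$target written to $cfg; relabel flag $flag created, reboot required"
            [ "$target" = enforcing ] && echo "warning: consider going via permissive first, the system has been running unlabelled" >&2
        else
            echo "SELINUX=$target written to $cfg; reboot required"
        fi
        return 0
    fi

    # enforcing <-> permissive (or no change): apply immediately when SELinux is
    # actually running; setenforce fails when the live mode is Disabled.
    if command -v setenforce >/dev/null 2>&1 && [ "$(getenforce 2>/dev/null)" != Disabled ]; then
        if [ "$target" = enforcing ]; then
            setenforce 1 || echo "setenforce 1 failed (root required?)" >&2
        else
            setenforce 0 || echo "setenforce 0 failed (root required?)" >&2
        fi
    fi
    echo "SELINUX=$target written to $cfg; no reboot required"
}
```

Run it as root with only the mode argument to act on the real config; pass a copy of /etc/selinux/config as the second argument to see what it would do first.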
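Before handing the audit log to audit2allow it helps to see what is actually being denied, and how often. The function below is an added example, not the page's own: it reads audit.log records on stdin (the same format ausearch -m avc prints) and summarises each distinct denial by source type, object class, permission, target type, command and the permissive flag. The sample records it runs on are constructed for the example, not taken from a real host.

```shell
#!/bin/sh
# Added example: summarise AVC denials before deciding whether the fix is a
# label (restorecon), a port (semanage port), a boolean (setsebool) or a custom
# module (audit2allow -M). Reads audit.log-format records on stdin.

# Print one line per distinct denial:
#   <count> <source type> <class> <permission(s)> <target type> <comm> <permissive flag>
# sorted by count, most frequent first. Several permissions in one record
# ({ read open }) are joined with commas.
avc_summary() {
    awk '
    # The type is the third colon-separated field of a context
    # (user:role:type:level); contexts with MCS categories have more fields.
    function type_of(ctx,   parts, n) {
        n = split(ctx, parts, ":")
        return (n >= 3) ? parts[3] : ctx
    }
    /avc:[[:space:]]+denied/ {
        perm = "?"
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
            gsub(/ +/, ",", perm)
        }
        src = tgt = cls = comm = mode = "?"
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") != 2) continue
            if (kv[1] == "scontext")        src  = type_of(kv[2])
            else if (kv[1] == "tcontext")   tgt  = type_of(kv[2])
            else if (kv[1] == "tclass")     cls  = kv[2]
            else if (kv[1] == "comm")       { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "permissive") mode = kv[2]
        }
        count[src " " cls " " perm " " tgt " " comm " " mode]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample records in audit.log format (not from a real system):
# two httpd writes into a home directory, one unrelated SYSCALL record that
# must be ignored, and mysqld binding an unreserved port.
avc_sample() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=2101 comm="httpd" name="upload.tmp" dev="dm-0" ino=4401 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000000.102:202): avc:  denied  { write } for  pid=2101 comm="httpd" name="upload2.tmp" dev="dm-0" ino=4402 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.305:203): avc:  denied  { name_bind } for  pid=2233 comm="mysqld" src=6446 scontext=system_u:system_r:mysqld_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# Demo on the constructed sample. On a real host use:
#   ausearch -m avc -ts recent | avc_summary
avc_sample | avc_summary
```

In the sample the second line (mysqld_t name_bind on unreserved_port_t) is exactly the case the semanage port example further down fixes; the httpd lines point at a label or boolean problem, not a missing policy rule.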
Login mappings between Linux users and SELinux confined users (managed with the semanage login subcommand)
SELinux confined users, i.e. the roles and MLS/MCS levels an SELinux user may use (managed with the semanage user subcommand)
Network port type definitions
semanage port -l
semanage port -l | grep mysql
semanage port -a -t mysqld_port_t -p tcp 6446
semanage port -d -t mysqld_port_t -p tcp 6446
-a fails with "already defined" when the port is already assigned to a type (a single port or a range that contains it); use -m to change the existing assignment instead. -d only removes local definitions, not ports defined by the base policy.
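An idempotent wrapper around the two commands above. This is an added example, not part of the original page: it assumes the semanage port -l output format (type, protocol, then comma-separated ports and low-high ranges), and the listing it is demonstrated on is constructed rather than taken from a real host. The parser is what makes the wrapper safe, because it checks ranges numerically instead of grepping for the port number as text.

```shell
#!/bin/sh
# Added example: make "semanage port -a" idempotent. Assumes the
# `semanage port -l` output format (type, protocol, comma-separated ports and
# low-high ranges). The listing below is constructed, not from a real host.

# Print every type that owns <proto>/<port> in a `semanage port -l` listing
# read from stdin, one per line; prints nothing if the port is unassigned.
# Ranges such as 63132-63164 are checked numerically, so a plain grep for
# the port number would miss them.
selinux_port_owner() {
    awk -v proto="$1" -v port="$2" '
    $2 == proto {                 # the header line has "Proto" here, so it is skipped
        for (i = 3; i <= NF; i++) {
            p = $i
            sub(/,$/, "", p)      # strip the separating comma
            if (split(p, r, "-") == 2) {
                if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) print $1
            } else if (p + 0 == port + 0) {
                print $1
            }
        }
    }'
}

# Constructed listing in `semanage port -l` format.
port_sample() {
    cat <<'EOF'
SELinux Port Type              Proto    Port Number
ephemeral_port_t               tcp      32768-60999
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mysqld_port_t                  tcp      1186, 3306, 63132-63164
mysqlmanagerd_port_t           tcp      2273
EOF
}

# Usage: selinux_ensure_port <type> <proto> <port>
# Adds the port with -a when it is unassigned, switches it with -m when another
# type already owns it (where -a would fail with "already defined"), and does
# nothing when it is already labelled as requested. Needs root and semanage.
selinux_ensure_port() {
    type=$1; proto=$2; port=$3
    owners=$(semanage port -l | selinux_port_owner "$proto" "$port")
    if printf '%s\n' "$owners" | grep -qx "$type"; then
        echo "$proto/$port already $type"
    elif [ -z "$owners" ]; then
        semanage port -a -t "$type" -p "$proto" "$port"
    else
        echo "$proto/$port currently $(printf '%s' "$owners" | tr '\n' ' '); modifying"
        semanage port -m -t "$type" -p "$proto" "$port"
    fi
}

# Demo on the constructed listing: tcp/6446 from the page is not assigned, so
# selinux_ensure_port would take the -a branch for it.
port_sample | selinux_port_owner tcp 6446 | grep -q . || echo "tcp/6446 is unassigned; semanage port -a would succeed"
```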
File context mapping definitions
semanage fcontext -l
semanage fcontext -l | grep mysql
The example below adds hidden files whose names start with ".aaa" to the file context mapping definitions. The argument is a regular expression, not a shell glob: an unescaped "." would match any character, so the dot is escaped. The optional group means the pattern also matches /var/lib/mysql itself, which the default policy already labels mysqld_db_t...
semanage fcontext -a -t mysqld_db_t '/var/lib/mysql(/\.aaa.*)?'
restorecon -v /var/lib/mysql/.aaa*
restorecon restores the default SELinux security contexts for a file (add -R to recurse into a directory). The -v flag shows the changes. semanage fcontext only records the mapping; nothing on disk changes until restorecon is run, and matchpathcon shows which context a given path will receive.
Booleans to selectively enable functionality