Chapter 5. Controlling and Maintaining SELinux
5.2.9. Enable or Disable SELinux
Important
Changes you make to files while SELinux is disabled may give them an unexpected security label,
and new files do not have a label. You may need to relabel part or all of the file system after enabling
SELinux again.
From the command line, you can edit the file /etc/sysconfig/selinux. You'll notice the file is
a symlink to /etc/selinux/config. The configuration file is self-explanatory. Changing the value
of SELINUX= or SELINUXTYPE= changes the state of SELinux and the name of the policy to be
used upon the next system boot.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
Using system-config-securitylevel in the SELinux tab, uncheck Enabled (Modification Requires
Reboot), click OK to accept the changes, then reboot. This immediately changes the setting in
/etc/sysconfig/selinux.
5.2.10. Change the Policy
If you are interested in customizing the policy, read Chapter 8 Customizing and Writing Policy. If
you have a different policy that you wish to load on your system, such as a strict or other specialized
policy, you only need to set SELINUXTYPE=policyname, where policyname is the same as the
directory /etc/selinux/policyname. This presumes you have the custom policy installed, which
is also covered in Chapter 8 Customizing and Writing Policy, as well as troubleshooting steps to get
a custom policy working on a different system. After changing the SELINUXTYPE parameter, you
want to touch /.autorelabel and reboot the system.
To use system-config-securitylevel to switch the policy, in the SELinux tab there is a drop down
menu Policy Type:. It is set to targeted and your custom policy appears there as policyname once
the directory structure is in /etc/selinux. Click OK to accept the changes and reboot the system.
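The checks described in Sections 5.2.9 and 5.2.10 can be run against the configuration file before
rebooting. The script below is an added example, not part of the original guide; the function names
conf_value and check_selinux_config are hypothetical, and the demo tree at the end is constructed.

```sh
# Added example: check an SELinux config file before rebooting.
# Defaults are the paths named on this page; both can be overridden.

# Print the last value assigned to KEY ($1) in FILE ($2); comment lines are skipped.
conf_value() {
    sed -n "s/^[[:space:]]*$1=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$2" | tail -n 1
}

# Return 0 if the file is consistent, 1 otherwise; findings go to stdout.
check_selinux_config() {
    conf=${1:-/etc/selinux/config}
    root=${2:-/etc/selinux}
    rc=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 1; }
    mode=$(conf_value SELINUX "$conf")
    ptype=$(conf_value SELINUXTYPE "$conf")

    case $mode in
        enforcing|permissive) echo "OK: SELINUX=$mode" ;;
        disabled)
            echo "WARN: SELINUX=disabled; files changed meanwhile may need relabeling" ;;
        *)
            echo "ERROR: SELINUX='$mode' is not enforcing, permissive or disabled"
            rc=1 ;;
    esac

    # SELINUXTYPE=policyname must match a directory <root>/policyname.
    if [ -z "$ptype" ]; then
        echo "ERROR: SELINUXTYPE is not set"; rc=1
    elif [ ! -d "$root/$ptype" ]; then
        echo "ERROR: SELINUXTYPE=$ptype but $root/$ptype does not exist"; rc=1
    else
        echo "OK: SELINUXTYPE=$ptype matches $root/$ptype"
    fi
    return $rc
}

# Demo on a constructed tree (not a real system): the config asks for a
# policy named "strict" whose directory was never installed.
demo=$(mktemp -d)
mkdir "$demo/targeted"
printf 'SELINUX=enforcing\nSELINUXTYPE=strict\n' > "$demo/config"
check_selinux_config "$demo/config" "$demo" || echo "fix the config before rebooting"
rm -rf "$demo"
```

Called with no arguments, check_selinux_config reads /etc/selinux/config and looks for the policy
directory under /etc/selinux.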
5.2.11. Troubleshoot User Problems With SELinux
This presents a brief methodology for troubleshooting problems that your users might have with
SELinux.
1. Deciphering the denial message is the first step in troubleshooting. Read Section 2.8.1
Understanding an avc: denied Message for how to do that. You might want to use seaudit if there
are a large number of AVC audit messages. You can read more about seaudit in Section 6.2 Using
seaudit for Audit Log Analysis. Here are the questions you want answered:
What is the process that is being blocked? You can find its context from the scontext= portion
of the message.





