CentOS 7 - How to use SELinux
A quick guide on how to use SELinux with CentOS 7.
Confirm the current status of SELinux as follows. The default mode is "Enforcing":
# display the current mode
getenforce

# enforcing  ⇒ SELinux is enabled and the policy is enforced (default)
# permissive ⇒ SELinux is enabled, but nothing is denied; policy violations are only recorded in the audit log
# disabled   ⇒ SELinux is disabled (no policy is loaded)

# the mode is also shown by this command ("Current mode" line)
sestatus
It's possible to switch the current mode between permissive ⇐⇒ enforcing with the setenforce command, but the change is lost when the system is restarted. setenforce cannot switch to or from "disabled"; that requires editing the configuration file and a reboot.
# switch to "Permissive" with "setenforce 0"
setenforce 0
getenforce

# switch to "Enforcing" with "setenforce 1"
setenforce 1
getenforce
If you'd like to change the operating mode permanently, change the value in the configuration file /etc/selinux/config.
# /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# change the value to the one you'd like to set
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

# restart to apply the change
reboot
If you change the operating mode from "disabled" to "enforcing" or "permissive", the filesystem has to be relabeled with SELinux contexts: files and directories created while SELinux was disabled carry no (or stale) contexts, so they must be labeled before the policy can be applied to them. The relabel runs during the next boot and can take a while on a large filesystem.
# request a relabel as follows; it will be done on the next system restart
touch /.autorelabel
reboot
Add / remove a port with semanage (see man semanage-port)
# semanage is provided by the policycoreutils-python package
yum provides /usr/sbin/semanage
yum -y install policycoreutils-python

# see which ports a type is allowed to use (example with ssh)
semanage port -l | grep ssh

# allow sshd to listen on an additional port (ex. 2289)
semanage port -a -t ssh_port_t -p tcp 2289

# disallow listening on that port again (ex. 2289)
semanage port -d -t ssh_port_t -p tcp 2289
Notes: "semanage port -a" fails with "already defined" if the port is already assigned to another type; use "-m" to move it instead. "semanage port -d" only removes definitions that were added locally, not the ones built into the policy (port 22 in ssh_port_t cannot be deleted this way). Labeling the port does not by itself make sshd listen on it; the Port setting in /etc/ssh/sshd_config and the firewall still have to be changed.
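The mode-switching and relabel steps above (setenforce, /etc/selinux/config, /.autorelabel) and the semanage port procedure, as an added example that is not part of the original guide: POSIX shell helpers that work out the commands from the current state instead of running them blind. The `semanage port -l` excerpt and the config contents are constructed samples, so the script runs on a machine without SELinux tools; the function names are my own, and nothing here executes semanage, setenforce or reboot, it only prints what it would run.

```shell
#!/bin/sh
# Added example, not from the original guide: pre-flight helpers for the
# SELinux procedures above. The sample data below is constructed.

# Constructed excerpt of `semanage port -l` on a stock CentOS 7 system.
SAMPLE_PORT_LIST='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767, 61001-65535'

# Constructed /etc/selinux/config contents (comment lines kept on purpose).
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
SELINUX=enforcing
SELINUXTYPE=targeted'

# config_mode <config-text>: print the SELINUX= value, ignoring comment lines.
config_mode() {
  printf '%s\n' "$1" | sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' | head -n 1
}

# port_owner <port-list-text> <proto> <port>: print the type that has <port>
# as an explicit entry, or nothing. Only exact entries count: a port that
# merely falls inside a range such as unreserved_port_t 1024-32767 is not
# "already defined" as far as `semanage port -a` is concerned.
port_owner() {
  printf '%s\n' "$1" | awk -v pr="$2" -v p="$3" '
    $2 == pr {
      for (i = 3; i <= NF; i++) {
        v = $i
        sub(/,$/, "", v)
        if (v == p) { print $1; exit }
      }
    }'
}

# semanage_port_cmd <port-list-text> <type> <proto> <port>: print the
# semanage command that assigns <port> to <type>:
#   -a when the port has no explicit entry,
#   -m when another type already owns it (-a would fail with "already defined"),
#   nothing when it is already assigned to <type>.
semanage_port_cmd() {
  owner=$(port_owner "$1" "$3" "$4")
  if [ "$owner" = "$2" ]; then
    return 0
  elif [ -n "$owner" ]; then
    printf 'semanage port -m -t %s -p %s %s\n' "$2" "$3" "$4"
  else
    printf 'semanage port -a -t %s -p %s %s\n' "$2" "$3" "$4"
  fi
}

# mode_change_plan <config-text> <new-mode>: print, one per line, the steps
# that move the system from the configured mode to <new-mode>, following the
# guide: enforcing/permissive can be switched live with setenforce and made
# persistent in the config; leaving "disabled" needs a relabel and a reboot;
# entering "disabled" needs a reboot.
mode_change_plan() {
  new=$2
  cur=$(config_mode "$1")
  case $new in
    enforcing|permissive|disabled) ;;
    *) printf 'unknown mode: %s\n' "$new" >&2; return 1 ;;
  esac
  [ "$cur" = "$new" ] && return 0
  printf 'sed -i "s/^SELINUX=.*/SELINUX=%s/" /etc/selinux/config\n' "$new"
  if [ "$cur" = disabled ]; then
    printf 'touch /.autorelabel\nreboot\n'
  elif [ "$new" = disabled ]; then
    printf 'reboot\n'
  elif [ "$new" = enforcing ]; then
    printf 'setenforce 1\n'
  else
    printf 'setenforce 0\n'
  fi
}

# Example run against the constructed data.
printf 'current mode: %s\n' "$(config_mode "$SAMPLE_CONFIG")"
semanage_port_cmd "$SAMPLE_PORT_LIST" ssh_port_t tcp 2289
semanage_port_cmd "$SAMPLE_PORT_LIST" ssh_port_t tcp 8080
mode_change_plan "$SAMPLE_CONFIG" permissive
```

On a real host, replace the two sample variables with `"$(semanage port -l)"` and `"$(cat /etc/selinux/config)"`. The point of `port_owner` is the difference between a port that sits inside a catch-all range (2289 in unreserved_port_t, which `-a` happily takes) and one that is an explicit entry of another type (8080 in http_cache_port_t, which needs `-m`); mixing those up is the usual cause of the "already defined" error.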