Enabling and Disabling SELinux

Use the getenforce or sestatus commands to check the status of SELinux. The getenforce command returns Enforcing, Permissive, or Disabled.
The sestatus command returns the SELinux status and the SELinux policy being used:

~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

⁠5.4.1. Enabling SELinux

Important

If the system was initially installed without SELinux, particularly the selinux-policy package, which was added to the system later, one additional step is necessary to enable SELinux. To make sure SELinux is initialized during system startup, the dracut utility has to be run to put SELinux awareness into the initramfs file system. Failing to do so causes SELinux not to start during system startup.
On systems with SELinux disabled, the SELINUX=disabled option is configured in /etc/selinux/config:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
Also, the getenforce command returns Disabled:
~]$ getenforce
Disabled
To enable SELinux:
  1. Use the rpm -qa | grep selinux, rpm -q policycoreutils, and rpm -qa | grep setroubleshootcommands to confirm that the SELinux packages are installed. This guide assumes the following packages are installed: selinux-policy-targeted, selinux-policy, libselinux, libselinux-python, libselinux-utils,policycoreutils, policycoreutils-python, setroubleshoot, setroubleshoot-server, setroubleshoot-plugins. If these packages are not installed, as the Linux root user, install them via the yum install package-namecommand. The following packages are optional: policycoreutils-gui, setroubleshoot, and mcstrans.
  2. Before SELinux is enabled, each file on the file system must be labeled with an SELinux context. Before this happens, confined domains may be denied access, preventing your system from booting correctly. To prevent this, configure SELINUX=permissive in /etc/selinux/config:
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - No SELinux policy is loaded.
    SELINUX=permissive
    # SELINUXTYPE= can take one of these two values:
    #       targeted - Targeted processes are protected,
    #       mls - Multi Level Security protection.
    SELINUXTYPE=targeted
    
  3. As the Linux root user, run the reboot command to restart the system. During the next boot, file systems are labeled. The label process labels all files with an SELinux context:
    *** Warning -- SELinux targeted policy relabel is required.
    *** Relabeling could take a very long time, depending on file
    *** system size and speed of hard drives.
    ****
    
    Each * (asterisk) character on the bottom line represents 1000 files that have been labeled. In the above example, four * characters represent 4000 files have been labeled. The time it takes to label all files depends upon the number of files on the system, and the speed of the hard disk drives. On modern systems, this process can take as little as 10 minutes.
  4. In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied if running in enforcing mode. Before changing to enforcing mode, as the Linux root user, run the grep "SELinux is preventing" /var/log/messages command to confirm that SELinux did not deny actions during the last boot. If SELinux did not deny actions during the last boot, this command does not return any output. Refer to Chapter 8, Troubleshooting for troubleshooting information if SELinux denied access during boot.
  5. If there were no denial messages in /var/log/messages, configure SELINUX=enforcing in /etc/selinux/config:
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - No SELinux policy is loaded.
    SELINUX=enforcing
    # SELINUXTYPE= can take one of these two values:
    #       targeted - Targeted processes are protected,
    #       mls - Multi Level Security protection.
    SELINUXTYPE=targeted
    
  6. Reboot your system. After reboot, confirm that getenforce returns Enforcing:
    ~]$ getenforce
    Enforcing
    
  7. As the Linux root user, run the semanage login -l command to view the mapping between SELinux and Linux users. The output should be as follows:
    Login Name                SELinux User              MLS/MCS Range
    
    __default__               unconfined_u              s0-s0:c0.c1023
    root                      unconfined_u              s0-s0:c0.c1023
    system_u                  system_u                  s0-s0:c0.c1023
    
If this is not the case, run the following commands as the Linux root user to fix the user mappings. It is safe to ignore the SELinux-user username is already defined warnings if they occur, where username can be unconfined_u, guest_u, or xguest_u:
  1. semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
  2. semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__
  3. semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root
  4. semanage user -a -S targeted -P user -R guest_r guest_u
  5. semanage user -a -S targeted -P user -R xguest_r xguest_u

Important

When systems run with SELinux in permissive or disabled mode, users have permission to label files incorrectly. Also, files created while SELinux is disabled are not labeled. This causes problems when changing to enforcing mode. To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from disabled mode to permissive or enforcing mode.

RHEL 6: semanage SELinux Command Not Found

by on MAY 13, 2011 · 14 COMMENTS· LAST UPDATED MAY 13, 2011

in

I‘m trying to use semanage command to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources under RHEL 6 server. But, I’m not able to find out this command and/or package name. How do I install semanage command under RedHat Enterprise Linux?

You need to use the yum command to find out which package provides file called /usr/sbin/semanage. Type the following command:
# yum provides /usr/sbin/semanage
OR
# yum whatprovides /usr/sbin/semanage
Sample outputs:

Loaded plugins: rhnplugin
policycoreutils-python-2.0.83-19.8.el6_0.x86_64 : SELinux policy core python utilities
Repo        : rhel-x86_64-server-6
Matched from:
Filename    : /usr/sbin/semanage
policycoreutils-python-2.0.83-19.1.el6.x86_64 : SELinux policy core python utilities
Repo        : rhel-x86_64-server-6
Matched from:
Filename    : /usr/sbin/semanage

Type the following command to install the same, enter:
# yum -y install policycoreutils-python
Sample outputs:

=============================================================================================================================================================================================================================================
Installing:
 policycoreutils-python                                         x86_64                                         2.0.83-19.8.el6_0                                          rhel-x86_64-server-6                                         334 k
Installing for dependencies:
 audit-libs-python                                              x86_64                                         2.0.4-1.el6                                                rhel-x86_64-server-6                                          56 k
 libselinux-python                                              x86_64                                         2.0.94-2.el6                                               rhel-x86_64-server-6                                         201 k
 libsemanage-python                                             x86_64                                         2.0.43-4.el6                                               rhel-x86_64-server-6                                          81 k
 setools-libs                                                   x86_64                                         3.3.7-4.el6                                                rhel-x86_64-server-6                                         400 k
 setools-libs-python                                            x86_64                                         3.3.7-4.el6                                                rhel-x86_64-server-6                                         222 k
Transaction Summary
=============================================================================================================================================================================================================================================
Install       6 Package(s)
Upgrade       0 Package(s)
Total download size: 1.3 M
Installed size: 0
Is this ok [y/N]: y
Downloading Packages:
(1/6): audit-libs-python-2.0.4-1.el6.x86_64.rpm                                                                                                                                                                       |  56 kB     00:00
(2/6): libselinux-python-2.0.94-2.el6.x86_64.rpm                                                                                                                                                                      | 201 kB     00:00
(3/6): libsemanage-python-2.0.43-4.el6.x86_64.rpm                                                                                                                                                                     |  81 kB     00:00
(4/6): policycoreutils-python-2.0.83-19.8.el6_0.x86_64.rpm                                                                                                                                                            | 334 kB     00:00
(5/6): setools-libs-3.3.7-4.el6.x86_64.rpm                                                                                                                                                                            | 400 kB     00:00
(6/6): setools-libs-python-3.3.7-4.el6.x86_64.rpm                                                                                                                                                                     | 222 kB     00:00
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                                        1.7 MB/s | 1.3 MB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : setools-libs-3.3.7-4.el6.x86_64                                                                                                                                                                                       1/6
  Installing     : setools-libs-python-3.3.7-4.el6.x86_64                                                                                                                                                                                2/6
  Installing     : libsemanage-python-2.0.43-4.el6.x86_64                                                                                                                                                                                3/6
  Installing     : audit-libs-python-2.0.4-1.el6.x86_64                                                                                                                                                                                  4/6
  Installing     : libselinux-python-2.0.94-2.el6.x86_64                                                                                                                                                                                 5/6
  Installing     : policycoreutils-python-2.0.83-19.8.el6_0.x86_64                                                                                                                                                                       6/6
Installed:
  policycoreutils-python.x86_64 0:2.0.83-19.8.el6_0
Dependency Installed:
  audit-libs-python.x86_64 0:2.0.4-1.el6         libselinux-python.x86_64 0:2.0.94-2.el6         libsemanage-python.x86_64 0:2.0.43-4.el6         setools-libs.x86_64 0:3.3.7-4.el6         setools-libs-python.x86_64 0:3.3.7-4.el6
Complete!

Now you can use semanage command:
# semanage
Sample outputs:

/usr/sbin/semanage:
semanage [ -S store ] -i [ input_file | - ]
semanage [ -S store ] -o [ output_file | - ]
semanage {boolean|login|user|port|interface|module|node|fcontext} -{l|D|E} [-n]
semanage login -{a|d|m} [-sr] login_name | %groupname
semanage user -{a|d|m} [-LrRP] selinux_name
semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range
semanage interface -{a|d|m} [-tr] interface_spec
semanage module -{a|d|m} [--enable|--disable] module
semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr
semanage fcontext -{a|d|m} [-efrst] file_spec
semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file
semanage permissive -{d|a|l} type
semanage dontaudit [ on | off ]
Primary Options:
	-a, --add        Add a OBJECT record NAME
	-d, --delete     Delete a OBJECT record NAME
	-m, --modify     Modify a OBJECT record NAME
        -i, --input      Input multiple semange commands in a transaction
        -o, --output     Output current customizations as semange commands
	-l, --list       List the OBJECTS
	-E, --extract    extract customizable commands
	-C, --locallist  List OBJECTS local customizations
	-D, --deleteall  Remove all OBJECTS local customizations
	-h, --help       Display this message
	-n, --noheading  Do not print heading when listing OBJECTS
        -S, --store      Select and alternate SELinux store to manage
Object-specific Options (see above):
	-f, --ftype      File Type of OBJECT
		"" (all files)
		-- (regular file)
		-d (directory)
		-c (character device)
		-b (block device)
		-s (socket)
		-l (symbolic link)
		-p (named pipe)
        -F, --file       Treat target as an input file for command, change multiple settings
	-p, --proto      Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6)
	-M, --mask       Netmask
        -e, --equal      Substitue source path for dest path when labeling
	-P, --prefix     Prefix for home directory labeling
	-L, --level      Default SELinux Level (MLS/MCS Systems only)
	-R, --roles      SELinux Roles (ex: "sysadm_r staff_r")
	-s, --seuser     SELinux User Name
	-t, --type       SELinux Type for the object
	-r, --range      MLS/MCS Security Range (MLS/MCS Systems only)
        --enable         Enable a module
        --disable        Disable a module
Requires 2 or more arguments

See also:

You can also view the manual page on semanage using the following command:
$ man semanage

About This Author

I'm a software engineer with many years of experience, open source enthusiast, now I'm creating and contributing to awesome PHP web projects. I love coding as much as learning, and I enjoy trying new languages and patterns. My passion revolves around (but is not limited to) back-end development.

You are not signed in. Sign in to post comments.