Skip to main content

SELinux : Operating Mode

 This is the Basic Usage and Configuration for SELinux (Security-Enhanced Linux).

It's possible to use MAC (Mandatory Access Control) feature on CentOS for various resources by SELinux.

[1]. Confirm the current status of SELinux like follows. (default mode is [Enforcing])

# display current mode

[root@dlp ~]# getenforce

Enforcing

# enforcing   ⇒  SELinux is enabled (default)

# permissive  ⇒  MAC is not enabled, but only records audit logs according to Policies

# disabled    ⇒  SELinux is disabled


# also possible to display with the command ([Current mode] line)

[root@dlp ~]# sestatus

SELinux status:                 enabled

SELinuxfs mount:                /sys/fs/selinux

SELinux root directory:         /etc/selinux

Loaded policy name:             targeted

Current mode:                   enforcing

Mode from config file:          enforcing

Policy MLS status:              enabled

Policy deny_unknown status:     allowed

Memory protection checking:     actual (secure)

Max kernel policy version:      31

[2]. It's possible to switch current mode between [permissive] ⇔ [enforcing] with [setenforce] command.

But if CentOS System is restarted, the mode returns to default.

[root@dlp ~]# getenforce

Enforcing

# switch to [Permissive] with [setenforce 0]

[root@dlp ~]# setenforce 0

[root@dlp ~]# getenforce

Permissive

# switch to [Enforcing] with [setenforce 1]

[root@dlp ~]# setenforce 1

[root@dlp ~]# getenforce

Enforcing

[3]. If you'd like to change Operating Mode permanently, change value in Configuration file.

[root@dlp ~]# vi /etc/selinux/config

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

#     enforcing - SELinux security policy is enforced.

#     permissive - SELinux prints warnings instead of enforcing.

#     disabled - No SELinux policy is loaded.

# change value you'd like to set

SELINUX=enforcing

# SELINUXTYPE= can take one of these three values:

#     targeted - Targeted processes are protected,

#     minimum - Modification of targeted policy. Only selected processes are protected.

#     mls - Multi Level Security protection.

SELINUXTYPE=targeted


# restart to apply change

[root@dlp ~]# reboot

[4]. If you change the Operating Mode from [Disabled] to [Enforcing/Permissive], it needs to re-label filesystem with SELinux Contexts. Because when some files or directories are created in [Disabled] mode, they are not labeled with SELinux Contexts, it needs to label to them, too.

# set re-labeling like follows, then it will be set on next system booting

[root@dlp ~]# touch /.autorelabel

[root@dlp ~]# reboot

Comments

Popular posts from this blog

Lambda Function with Amazon SNS

  Amazon SNS is a service used for push notification. In this chapter, we will explain working of AWS Lambda and Amazon SNS with the help of an example where will perform the following actions − Create Topic in SNS Service and use AWS Lambda Add Topics to CloudWatch Send SNS text message on phone number given. Requisites To create Topic in SNS Service and use AWS Lambda Add Topics to CloudWatch, we need not follow the steps given below − Create Topic in SNS Create Role for permission in IAM Create AWS Lambda Function Publish to topic to activate trigger Check the message details in CloudWatch service. To send SNS text message on phone number given, we need to do the following − Add code in AWS Lambda to send message to your phone. Example In this example, we will create a topic in SNS. When details are entered in the topic to publish, AWS Lambda is triggered. The topic details are logged in CloudWatch and a message is sent on phone by AWS Lambda. Here is a basic block diagram which...

Building the Lambda Function

AWS Lambda function executes a code when it is invoked. This chapter discusses all these steps involved in the life cycle of AWS Lambda function in detail. Steps for Building a Lambda function The lifecycle of Lambda function includes four necessary steps − Authoring Deploying Monitoring Troubleshooting Authoring Lambda Code AWS Lambda function code can be written in following languages − NodeJS Java, Python C# Go. We can write code for AWS Lambda using the AWS console, AWS CLI, from Eclipse IDE, from Visual Studio IDE, serverless framework etc. The following table shows a list of languages and the different tools and IDE that can be used to write the Lambda function −   NodeJS :  AWS Lambda Console | Visual Studio IDE Java : Eclipse IDE Python : AWS Lambda Console C# : Visual Studio IDE | .NET core Go : AWS Lambda Console Deploying Lambda Code Once you decide the language you want to write the Lambda function, there are two ways to deploy the code − Directly write the code in...

C++ How to use Date and Time

The C++ standard library does not provide a proper date type. C++ inherits the structs and functions for date and time manipulation from C. To access date and time related functions and structures, you would need to include <ctime> header file in your C++ program. There are four time-related types: clock_t, time_t, size_t , and tm . The types clock_t, size_t and time_t are capable of representing the system time and date as some sort of integer. The structure type tm holds the date and time in the form of a C structure having the following elements: struct tm { int tm_sec ; // seconds of minutes from 0 to 61 int tm_min ; // minutes of hour from 0 to 59 int tm_hour ; // hours of day from 0 to 24 int tm_mday ; // day of month from 1 to 31 int tm_mon ; // month of year from 0 to 11 int tm_year ; // year since 1900 int tm_wday ; // days since sunday int tm_yday ; // days since January 1st int tm_isdst ; // hours of daylight savin...