Skip to main content

SELinux : Operating Mode

 This is the Basic Usage and Configuration for SELinux (Security-Enhanced Linux).

It's possible to use MAC (Mandatory Access Control) feature on CentOS for various resources by SELinux.

[1]. Confirm the current status of SELinux like follows. (default mode is [Enforcing])

# display current mode

[root@dlp ~]# getenforce

Enforcing

# enforcing   ⇒  SELinux is enabled (default)

# permissive  ⇒  MAC is not enabled, but only records audit logs according to Policies

# disabled    ⇒  SELinux is disabled


# also possible to display with the command ([Current mode] line)

[root@dlp ~]# sestatus

SELinux status:                 enabled

SELinuxfs mount:                /sys/fs/selinux

SELinux root directory:         /etc/selinux

Loaded policy name:             targeted

Current mode:                   enforcing

Mode from config file:          enforcing

Policy MLS status:              enabled

Policy deny_unknown status:     allowed

Memory protection checking:     actual (secure)

Max kernel policy version:      31

[2]. It's possible to switch current mode between [permissive] ⇔ [enforcing] with [setenforce] command.

But if CentOS System is restarted, the mode returns to default.

[root@dlp ~]# getenforce

Enforcing

# switch to [Permissive] with [setenforce 0]

[root@dlp ~]# setenforce 0

[root@dlp ~]# getenforce

Permissive

# switch to [Enforcing] with [setenforce 1]

[root@dlp ~]# setenforce 1

[root@dlp ~]# getenforce

Enforcing

[3]. If you'd like to change Operating Mode permanently, change value in Configuration file.

[root@dlp ~]# vi /etc/selinux/config

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

#     enforcing - SELinux security policy is enforced.

#     permissive - SELinux prints warnings instead of enforcing.

#     disabled - No SELinux policy is loaded.

# change value you'd like to set

SELINUX=enforcing

# SELINUXTYPE= can take one of these three values:

#     targeted - Targeted processes are protected,

#     minimum - Modification of targeted policy. Only selected processes are protected.

#     mls - Multi Level Security protection.

SELINUXTYPE=targeted


# restart to apply change

[root@dlp ~]# reboot

[4]. If you change the Operating Mode from [Disabled] to [Enforcing/Permissive], it needs to re-label filesystem with SELinux Contexts. Because when some files or directories are created in [Disabled] mode, they are not labeled with SELinux Contexts, it needs to label to them, too.

# set re-labeling like follows, then it will be set on next system booting

[root@dlp ~]# touch /.autorelabel

[root@dlp ~]# reboot

Comments

Post a Comment

Popular posts from this blog

PERL Some good framework

1. Catalyst is the most popular agile Perl MVC web framework that encourages rapid development and clean design without getting in your way. Catalyst | Perl MVC web application framework 2. Mojolicious is a next generation web framework for the Perl programming language. Back in the early days of the web, many people learned Perl because of a wonderful Perl   ... Mojolicious - Perl real-time web framework 3. Documents for Perl  The Perl Archive Network, the gateway to all things Perl. The canonical location for Perl code and modules. The Comprehensive Perl Archive Network - www. cpan .org
Post a Comment
Read more

C++ How to use Date and Time

The C++ standard library does not provide a proper date type. C++ inherits the structs and functions for date and time manipulation from C. To access date and time related functions and structures, you would need to include <ctime> header file in your C++ program. There are four time-related types: clock_t, time_t, size_t , and tm . The types clock_t, size_t and time_t are capable of representing the system time and date as some sort of integer. The structure type tm holds the date and time in the form of a C structure having the following elements: struct tm { int tm_sec ; // seconds of minutes from 0 to 61 int tm_min ; // minutes of hour from 0 to 59 int tm_hour ; // hours of day from 0 to 24 int tm_mday ; // day of month from 1 to 31 int tm_mon ; // month of year from 0 to 11 int tm_year ; // year since 1900 int tm_wday ; // days since sunday int tm_yday ; // days since January 1st int tm_isdst ; // hours of daylight savin...
Post a Comment
Read more

Lambda Function with Amazon DynamoDB

DynamoDB can trigger AWS Lambda when the data in added to the tables, updated or deleted. In this chapter, we will work on a simple example that will add items to the DynamoDB table and AWS Lambda which will read the data and send mail with the data added. Requisites To use Amazon DB and AWS Lambda, we need to follow the steps as shown below − Create a table in DynamoDB with primary key Create a role which will have permission to work with DynamoDBand AWS Lambda. Create function in AWS Lambda AWS Lambda Trigger to send mail Add data in DynamoDB Let us discuss each of this step in detail. Example We are going to work out on following example which shows the basic interaction between DynamoDB and AWS Lambda. This example will help you to understand the following operations − Creating a table called customer in Dynamodb table and how to enter data in that table. Triggering AWS Lambda function once the data is entered and sending mail using Amazon SES service. The basic block diagram that ...
Post a Comment
Read more