Security-enhanced Linux (SELinux) configuration-file (/etc/selinux/conf)
The SELinux configuration file is “/etc/sysconfig/selinux”, which is a symbolic link to “/etc/selinux/conf” file.
The SELinux status can be configured in the primary configuration file, “/etc/ sysconfig/selinux”. SELinux can be configured in two ways under Red Hat Enterprise Linux:
1) "system-config-selinux" GUI tool
2) Manually editing the "/etc/sysconfig/selinux" configuration file.
The /etc/sysconfig/selinux file is the primary configuration file for enabling or disabling SELinux. A Sample configuration file is shown below.
[root@RHEL04 ~]# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
There are three directives in this file as explained below.
• enforcing - SELinux security policy is enforced.
• permissive - SELinux prints warnings instead of enforcing.
• disabled - SELinux is fully disabled.
The ideal way to disable or enable SELinux (either enforcing mode or permissive mode) is to change the desired value in “/etc/sysconfig/selinux” and restart the server.
If SELinux is already enabled and you want to change the mode from permissive to enforcing or from enforcing to permissive, you can use the “setenforce” command as shown below.
• [root@RHEL03 ~] setenforce enforcing
• [root@RHEL03 ~] setenforce permissive
The SELINUXTYPE specifies which policy SELinux should enforce. The SELinux Policy is the set of rules that guide the SELinux security engine. SELinux Policy defines “Types” for file objects and “domains” for processes. “Types” and “Domains” are same, the difference being that “Types” apply to objects while “Domains” apply to processes.
SELINUXTYPE=targeted
Currently the policy supported is targeted where only targeted network daemons are protected.
The following are the main network deamons (services) supported by the “targeted” policy.
• dhcpd
• httpd
• named
• nscd
• ntpd
• portmap
• snmpd
• squid
• syslogd
• winbind
The remaining system runs in the "unconfined_t" domain. The "unconfined_t" domain allows subjects and objects with that security context to operate using standard Linux security.