#293 Update instructions for disabling and re-enabling SELinux
Closed 3 years ago by pbokoc. Opened 3 years ago by omos.
fedora-docs/ omos/quick-docs disabling-selinux into master

@@ -7,23 +7,18 @@ 

  

  When SELinux is running in enforcing mode, it enforces the SELinux policy and denies access based on SELinux policy rules. In Fedora, enforcing mode is enabled by default when the system was initially installed with SELinux.

  

- If SELinux was disabled, follow the procedure below to change mode to enforcing again:

- 

- This procedure assumes that the [package]*selinux-policy-targeted*, [package]*selinux-policy*, [package]*libselinux*, [package]*libselinux-python*, [package]*libselinux-utils*, [package]*policycoreutils*, and [package]*policycoreutils-python* packages are installed. To verify that the packages are installed, use the following command:

- [subs="quotes"]

- ----

- ~]$ rpm -q _package_name_

- ----

+ First check the current SELinux mode by running the [command]`getenforce` command. If it displays `Disabled`, then follow <<{context}-enabling-selinux>>. Otherwise, if it displays `Permissive`, follow the procedure below to change mode to enforcing again:

  

  . Edit the `/etc/selinux/config` file as follows:

  +

+ [subs="quotes"]

  ----

  # This file controls the state of SELinux on the system.

  # SELINUX= can take one of these three values:

  #       enforcing - SELinux security policy is enforced.

  #       permissive - SELinux prints warnings instead of enforcing.

  #       disabled - No SELinux policy is loaded.

- SELINUX=pass:quotes[*enforcing*]

+ SELINUX=*enforcing*

  # SELINUXTYPE= can take one of these two values:

  #       targeted - Targeted processes are protected,

  #       mls - Multi Level Security protection.
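
Review bot: the new lead-in only handles `Disabled` and `Permissive` results from `getenforce`; add what the reader should do when it already prints `Enforcing` (nothing to change). Also, dropping the prerequisite paragraph removes the only mention in this section that `libselinux-utils` (which provides `getenforce`) must be installed; either keep a shortened prerequisite note here or point to the prerequisite list in the enabling procedure.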

@@ -11,13 +11,14 @@ 

  

  . Edit the `/etc/selinux/config` file as follows:

  +

+ [subs="quotes"]

  ----

  # This file controls the state of SELinux on the system.

  # SELINUX= can take one of these three values:

  #       enforcing - SELinux security policy is enforced.

  #       permissive - SELinux prints warnings instead of enforcing.

  #       disabled - No SELinux policy is loaded.

- SELINUX=pass:quotes[*permissive*]

+ SELINUX=*permissive*

  # SELINUXTYPE= can take one of these two values:

  #       targeted - Targeted processes are protected,

  #       mls - Multi Level Security protection.

@@ -2,7 +2,7 @@ 

  //

  // changing-selinux-states-and-modes.adoc

  

- [#{context}-Enabling_and_Disabling_SELinux-Disabling_SELinux]

+ [#{context}-disabling-selinux]

  = Disabling SELinux

  

  When SELinux is disabled, SELinux policy is not loaded at all; it is not enforced and AVC messages are not logged. Therefore, all benefits of running SELinux listed in link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-introduction#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux[Benefits of SELinux] are lost.
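
Review bot: renaming the anchor from `{context}-Enabling_and_Disabling_SELinux-Disabling_SELinux` to `{context}-disabling-selinux` breaks any existing cross-references and external deep links to the old id. The other hunks in this PR use `<<{context}-disabling-selinux>>` consistently, but please grep the rest of the repository for the old id before merging, and confirm that `<<{context}-enabling-selinux>>` and `<<{context}-changing-to-permissive-mode>>`, which this PR references but does not define in the visible hunks, resolve.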
@@ -14,25 +14,22 @@ 

  

  To permanently disable SELinux, follow the procedure below:

  

- . Configure [option]`SELINUX=disabled` in the `/etc/selinux/config` file:

- +

+ This procedure assumes that the [package]*grubby* package is installed. To verify that it is installed, use the following command:

+ [subs="quotes"]

+ ----

+ ~]$ rpm -q grubby

  ----

  

- # This file controls the state of SELinux on the system.

- # SELINUX= can take one of these three values:

- #       enforcing - SELinux security policy is enforced.

- #       permissive - SELinux prints warnings instead of enforcing.

- #       disabled - No SELinux policy is loaded.

- SELINUX=pass:quotes[*disabled*]

- # SELINUXTYPE= can take one of these two values:

- #       targeted - Targeted processes are protected,

- #       mls - Multi Level Security protection.

- SELINUXTYPE=targeted

+ . Configure your bootloader to add `selinux=0` to the kernel command-line:

+ +

+ [subs="quotes"]

+ ----

+ ~]# grubby --update-kernel ALL --args selinux=0

  ----

  

  . Reboot your system. After reboot, confirm that the [command]`getenforce` command returns `Disabled`:

  +

  ----

- `~]$`pass:attributes[{blank}] pass:attributes[{blank}][command]`getenforce`

+ ~]$ getenforce

  Disabled

  ----
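
Review bot: the `SELINUX=disabled` config-file step is removed without any explanation, so readers who followed the old procedure will not learn that this setting is no longer the supported way to disable SELinux (the PR description points to [1] for this); add one sentence saying so and directing them to the `selinux=0` kernel parameter instead. Two smaller points: the `[subs="quotes"]` attribute on the `rpm -q grubby` block is unnecessary because that block contains no quote markup, and the section should cross-reference the relabel step (`fixfiles onboot`) in the enabling procedure so readers know that turning SELinux back on after a kernel-level disable requires a filesystem relabel.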

@@ -9,6 +9,36 @@ 

  

  While enabling SELinux on systems that previously had it disabled, to avoid problems, such as systems unable to boot or process failures, follow this procedure:

  

+ This procedure assumes that the [package]*selinux-policy-targeted*, [package]*selinux-policy*, [package]*libselinux-utils*, and [package]*grubby* packages are installed. To verify that the packages are installed, use the following command:

+ [subs="quotes"]

+ ----

+ ~]$ rpm -q _package_name_

+ ----

+ 

+ . In case your system has SELinux disabled at the kernel level (this is the recommended way, see <<{context}-disabling-selinux>>), make sure to undo that first.

+ 

+ .. Check if you have `selinux=0` in your kernel command line:

+ +

+ [subs="quotes"]

+ ----

+ ~]$ cat /proc/cmdline

+ _[...]_ rd.lvm.lv=fedora/swap rhgb quiet *selinux=0*

+ ----

+ 

+ .. If it is there, remove it from the bootloader configuration using [command]`grubby`:

+ +

+ ----

+ ~]# grubby --update-kernel ALL --remove-args selinux

+ ----

+ 

+ .. The change will be applied after you reboot the system (see below).

+ 

+ . Ensure the filesystem is relabeled on next boot:

+ +

+ ----

+ ~]# fixfiles onboot

+ ----

+ 

  . Enable SELinux in permissive mode. For more information, see <<{context}-changing-to-permissive-mode>>.

  

  . Reboot your system.
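
Review bot: the prerequisite list omits `policycoreutils`, which provides the `fixfiles` command used in the relabel step (the package list removed in the first hunk did include it); add it. In the `grubby --update-kernel ALL --remove-args selinux` step, note that the argument is removed by name (`selinux`, not `selinux=0`) so readers do not "correct" the command to match the `cat /proc/cmdline` output above it. Finally, the `fixfiles onboot` step should say that the relabel runs on the next boot and can take a while, since the final "Reboot your system" step gives no hint that the first boot will be slower than usual.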

Update the documentation to align with [1] and while there also fix some broken formatting.

[1] https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable

rebased onto c66ed28

3 years ago

I made some extra cleanups and clarifications, based on private comments from @plautrba and other small gaps that I noticed in the meantime.

Pull-Request has been closed by pbokoc

3 years ago

This PR has been replaced by #300.