PR#425: Changing SELinux states and modes - fedora-docs/quick-docs

		`@@ -4,7 +4,7 @@`

		`[#{context}-changing-selinux-modes]`
		`= Permanent changes in SELinux states and modes`
		`-`
		`+ :toc:`
		`As discussed in link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-introduction[Introduction to SELinux], SELinux can be enabled or disabled. When enabled, SELinux has two modes: enforcing and permissive.`

		Use the [command]`getenforce` or [command]`sestatus` commands to check in which mode SELinux is running. The [command]`getenforce` command returns `Enforcing`, `Permissive`, or `Disabled`.
		`@@ -28,5 +28,7 @@`

		`[NOTE]`
		`====`
		`- When systems run SELinux in permissive mode, users are able to label files incorrectly. Files created while SELinux is disabled are not labeled at all. This behavior causes problems when changing to enforcing mode because files are labeled incorrectly or are not labeled at all. To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from the disabled state to permissive or enforcing mode.`
		`+ When systems run SELinux in permissive mode, users and processes can label various file-system objects incorrectly. File-system objects created while SELinux is disabled are not labeled at all. This behavior causes problems when changing to enforcing mode because SELinux relies on correct labels of file-system objects.`
		`+`
		+ To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from the disabled state to permissive or enforcing mode. In permissive mode, use the [command]`fixfiles -F onboot` command as root to create `/.autorelabel` file containing the `-F` option to ensure that files are relabeled upon next reboot.
		`====`

modules/ROOT/pages/_partials/proc_changing-to-enforcing-mode.adoc

file modified

+33 -17

		`@@ -5,22 +5,24 @@`
		`[#{context}-changing-to-enforcing-mode]`
		`= Changing to enforcing mode`

		`- When SELinux is running in enforcing mode, it enforces the SELinux policy and denies access based on SELinux policy rules. In Fedora, enforcing mode is enabled by default when the system was initially installed with SELinux.`
		`+ Use the following procedure to switch SELinux to enforcing mode. When SELinux is running in enforcing mode, it enforces the SELinux policy and denies access based on SELinux policy rules. In RHEL, enforcing mode is enabled by default when the system was initially installed with SELinux.`
		`+`
		`+ .Prerequisites`
		`+`
		+ * The `selinux-policy-targeted`, `libselinux-utils`, and `policycoreutils` packages are installed on your system.
		`+`
		+ * The `selinux=0` or `enforcing=0` kernel parameters are not used.

		`.Procedure`

		- . Check the current SELinux mode by using the [command]`getenforce` command:
		`- +`
		`- [subs="quotes"]`
		+ . Open the `/etc/selinux/config` file in a text editor of your choice, for example:
		`+`
		`----`
		`- $ getenforce`
		`- Permissive`
		`+ # vi /etc/selinux/config`
		`----`
		`- +`
		- If the command displays `Disabled`, then follow xref:{context}-enabling-selinux[]. If it displays `Permissive`, use the following steps to change mode to enforcing again:

		- . Edit the `/etc/selinux/config` file as follows:
		`- +`
		+ . Configure the `SELINUX=enforcing` option:
		`+`
		`[subs="quotes"]`
		`----`
		`# This file controls the state of SELinux on the system.`
		`@@ -35,26 +37,40 @@`
		`SELINUXTYPE=targeted`
		`----`

		`- . Restart the system:`
		`+ . Save the change, and restart the system:`
		`+`
		`[subs="quotes"]`
		`----`
		`- $ reboot`
		`+ # reboot`
		`----`
		`+`
		`- On the next boot, SELinux relabels all files and directories in the system and adds the SELinux context for files and directories that were created when SELinux was disabled.`
		`+ On the next boot, SELinux relabels all the files and directories within the system and adds SELinux context for files and directories that were created when SELinux was disabled.`
		`+`
		`+ .Verification`
		`+`
		+ . After the system restarts, confirm that the `getenforce` command returns `Enforcing`:
		`+`
		`+ ----`
		`+ $ getenforce`
		`+ Enforcing`
		`+ ----`

		`[NOTE]`
		`====`
		`- After changing to enforcing mode, SELinux may deny some actions because of incorrect or missing SELinux policy rules. To view what actions SELinux denies:`
		`+ After changing to enforcing mode, SELinux may deny some actions because of incorrect or missing SELinux policy rules. To view what actions SELinux denies, enter the following command as root:`
		`[subs="quotes"]`
		`----`
		`- $ sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent`
		`+ # ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts today`
		`----`
		- Alternatively, with the [package]`setroubleshoot-server` package installed:
		+ Alternatively, with the [package]`setroubleshoot-server` package installed, enter:
		`[subs="quotes"]`
		`----`
		`- $ sudo sealert -a /var/log/audit/audit.log`
		`+ # grep "SELinux is preventing" /var/log/messages`
		`+ ----`
		`+ If SELinux is active and the Audit daemon (auditd) is not running on your system, then search for certain SELinux messages in the output of the dmesg command:`
		`----`
		`+ # dmesg \| grep -i -e type=1300 -e type=1400`
		`+ ----`
		`+`
		`If SELinux denies some actions, see the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux[Troubleshooting problems related to SELinux] chapter in the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/index[RHEL 8 Using SELinux] document for information about troubleshooting.`
		`====`

modules/ROOT/pages/_partials/proc_changing-to-permissive-mode.adoc

file modified

+13 -5

		`@@ -5,14 +5,22 @@`
		`[#{context}-changing-to-permissive-mode]`
		`= Changing to permissive mode`

		`- When SELinux is running in permissive mode, SELinux policy is not enforced. The system remains operational and SELinux does not deny any operations but only logs AVC messages, which can be then used for troubleshooting, debugging, and SELinux policy improvements. Each AVC is logged only once in this case.`
		`+ Use the following procedure to permanently change SELinux mode to permissive. When SELinux is running in permissive mode, SELinux policy is not enforced. The system remains operational and SELinux does not deny any operations but only logs AVC messages, which can be then used for troubleshooting, debugging, and SELinux policy improvements. Each AVC is logged only once in this case.`
		`+`
		`+ .Prerequisites`
		`+`
		+ * The `selinux-policy-targeted`, `libselinux-utils`, and `policycoreutils` packages are installed on your system.
		+ * The `selinux=0` or `enforcing=0` kernel parameters are not used.

		`.Procedure`

		`- To permanently change mode to permissive:`
		+ . Open the `/etc/selinux/config` file in a text editor of your choice, for example:

		- . Edit the `/etc/selinux/config` file as follows:
		`- +`
		`+ ----`
		`+ # vi /etc/selinux/config`
		`+ ----`
		`+`
		+ . Configure the `SELINUX=permissive` option:
		`[subs="quotes"]`
		`----`
		`# This file controls the state of SELinux on the system.`
		`@@ -31,5 +39,5 @@`
		`+`
		`[subs="quotes"]`
		`----`
		`- $ reboot`
		`+ # reboot`
		`----`

modules/ROOT/pages/_partials/proc_disabling-selinux.adoc

file modified

+28 -9

		`@@ -5,13 +5,20 @@`
		`[#{context}-disabling-selinux]`
		`= Disabling SELinux`

		`- When SELinux is disabled, SELinux policy is not loaded at all; it is not enforced and AVC messages are not logged. Therefore, all benefits of running SELinux listed in xref:{context}-benefits-of-selinux[Benefits of SELinux] are lost.`
		`-`
		`+ Use the following procedure to permanently disable SELinux.`
		`+`
		`[IMPORTANT]`
		`====`
		`+ When SELinux is disabled, SELinux policy is not loaded at all; it is not enforced and AVC messages are not logged. Therefore, all benefits of running SELinux listed in xref:{context}-benefits-of-selinux[Benefits of SELinux] are lost.`
		`+`
		`It is recommended to use permissive mode instead of permanently disabling SELinux. See xref:{context}-changing-to-permissive-mode[] for more information about permissive mode.`
		`====`

		`+ [Warning]`
		`+ ====`
		`+ Disabling SELinux using the SELINUX=disabled option in the /etc/selinux/config results in a process in which the kernel boots with SELinux enabled and switches to disabled mode later in the boot process. Because memory leaks and race conditions causing kernel panics can occur, prefer disabling SELinux by adding the selinux=0 parameter to the kernel command line as described in Changing SELinux modes at boot time if your scenario really requires to completely disable SELinux.`
		`+ ====`
		`+`
		`.Prerequisites`

		* The [package]`grubby` package is installed:
		`@@ -24,23 +31,35 @@`

		`.Procedure`

		`- To permanently disable SELinux:`
		`-`
		- . Configure your bootloader to add `selinux=0` to the kernel command line:
		+ . Open the `/etc/selinux/config` file in a text editor of your choice, for example:
		`+`
		`[subs="quotes"]`
		`----`
		`- $ sudo grubby --update-kernel ALL --args selinux=0`
		`+ # vi /etc/selinux/config`
		`----`

		`- . Restart your system:`
		`+ . Configure the SELINUX=disabled option:`
		`+`
		`[subs="quotes"]`
		`----`
		`- $ reboot`
		`+ # This file controls the state of SELinux on the system.`
		`+ # SELINUX= can take one of these three values:`
		`+ # enforcing - SELinux security policy is enforced.`
		`+ # permissive - SELinux prints warnings instead of enforcing.`
		`+ # disabled - No SELinux policy is loaded.`
		`+ SELINUX=disabled`
		`+ # SELINUXTYPE= can take one of these two values:`
		`+ # targeted - Targeted processes are protected,`
		`+ # mls - Multi Level Security protection.`
		`+ SELINUXTYPE=targeted`
		`+ ----`
		`+`
		`+ . Save the change, and restart your system:`
		`+ ----`
		`+ # reboot`
		`----`

		`- .Verification step`
		`+ .Verification`

		* After reboot, confirm that the [command]`getenforce` command returns `Disabled`:
		`+`

modules/ROOT/pages/_partials/ref_changing-selinux-modes-at-boot-time.adoc

file modified

+6 -4

		`@@ -7,7 +7,9 @@`

		`On boot, you can set several kernel parameters to change the way SELinux runs:`

		- enforcing=0:: Setting this parameter causes the machine to boot in permissive mode, which is useful when troubleshooting issues. Using permissive mode might be the only option to detect a problem if your file system is too corrupted. Moreover, in permissive mode the system continues to create the labels correctly. The AVC messages that are created in this mode can be different than in enforcing mode. In permissive mode, only the first denial is reported. However, in enforcing mode you might get a denial on reading a directory and an application stops. In permissive mode, you get the same AVC message, but the application continues reading files in the directory and you get an AVC for each denial in addition.
		`+ enforcing=0:: Setting this parameter causes the system to start in permissive mode, which is useful when troubleshooting issues. Using permissive mode might be the only option to detect a problem if your file system is too corrupted. Moreover, in permissive mode, the system continues to create the labels correctly. The AVC messages that are created in this mode can be different than in enforcing mode.`
		`+ +`
		`+ In permissive mode, only the first denial from a series of the same denials is reported. However, in enforcing mode, you might get a denial related to reading a directory, and an application stops. In permissive mode, you get the same AVC message, but the application continues reading files in the directory and you get an AVC for each denial in addition.`

		selinux=0:: This parameter causes the kernel to not load any part of the SELinux infrastructure. The init scripts notice that the system booted with the [option]`selinux=0` parameter and touch the `/.autorelabel` file. This causes the system to automatically relabel the next time you boot with SELinux enabled.
		`+`
		`@@ -19,11 +21,11 @@`
		`autorelabel=1:: This parameter forces the system to relabel similarly to the following commands:`
		`+`
		`----`
		`- ~]# touch /.autorelabel`
		`- ~]# reboot`
		`+ # touch /.autorelabel`
		`+ # reboot`
		`----`
		`+`
		`- If the system labeling contains a large amount of errors, you might need to boot in permissive mode in order that the autorelabel succeeds.`
		`+ If a file system contains a large amount of mislabeled objects, start the system in permissive mode to make the autorelabel process successful.`

		For additional SELinux-related kernel boot parameters, such as [option]`checkreqprot`, see the `kernel-parameters.txt` file. This file is available in the source package of your Linux kernel (.src.rpm). To download the source package containing the currently used kernel:
		`----`