Switching SELinux on and off
This is perhaps a weird section to begin with, but disabling SELinux is a commonly requested activity. Some vendors do not support their application running on a platform that has SELinux enabled. System administrators are generally reluctant to use security controls they do not understand or find too complex to maintain. Luckily, the number of such cases is diminishing, and SELinux can also selectively disable its access controls for part of the system rather than requiring us to disable it completely.
Setting the global SELinux state
SELinux supports three major states that it can be in: disabled, permissive, and enforcing. These states are set in the /etc/selinux/config file, through the SELINUX variable. Take a look at the current setting:
$ grep ^SELINUX= /etc/selinux/config
SELINUX=enforcing
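The grep check above, extended into an audit function (an added example, not from the original text): it reports the state configured in the file and flags a missing, conflicting, or unrecognized SELINUX= line. The function name, return codes, and sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the SELinux state configured in a config file.
# Function name, return codes and sample file are assumptions of this example.

# selinux_config_state [FILE]
#   Prints the configured state and returns:
#   0 = enforcing, 1 = permissive or disabled,
#   2 = file unreadable, SELINUX= missing, conflicting or not a known state.
selinux_config_state() {
    cfg=${1:-/etc/selinux/config}
    nl='
'
    if [ ! -r "$cfg" ]; then
        echo "cannot read $cfg" >&2
        return 2
    fi

    # Same anchor as the grep above, so "#SELINUX=..." and "SELINUXTYPE=..."
    # are ignored. Drop the key and trailing whitespace (including a CR from
    # files edited on Windows), then collapse identical repeats.
    values=$(grep '^SELINUX=' "$cfg" |
        sed -e 's/^SELINUX=//' -e 's/[[:space:]]*$//' | sort -u)

    case $values in
        '')        echo "no SELINUX= line in $cfg" >&2; return 2 ;;
        *"$nl"*)   echo "conflicting SELINUX= lines in $cfg" >&2; return 2 ;;
        enforcing) echo "$values"; return 0 ;;
        permissive|disabled) echo "$values"; return 1 ;;
        *)         echo "unknown SELINUX value '$values' in $cfg" >&2; return 2 ;;
    esac
}

# Constructed sample file (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# SELINUX=disabled
SELINUX=permissive
SELINUXTYPE=targeted
EOF
state=$(selinux_config_state "$sample") && rc=0 || rc=$?
echo "configured state: $state (rc=$rc)"
rm -f "$sample"
```

The function reads only the configuration file, so it reports what the administrator has configured, which is the value the paragraph below says is checked when the policy is loaded.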
When the system init process loads the SELinux policy, the SELinux code checks the state that the administrator has configured. The states are described as follows:
- If...