Activating SELinux
Edit /etc/selinux/config and set SELINUX to permissive:

```
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
# See also:
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/using_selinux/changing-selinux-states-and-modes_using-selinux#changing-selinux-modes-at-boot-time_changing-selinux-states-and-modes
#
# NOTE: Up to RHEL 8 release included, SELINUX=disabled would also
# fully disable SELinux during boot. If you need a system with SELinux
# fully disabled instead of SELinux running with no policy loaded, you
# need to pass selinux=0 to the kernel command line. You can use grubby
# to persistently set the bootloader to boot with selinux=0:
#
# grubby --update-kernel ALL --args selinux=0
#
# To revert back to SELinux enabled:
#
# grubby --update-kernel ALL --remove-args selinux
#
#SELINUX=disabled
SELINUX=permissive
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
```
Following the hint in the comments of /etc/selinux/config, starting with RHEL 8 the SELinux setting on the kernel command line must also be handled: run the following command, which removes the selinux argument (selinux=0) from the kernel command line of all installed kernels so that the bootloader no longer disables SELinux:

```
grubby --update-kernel ALL --remove-args selinux
```
Note

I verified this in practice on Rocky Linux 9.7: you really must run grubby to update the kernel arguments in order to activate SELinux; otherwise, even after changing the SELinux configuration, activation does not succeed.
Reboot the system.

After rebooting, check: run the sestatus command to get the current SELinux status. The output looks like the following and shows that SELinux is now active on the system:

```
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
```
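The failure mode in the note above (config switched to permissive, but selinux=0 still on the kernel command line) can be checked before rebooting. The following script is an added example, not part of the original page; the function name selinux_boot_state and the sample config/cmdline files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: predict whether SELinux will be
# active after the next reboot by combining the two inputs the page changes,
# /etc/selinux/config and the kernel command line. It reproduces the failure
# mode in the note above: SELINUX=permissive in the config, but selinux=0
# still on the kernel command line, so SELinux stays disabled.
#
# selinux_boot_state CONFIG_FILE CMDLINE_FILE
# Prints one of: enforcing, permissive, disabled-by-config, disabled-by-kernel
selinux_boot_state() {
    config_file=$1
    cmdline_file=$2
    # selinux=0 on the kernel command line overrides the config file entirely.
    if grep -Eq '(^|[[:space:]])selinux=0([[:space:]]|$)' "$cmdline_file"; then
        echo disabled-by-kernel
        return 0
    fi
    # Uncommented SELINUX= lines only (the "#SELINUX=disabled" line is ignored);
    # if the key appears more than once, the last one wins.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$config_file" | tail -n 1)
    case $mode in
        enforcing)   echo enforcing ;;
        permissive)  echo permissive ;;
        disabled|'') echo disabled-by-config ;;
        *) echo "unexpected SELINUX value: $mode" >&2; return 1 ;;
    esac
}

# On a real host (not run here): selinux_boot_state /etc/selinux/config /proc/cmdline
# Caveat: /proc/cmdline shows the *current* boot. grubby edits the bootloader
# entries, so its change only shows up in /proc/cmdline after the reboot.

# Constructed sample inputs (not taken from a real host).
tmp=$(mktemp -d)
printf 'SELINUX=permissive\nSELINUXTYPE=targeted\n' > "$tmp/config"
# Before grubby: the bootloader still passes selinux=0.
printf 'BOOT_IMAGE=(hd0,gpt2)/vmlinuz ro quiet selinux=0\n' > "$tmp/cmdline_before"
# After "grubby --update-kernel ALL --remove-args selinux" and a reboot.
printf 'BOOT_IMAGE=(hd0,gpt2)/vmlinuz ro quiet\n' > "$tmp/cmdline_after"
selinux_boot_state "$tmp/config" "$tmp/cmdline_before"   # disabled-by-kernel
selinux_boot_state "$tmp/config" "$tmp/cmdline_after"    # permissive
rm -rf "$tmp"
```

After the reboot, "Mode from config file" and "Current mode" in the sestatus output above should both match what the script predicted from the config file.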