Setting up a new PHP website with SELinux enabled on CentOS 7-8 | RHEL 7-8


brent

Security Enhanced Linux or SELinux is a security mechanism built into the Linux kernel used by RHEL-based distributions.

SELinux adds an additional layer of security to the system by allowing administrators and users to control access to objects based on policy rules.

SELinux policy rules specify how processes and users interact with each other as well as how processes and users interact with files. When there is no rule explicitly allowing access to an object, such as for a process opening a file, access is denied.

SELinux has three modes of operation:

  • Enforcing: SELinux allows access based on SELinux policy rules.
  • Permissive: SELinux only logs actions that would have been denied if running in enforcing mode. This mode is useful for debugging and creating new policy rules.
  • Disabled: No SELinux policy is loaded, and no messages are logged.

By default, in CentOS 8, SELinux is enabled and in enforcing mode. It is highly recommended to keep SELinux in enforcing mode. However, it may sometimes interfere with the functioning of an application, and you need to set it to permissive mode or disable it completely.

In this tutorial, we will explain how to disable SELinux on CentOS 8.

Prerequisites

Only the root user or a user with sudo privileges can change the SELinux mode.

Checking the SELinux Mode

Use the sestatus command to check the status and the mode in which SELinux is running:

sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

The output above shows that SELinux is enabled and set to enforcing mode.

Changing SELinux Mode to Permissive

When enabled, SELinux can be in either enforcing or permissive mode. You can temporarily change the mode from enforcing to permissive with the following command:

sudo setenforce 0

However, this change is valid for the current runtime session only and does not persist between reboots.

To permanently set the SELinux mode to permissive, follow the steps below:

  1. Open the /etc/selinux/config file and set the SELINUX mode to permissive:

    /etc/selinux/config

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=permissive
    # SELINUXTYPE= can take one of these three values:
    #     targeted - Targeted processes are protected,
    #     minimum - Modification of targeted policy. Only selected processes are protected.
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted

  2. Save the file and run the setenforce 0 command to change the SELinux mode for the current session:

    sudo setenforce 0

Disabling SELinux

Instead of disabling SELinux, it is strongly recommended to change the mode to permissive. Disable SELinux only when required for the proper functioning of your application.

 

Perform the steps below to disable SELinux on your CentOS 8 system permanently:

  1. Open the /etc/selinux/config file and change the SELINUX value to disabled:

    /etc/selinux/config

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=disabled
    # SELINUXTYPE= can take one of these three values:
    #     targeted - Targeted processes are protected,
    #     minimum - Modification of targeted policy. Only selected processes are protected.
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted

  2. Save the file and reboot the system:

    sudo shutdown -r now

  3. When the system is booted, use the sestatus command to verify that SELinux has been disabled:

    sestatus

    The output should look like this:

    SELinux status:                 disabled

Conclusion

SELinux is a mechanism to secure a system by implementing mandatory access control (MAC). SELinux is enabled by default on CentOS 8 systems, but it can be disabled by editing the configuration file and rebooting the system.

To learn more about the powerful features of SELinux, visit the CentOS SELinux guide.
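
The mode checks from this guide combined into one audit, as an added example that is not part of the original post: it reports when the running mode (as changed by setenforce) and the SELINUX= value in /etc/selinux/config disagree, or when both are weaker than enforcing. The function names and the OK/DRIFT/WEAK labels are assumptions, and the sample input is constructed.

```sh
#!/bin/sh
# Added example: compare the running SELinux mode with the mode that will
# apply after the next reboot. Sample inputs below are constructed.

# Effective SELINUX= value from /etc/selinux/config text (file argument or stdin).
# Comment lines and SELINUXTYPE= are ignored; the last assignment wins.
config_mode() {
    awk -F= '/^[ \t]*SELINUX=/ { gsub(/[ \t\r]/, "", $2); v = tolower($2) }
             END { print (v == "" ? "unknown" : v) }' "$@"
}

# Running mode from `sestatus` output on stdin. A disabled system prints
# only the status line, so that case is handled separately.
runtime_mode() {
    awk -F: '/^SELinux status:/ { gsub(/[ \t\r]/, "", $2); s = $2 }
             /^Current mode:/   { gsub(/[ \t\r]/, "", $2); m = $2 }
             END { print (s == "disabled" ? "disabled" : (m == "" ? "unknown" : m)) }'
}

# Verdict for a (runtime, config) pair.
selinux_verdict() {
    if [ "$1" != "$2" ]; then
        echo "DRIFT: runtime=$1 config=$2"
    elif [ "$1" = "enforcing" ]; then
        echo "OK: enforcing now and after reboot"
    else
        echo "WEAK: $1 now and after reboot"
    fi
}

# Constructed sample: state after `sudo setenforce 0` with the config untouched.
SAMPLE_SESTATUS='SELinux status:                 enabled
Current mode:                   permissive
Mode from config file:          enforcing'
SAMPLE_CONFIG='# SELINUX= can take one of these three values:
SELINUX=enforcing
SELINUXTYPE=targeted'

demo() {
    r=$(printf '%s\n' "$SAMPLE_SESTATUS" | runtime_mode)
    c=$(printf '%s\n' "$SAMPLE_CONFIG" | config_mode)
    selinux_verdict "$r" "$c"
}
demo
# On a real host:
# selinux_verdict "$(sestatus | runtime_mode)" "$(config_mode /etc/selinux/config)"
```

A DRIFT result means the host will change mode at the next reboot; a WEAK result means permissive or disabled has been made persistent.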
