Shulou(Shulou.com)06/02 Report--

This article is about how to turn on and off SELinux. I think it is very practical, so I share it with you. I hope you can get something after reading this article. Let's take a look at it.

Security enhanced Linux (SELinux) is a feature of the Linux kernel that provides security policy protection mechanisms that support access control. Here is how to turn SELinux on or off and avoid the problem that the system cannot be started.

Background information

In general, turning on SELinux will improve the security of the system, but it will destroy the files of the operating system and cause the problem that the system cannot be started. If your company or team has a very strict security policy that requires SELinux to be enabled in the Linux operating system, you can refer to the steps in this article to avoid the problem that the system cannot be started. The operating system used in this tutorial is CentOS 7.264-bit.

Turn on SELinux

Remotely connect to the ECS instance with root privileges.

Run the following command on the ECS instance to edit the config file for SELinux.

Vi / etc/selinux/config

Find SELINUX=disabled, press I to enter edit mode, and open SELinux by modifying this parameter.

You can modify the parameters according to your needs. There are two modes for enabling SELinux:

Mandatory mode SELINUX=enforcing: indicates that all violations of security policy will be prohibited.

Tolerance mode SELINUX=permissive: indicates that all violations of security policy are not prohibited, but will be recorded in the log.

When the modification is complete, press the keyboard ESC key, execute the command: wq, save and exit the file.

It is necessary to restart the instance after modifying the config file, but directly restarting the instance will cause an error that the system cannot be started. Therefore, you need to create a new autorelabel file in the root directory before restarting.

Create a new hidden file autorelabel under the root directory. After the instance is restarted, SELinux will automatically relabel all system files.

Touch /. Autorelabel

Restart the ECS instance.

Shutdown-r now verifies SELinux status

Remotely connect to the ECS instance with root privileges.

Run the command getenforce to verify the SELinux status.

The return status should be enforcing or permissive, and the current status of this tutorial is enforcing.

Run the command sestatus to get more SELinux information.

The parameter information SELinux status is displayed as enabled, indicating that SELinux has been started.

Close SELinux

Remotely connect to the ECS instance with root privileges.

Run the command getenforce to verify the SELinux status.

If the returned status is enforcing, it means that SELinux is enabled.

Choose to close SELinux temporarily or permanently.

Execute the command setenforce 0 to temporarily shut down SELinux.

Permanently close SElinux.

Run the following command to edit the config file for SELinux.

Vi / etc/selinux/config

Find SELINUX=enforcing, press I to enter edit mode, and change the parameter to SELINUX=disabled.

When the modification is complete, press the keyboard ESC key, execute the command: wq, save and exit the file.

Restart the ECS instance.

Shutdown-r now

After restarting, run the command getenforce to verify that the SELinux status is disabled, indicating that SELinux is turned off.

The above is how to turn on and off SELinux. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.