Chapter 3. Administration

This chapter discusses specialized administration tasks unique to an SELinux-enabled system and details how some common system administration tasks differ on an SELinux system.

3.1. Disabling SELinux

SELinux can be disabled completely at boot by passing selinux=0 on the kernel command line. SELinux then stays completely disabled until a reboot, and you will need to relabel files when rebooting to ensure proper operation.

A better alternative for temporarily disabling SELinux is to put the system into permissive mode. Permissive mode logs actions that would have been denied, but does not actually deny them. This contrasts with the normal enforcing mode, which actively denies any action not explicitly allowed by the currently running policy.

To put the system into permissive mode, issue the command setenforce 0 while in the sysadm_r role, or pass enforcing=0 on the kernel command line at boot. To resume enforcing mode, issue the command setenforce 1. The command getenforce reports the mode SELinux is currently running in.

SELinux modes can also be set by editing the SELinux config file located at /etc/selinux/config. The SELINUX= line can be set to enforcing, permissive, or disabled, and will take effect upon the next reboot.
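
The section above names three places that decide the boot-time mode: selinux=0, enforcing=0 and the SELINUX= line. The following script is an added example, not part of the original handbook, that combines them into one audit check. The function names and sample values are hypothetical, and it assumes that kernel parameters take precedence over the config file, which the page does not state.

```shell
#!/bin/sh
# Added example: work out which SELinux mode a host is set to boot into.

# Value of the SELINUX= line in a config file. Commented-out lines and
# SELINUXTYPE= do not match; the last matching line wins.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Value of a key=value kernel parameter. $1 = key, $2 = command line string.
cmdline_param() {
    for word in $2; do
        case "$word" in
            "$1"=*) echo "${word#*=}" ;;
        esac
    done | tail -n 1
}

# Mode at next boot. $1 = config file, $2 = kernel command line.
# Assumption (not stated on the page): kernel parameters override the file.
boot_mode() {
    cfg=$(config_mode "$1")
    if [ "$(cmdline_param selinux "$2")" = 0 ] || [ "$cfg" = disabled ]; then
        echo disabled
        return
    fi
    case "$(cmdline_param enforcing "$2")" in
        0) echo permissive ;;
        1) echo enforcing ;;
        *) echo "${cfg:-unknown}" ;;
    esac
}

# Constructed sample input, not taken from a real system.
sample_cfg=$(mktemp)
trap 'rm -f "$sample_cfg"' EXIT
printf '%s\n' '# SELINUX=disabled' 'SELINUX=enforcing' 'SELINUXTYPE=strict' > "$sample_cfg"
sample_cmdline='root=/dev/sda3 ro enforcing=0'

echo "config file says: $(config_mode "$sample_cfg")"
echo "next boot will be: $(boot_mode "$sample_cfg" "$sample_cmdline")"
# On a live system: boot_mode /etc/selinux/config "$(cat /proc/cmdline)"
```

If getenforce later reports a different mode than this check predicted, the mode was changed at runtime with setenforce.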