Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual page 754

Chapter 44. Security and SELinux
For example, running the cat command on the enforce file reveals either a 1 for enforcing mode or 0 for permissive mode.
44.2.2.2. SELinux Configuration Files
The following sections describe SELinux configuration and policy files, and related file systems located in the /etc/ directory.
44.2.2.2.1. The /etc/sysconfig/selinux Configuration File
There are two ways to configure SELinux under Red Hat Enterprise Linux: using the SELinux Administration Tool (system-config-selinux), or manually editing the configuration file (/etc/sysconfig/selinux).
The /etc/sysconfig/selinux file is the primary configuration file for enabling or disabling SELinux, as well as for setting which policy to enforce on the system and how to enforce it.
Note
The /etc/sysconfig/selinux file is a symbolic link to the actual configuration file, /etc/selinux/config.
The following explains the full set of options available for configuration:
• SELINUX=enforcing|permissive|disabled — Defines the top-level state of SELinux on a system.
• enforcing — The SELinux security policy is enforced.
• permissive — The SELinux system prints warnings but does not enforce policy.
This is useful for debugging and troubleshooting purposes. In permissive mode, more denials are logged because subjects can continue with actions that would otherwise be denied in enforcing mode. For example, traversing a directory tree in permissive mode produces avc: denied messages for every directory level read. In enforcing mode, SELinux would have stopped the initial traversal and kept further denial messages from occurring.
• disabled — SELinux is fully disabled. SELinux hooks are disengaged from the kernel and the pseudo-file system is unregistered.
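The configured state in /etc/selinux/config and the live state in the enforce pseudo-file can disagree, for instance after an administrator switches to permissive mode at runtime without touching the file. The following script is an added example, not part of the Red Hat manual: it reads the SELINUX= setting from a config file, maps the 0/1 in an enforce file to a mode name (a missing file is treated as disabled, since the pseudo-file system is unregistered in that state), and reports any drift. It assumes the RHEL 5 pseudo-file system path /selinux/enforce and runs offline against constructed sample files.

```shell
#!/bin/sh
# Added example (not from the manual): compare the SELinux mode configured in
# /etc/selinux/config with the mode the running kernel reports, so that a
# runtime change that drifts from the configured state is noticed.

# Print the SELINUX= value from a config file; comment lines are ignored and,
# as in the shell, the last assignment wins.
configured_mode() {
    # $1: path to the config file (normally /etc/selinux/config)
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Translate the 0/1 in the enforce pseudo-file into a mode name.
runtime_mode() {
    # $1: path to the enforce file (assumed /selinux/enforce on RHEL 5)
    [ -r "$1" ] || { echo disabled; return; }   # no pseudo-fs => SELinux disabled
    case "$(cat "$1")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Report "ok" when configured and runtime modes agree, otherwise "drift".
check_drift() {
    cfg=$(configured_mode "$1")
    run=$(runtime_mode "$2")
    if [ "$cfg" = "$run" ]; then
        echo "ok: $cfg"
    else
        echo "drift: config=$cfg runtime=$run"
    fi
}

# Constructed sample files for an offline run; these are not the real system files.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/config" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
EOF
printf '0' > "$SAMPLE_DIR/enforce"   # kernel currently permissive, e.g. after setenforce 0

check_drift "$SAMPLE_DIR/config" "$SAMPLE_DIR/enforce"
# prints: drift: config=enforcing runtime=permissive
```

On a real RHEL 5 host, call check_drift /etc/selinux/config /selinux/enforce instead of the sample paths.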
Tip
Actions made while SELinux is disabled may result in the file system no longer having the correct security context, that is, the security context defined by the policy. The best way to relabel the file system is to create the flag file /.autorelabel and reboot the machine. This causes the relabel to occur very early in the boot process, before any processes are running on the system. Using this procedure means that processes cannot accidentally create files in the wrong context or start up in the wrong context.
It is possible to use the fixfiles relabel command prior to enabling SELinux to relabel the file system. This method is not recommended, however, because after it is complete, it is still possible to have processes potentially running on the system in