Enabling Enforcing Mode of SELinux

Generic Instruction

To enable enforcing mode of SELinux on a node, do the following:

  1. Connect to a node on which you wish to enable the enforcing mode.
  2. Make sure that SELinux runs in permissive mode. You can check the current mode by running the following command:

    getenforce
  3. If it is disabled, set SELINUX=permissive in the /etc/selinux/config file. Files created while SELinux was disabled carry no security labels, so also create the /.autorelabel file (touch /.autorelabel) so that the file system is relabeled during the next boot.
  4. If you changed the SELinux configuration, reboot the node to apply the changes.

    Note: The reboot can take a significant amount of time because the file system is relabeled according to the SELinux policy.

  5. Let the system run with SELinux in permissive mode for several days, making sure that all the workloads that normally run on the node are exercised, because permissive mode only logs what actually runs.
  6. Check the /var/log/audit/audit.log file for any messages containing the word denied (ausearch -m AVC -ts recent lists them as well), similar to the following:

    type=AVC msg=audit(1559036120.944:145): avc:  denied  { append } for  pid=8573 comm="standalone.sh" path="/pa-logs/console.log" dev="dm-3" ino=15 scontext=system_u:system_r:pa_jboss_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1
  7. If there are such messages, fix them using the instructions from Troubleshooting.
  8. When all the denials are fixed and no new ones appear, switch SELinux to the enforcing mode using the following command:

    setenforce 1

    Note: setenforce changes the mode of the running kernel only. To keep the enforcing mode across reboots, also set SELINUX=enforcing in the /etc/selinux/config file.
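The whole procedure above, as an added shell example that is not part of the original documentation or of the product's own tooling: it counts and summarizes the AVC denials in an audit log, maps the current SELinux mode to the step of the procedure that applies next, and only switches to enforcing mode (persisting the choice in /etc/selinux/config) when no denials remain. The sample audit records, the temporary log path, the function names and the --apply flag are constructed for this example; the real log is /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example, not from the original page: gate the switch to enforcing
# mode on the audit log being free of AVC denials. The sample records below
# are constructed for the demonstration; the real log is /var/log/audit/audit.log.

AUDIT_LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"
SELINUX_CONFIG="${SELINUX_CONFIG:-/etc/selinux/config}"

# Number of AVC denial records in a log file (prints 0 for an empty file).
count_denials() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    grep -Ec 'avc: +denied' "$1" || true
}

# One line per distinct (source context, target context, class, permissions)
# tuple, prefixed with how often it occurred: the list of things to fix
# before enforcing. Permissions inside "{ ... }" are joined with commas.
summarize_denials() {
    grep -E 'avc: +denied' "$1" | awk '{
        perm = ""; sc = ""; tc = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = (perm == "" ? $j : perm "," $j)
            }
            if (index($i, "scontext=") == 1) sc  = substr($i, 10)
            if (index($i, "tcontext=") == 1) tc  = substr($i, 10)
            if (index($i, "tclass=")   == 1) cls = substr($i, 8)
        }
        print sc, tc, cls, perm
    }' | sort | uniq -c
}

# Map the current mode ($1, as printed by getenforce) and the audit log ($2)
# to the next step of the procedure. Pure function, so it can be exercised
# without touching the real system.
decide() {
    case "$1" in
        Disabled)  echo "enable-permissive" ;;   # step 3: SELINUX=permissive, relabel, reboot
        Enforcing) echo "already-enforcing" ;;
        Permissive)
            n=$(count_denials "$2") || return 1
            if [ "$n" -eq 0 ]; then
                echo "enforce"                   # step 8
            else
                echo "fix-denials"               # step 7
            fi ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Apply the decision on a real node (requires root). Runs only with --apply.
apply() {
    action=$(decide "$(getenforce)" "$AUDIT_LOG")
    case "$action" in
        enforce)
            setenforce 1
            # setenforce is runtime only; persist the mode (GNU sed -i).
            sed -i 's/^SELINUX=.*/SELINUX=enforcing/' "$SELINUX_CONFIG"
            echo "SELinux is now enforcing and configured to stay so after reboot" ;;
        fix-denials)
            echo "Denials still present, fix these first:" >&2
            summarize_denials "$AUDIT_LOG" >&2
            return 1 ;;
        enable-permissive)
            echo "SELinux is disabled: set SELINUX=permissive in $SELINUX_CONFIG, touch /.autorelabel and reboot" >&2
            return 1 ;;
        already-enforcing)
            echo "nothing to do" ;;
    esac
}

# Constructed sample log: one SYSCALL record (ignored) and two AVC denials
# logged in permissive mode (permissive=1) for the same confined domain.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
type=SYSCALL msg=audit(1559036120.944:145): arch=c000003e syscall=2 success=yes exit=3 comm="standalone.sh" subj=system_u:system_r:pa_jboss_t:s0 key=(null)
type=AVC msg=audit(1559036120.944:145): avc:  denied  { append } for  pid=8573 comm="standalone.sh" path="/pa-logs/console.log" dev="dm-3" ino=15 scontext=system_u:system_r:pa_jboss_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559036131.210:162): avc:  denied  { read write } for  pid=8573 comm="java" path="/pa-logs/server.log" dev="dm-3" ino=27 scontext=system_u:system_r:pa_jboss_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1
EOF

if [ "${1:-}" = "--apply" ]; then
    apply
else
    echo "denials in sample log: $(count_denials "$SAMPLE_LOG")"
    summarize_denials "$SAMPLE_LOG"
    echo "next step in Permissive mode: $(decide Permissive "$SAMPLE_LOG")"
fi
```

Run without arguments to see the summary for the constructed log; run as root with --apply on a node to perform the real check against /var/log/audit/audit.log. The summary groups denials by source context, target context, class and permission, which is the granularity at which a label fix (restorecon, semanage fcontext) or a local policy module is written, so each line of it corresponds to one item to resolve in step 7.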