CentOS 7

SELinux : SELinux Policy Type
2016/03/27
 
If SELinux is in "Enforcing" or "Permissive" mode, you can choose the Policy Type, and you can modify the selected policy for your own environment if needed.
The Policy Type is set in the /etc/selinux/config file.
The default policy on CentOS 7 is the "targeted" policy.
However, changing the Policy Type requires the policy files for that type to be installed. On a CentOS 7 Minimal install, only the "targeted" policy is installed by default.
If you change to a policy whose policy files are not installed, the system will not start, so be careful.
[1] Set the Policy Type on the "SELINUXTYPE=***" line.
# default is "targeted"

[root@dlp ~]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted


# for example, change to "minimum" Policy

# Install Policy File first, don't forget it

[root@dlp ~]# yum -y install selinux-policy-minimum
# Policy File is installed under "minimum" directory

[root@dlp ~]# ll /etc/selinux

total 16
-rw-r--r--. 1 root root  547 Mar 18 16:23 config
drwxr-xr-x. 6 root root 4096 Mar 18 17:26 minimum
-rw-r--r--. 1 root root 2321 Nov 20 16:04 semanage.conf
drwxr-xr-x. 6 root root 4096 Mar 18 16:24 targeted

[root@dlp ~]# vi /etc/selinux/config
# change "SELINUXTYPE" section

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.

SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=minimum

# restart to apply the change

[root@dlp ~]# reboot
[root@dlp ~]# sestatus

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             minimum     # just changed
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
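
Added example, not part of the original page: a check to run after editing the config and before restarting, covering the failure described above where SELINUXTYPE names a policy whose files are not installed. It assumes the compiled policy lives at /etc/selinux/<type>/policy/policy.<version>; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): verify that the policy named by
# SELINUXTYPE is installed before rebooting. Function names are hypothetical.

# Print the value of the last uncommented SELINUXTYPE= line in config file $1.
selinux_type_from_config() {
    sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([A-Za-z0-9_-]*\).*$/\1/p' "$1" | tail -n 1
}

# Return 0 if a compiled policy file exists for policy type $2 under root $1.
policy_installed() {
    for f in "$1/$2"/policy/policy.*; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# check_selinux_type [config] [root]: 0 = safe to reboot, 1 = policy missing,
# 2 = no SELINUXTYPE= line found. Defaults are the paths shown on this page.
check_selinux_type() {
    config=${1:-/etc/selinux/config}
    root=${2:-/etc/selinux}
    ptype=$(selinux_type_from_config "$config")
    if [ -z "$ptype" ]; then
        echo "no SELINUXTYPE= line in $config" >&2
        return 2
    fi
    if policy_installed "$root" "$ptype"; then
        echo "OK: policy '$ptype' is installed in $root/$ptype"
        return 0
    fi
    echo "FAIL: SELINUXTYPE=$ptype, but $root/$ptype/policy has no policy file" >&2
    echo "      install selinux-policy-$ptype before rebooting" >&2
    return 1
}

# Constructed demo: only "targeted" is installed, but the config asks for "minimum".
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/targeted/policy"
    : > "$d/targeted/policy/policy.0"   # stand-in for the compiled policy file
    printf 'SELINUX=enforcing\nSELINUXTYPE=minimum\n' > "$d/config"
    check_selinux_type "$d/config" "$d"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || true   # prints the FAIL message for the constructed tree
```

On a real system, call check_selinux_type with no arguments as root after editing /etc/selinux/config and restart only if it returns 0.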
[3] Three kinds of policies are provided as RPM packages, as listed in the comments of the configuration file.

Policy      Description
Targeted    This policy applies access controls to processes that are often targeted by attacks. (Default)
Minimum     The setting files included in this policy are the same as in the "Targeted" policy, but fewer processes are targeted for access controls than in the "Targeted" policy.
MLS         Multilevel Security policy. It implements the Bell-LaPadula (BLP) model and makes it possible to apply more complex controls.

 