10. Manage Security
Red Hat Certified System Administrator (RHCSA - EX200)
1. What is SELinux Mode?
SELinux (Security-Enhanced Linux) works in different modes to control how security policies are applied.
A mode defines:
- Whether SELinux enforces rules
- Or just monitors and logs violations
2. SELinux Modes Overview
There are three modes:
1. Enforcing Mode
- SELinux actively enforces security policies
- If an action is not allowed → it is blocked
- Violations are denied and logged
- This is the default mode in RHEL
- Required for production systems
2. Permissive Mode
- SELinux does NOT block anything
- It only logs violations
Used for:
- Troubleshooting
- Testing configurations
3. Disabled Mode
- SELinux is completely turned off
- No enforcement, no logging
- Not recommended
- Avoid in RHCSA exam unless specifically asked
3. Check Current SELinux Mode
Command:
getenforce
Output Examples:
Enforcing
Permissive
Disabled
Detailed Status Command:
sestatus
Example Output:
SELinux status: enabled
Current mode: enforcing
Mode from config file: enforcing
4. Temporarily Change SELinux Mode
Temporary changes last until reboot.
Switch to Permissive Mode
setenforce 0
Switch to Enforcing Mode
setenforce 1
Important Notes:
- 0 = Permissive
- 1 = Enforcing
- Works only if SELinux is enabled
Verify:
getenforce
5. Permanently Change SELinux Mode
Permanent changes require editing a configuration file.
File:
/etc/selinux/config
Open the file:
vi /etc/selinux/config
Change this line:
SELINUX=enforcing
Possible values:
SELINUX=enforcing
SELINUX=permissive
SELINUX=disabled
Apply Changes:
Reboot is required
reboot
6. Difference: Temporary vs Permanent
| Type | Command Used | Reboot Needed | Scope |
|---|---|---|---|
| Temporary | setenforce | No | Until reboot |
| Permanent | config file | Yes | Persistent |
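Because setenforce changes only the running mode and /etc/selinux/config only the mode used at boot, the two can disagree, which is how a system ends up left in permissive mode after testing. The script below is an added example, not part of the original notes; the function names configured_mode and mode_verdict are hypothetical, and the fallback case at the end uses constructed values.

```shell
#!/usr/bin/env bash
# Added example: compare the running SELinux mode (getenforce) with the
# boot-time mode in /etc/selinux/config. Function names are hypothetical.

# Print the SELINUX= value from a config file, lowercased.
# Comment lines and the SELINUXTYPE= line are not matched.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" \
        | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Classify a (running, configured) pair and print a verdict.
# Returns 0 only when the system is enforcing now and after reboot,
# 2 when SELinux is disabled, 1 for every other combination.
mode_verdict() {
    mv_running=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    mv_config=$2
    case "$mv_running:$mv_config" in
        enforcing:enforcing)
            echo "ok: enforcing now and after reboot"; return 0 ;;
        permissive:enforcing)
            echo "drift: setenforce 0 still in effect, run setenforce 1"; return 1 ;;
        enforcing:*)
            echo "drift: enforcing now, next boot will be ${mv_config:-unset}"; return 1 ;;
        disabled:*)
            echo "disabled: setenforce will not work, edit the config file and reboot"; return 2 ;;
        *)
            echo "weak: running=$mv_running configured=${mv_config:-unset}"; return 1 ;;
    esac
}

if command -v getenforce >/dev/null 2>&1 && [ -r /etc/selinux/config ]; then
    # Live check on a host that has the SELinux tools installed.
    mode_verdict "$(getenforce)" "$(configured_mode /etc/selinux/config)" || true
else
    # No SELinux tooling here: show the verdict for a constructed case.
    mode_verdict Permissive enforcing || true
fi
```
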
7. When to Use Each Mode (Exam + Practical)
Enforcing Mode
Use when:
- System is in production
- Security must be active
Example:
- Web server restricting unauthorized file access
- SSH access control enforcement
Permissive Mode
Use when:
- Troubleshooting SELinux issues
- Testing new services
Example:
- A service is not starting → check SELinux logs
- Application is being blocked → analyze before enforcing
Disabled Mode
Use when:
- Specifically required (rare cases)
Not recommended for:
- Secure environments
- RHCSA exam tasks (unless explicitly stated)
8. Troubleshooting with Permissive Mode
When a service fails:
Step 1: Switch to permissive
setenforce 0
Step 2: Try the service again
systemctl start httpd
Step 3: Check logs
/var/log/audit/audit.log
Step 4: Fix the issue
Step 5: Re-enable enforcing
setenforce 1
9. Important SELinux Logs
Main log file:
/var/log/audit/audit.log
Contains:
- Denied actions
- Policy violations
10. Key Exam Points (Very Important)
You must remember:
- getenforce → check mode
- sestatus → detailed status
- setenforce 0/1 → temporary change
- /etc/selinux/config → permanent change
- Reboot required for permanent changes
- Enforcing = secure
- Permissive = troubleshooting
11. Common Mistakes to Avoid
- Forgetting to reboot after editing config
- Using setenforce when SELinux is disabled
- Leaving system in permissive mode after testing
- Confusing temporary vs permanent changes
12. Quick Summary
- SELinux has 3 modes: Enforcing, Permissive, Disabled
- Default mode = Enforcing
- Use:
  - getenforce → check mode
  - setenforce → temporary change
  - /etc/selinux/config → permanent change
- Permissive mode is key for troubleshooting
