SELinux (Security-Enhanced Linux) is a security feature included in many Linux distributions, including CentOS, to provide mandatory access controls. If SELinux is disabled or you want to reinstall it on CentOS, you can follow these steps:
1. Check SELinux Status:
Before making changes, check the current status of SELinux:
    sestatus
This command will display whether SELinux is enabled, disabled, or in permissive mode.
2. Enable SELinux (if Disabled):
If SELinux is currently disabled, you can enable it by editing the /etc/selinux/config file:
    sudo nano /etc/selinux/config
Change the SELINUX parameter to enforcing:
    SELINUX=enforcing
Save and close the file.
3. Reinstall SELinux (if Needed):
If SELinux is installed but you want to reinstall it, you can use the following commands:
    sudo yum reinstall selinux-policy selinux-policy-targeted
This will reinstall the SELinux policy and targeted policy packages.
4. Reboot the System:
To apply the changes, reboot your system:
    sudo reboot
5. Verify SELinux Status:
After the system reboots, check the SELinux status again:
    sestatus
Make sure that SELinux is in enforcing mode.
6. Adjust SELinux Policies (Optional):
If you need to adjust SELinux policies for specific applications, you can use the semanage and setsebool commands. For example:
    # Allow Apache to connect to the network
    sudo setsebool -P httpd_can_network_connect 1
    # Allow Nginx to connect to the network
    # (Nginx runs in the same httpd_t domain, so the boolean is the same)
    sudo setsebool -P httpd_can_network_connect 1
7. Troubleshooting:
If you encounter issues with SELinux blocking certain operations, check the audit log for more details:
    sudo ausearch -m avc
This command will display AVC (Access Vector Cache) denials from the audit log.
8. Restore Conventional File Labels (if Needed):
In some cases, you may need to restore conventional file labels if they have been modified. Run the following commands:
    sudo restorecon -Rv /
    sudo touch /.autorelabel
    sudo reboot
This will restore SELinux file labels.
Remember that enabling or reinstalling SELinux may impact the behavior of applications and services. It’s essential to test and validate the configuration in a safe environment before applying changes to a production system.