Setting the SE Linux state
When installing CTE-U on SE (Security Enhanced) Linux with RHEL 9.1, you must set the SE Linux state. SELINUX can be set to any of the following three states:
- Enforcing: SELinux security policy is enforced.
- Permissive: SELinux prints warnings, but does not enforce the security policy.
- Disabled: No SELinux policy is loaded.
Installing CTE-U and Setting the SE Linux State
1. Check if SE Linux is in enforcing mode with the command sestatus.
   Response
2. If it is in enforcing mode, set the state to permissive for installation, type:
3. Install CTE-U and register the client to CipherTrust Manager.
4. Run the following commands, in succession, to add the SELinux policy for CTE-U.
5. Restart the SecFS_fuse service and check the logs for any AVC denials in /var/log/messages. A denial for setattr is expected after adding a policy for vmd. If you see the message "SELinux is preventing" for either of the processes secfs_fuse or vmd, execute the command mentioned in step 4 again.
6. Change the SE Linux status to enforcing once there are no more denials, type:
Note: For more information, see Setting SELinux states and modes.
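One way to run the log check from the procedure above before switching back to enforcing, as an added example that is not part of the CTE-U documentation: it summarizes AVC denials and "SELinux is preventing" messages for secfs_fuse and vmd. The function names and sample log lines are constructed for illustration, and the line formats assumed are the kernel audit and setroubleshoot forms as they appear in syslog.

```shell
#!/bin/sh
# Added example (not vendor code). Summarizes SELinux denials for the two
# CTE-U processes this page names, secfs_fuse and vmd, in a syslog-style file.

# Print "<process> <permissions> <count>" per distinct AVC denial.
cte_avc_summary() {
    awk '
        /avc: +denied/ && match($0, /comm="(secfs_fuse|vmd)"/) {
            comm = substr($0, RSTART + 6, RLENGTH - 7)
            perms = $0
            sub(/.*denied +[{] */, "", perms)   # drop text before the permission set
            sub(/ *[}].*/, "", perms)           # drop text after it
            gsub(/ +/, ",", perms)              # "read write" -> "read,write"
            count[comm " " perms]++
        }
        END { for (k in count) print k, count[k] }
    ' "${1:-/var/log/messages}" | sort
}

# Count setroubleshoot "SELinux is preventing" lines for either process.
cte_preventing_count() {
    grep -Ec 'SELinux is preventing ([^ ]*/)?(secfs_fuse|vmd) ' \
        "${1:-/var/log/messages}" || true
}

# Succeed only when neither kind of denial is present, i.e. the point at
# which the page says to switch back to enforcing.
cte_ready_to_enforce() {
    [ -z "$(cte_avc_summary "$1")" ] && [ "$(cte_preventing_count "$1")" -eq 0 ]
}

# Constructed sample lines (host, pids, inodes and contexts are made up).
cte_sample_log() {
    cat <<'EOF'
Jan 10 10:00:01 host1 kernel: audit: type=1400 audit(1704880801.100:201): avc:  denied  { setattr } for  pid=4120 comm="vmd" name="example" dev="dm-0" ino=1001 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
Jan 10 10:00:02 host1 kernel: audit: type=1400 audit(1704880802.200:202): avc:  denied  { read write } for  pid=4200 comm="secfs_fuse" name="example" dev="dm-0" ino=1002 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=chr_file permissive=1
Jan 10 10:00:02 host1 kernel: audit: type=1400 audit(1704880802.300:203): avc:  denied  { read write } for  pid=4200 comm="secfs_fuse" name="example" dev="dm-0" ino=1002 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=chr_file permissive=1
Jan 10 10:00:03 host1 setroubleshoot[4300]: SELinux is preventing vmd from setattr access on the file example.
Jan 10 10:00:04 host1 kernel: audit: type=1400 audit(1704880804.400:204): avc:  denied  { open } for  pid=4400 comm="httpd" name="example" dev="dm-0" ino=1003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
EOF
}
```

Denials from other processes, such as the httpd line in the sample, are deliberately left out of the summary so the result reflects only the CTE-U policy work.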
Setting the SE Linux Policy Type
The SELINUX TYPE will be one of the following three values:
- Targeted: Targeted processes are protected
- Minimum: Modification of targeted policy. Only selected processes are protected.
- MLS: Multi Level Security protection.
The following file controls the state of SELinux on the system.
- Edit the /etc/selinux/config file to set the SE LINUX TYPE parameter to SELINUXTYPE=targeted.
Disabling SE Linux
In earlier Fedora kernel builds, setting SELINUX to disabled would also fully disable SELinux during the boot stage. If you need a system with SELinux fully disabled, as opposed to a system with SELinux running with no policy loaded, you need to set selinux=0 in the kernel command line. Use the Grubby CLI tool.
To set the bootloader to boot with SE Linux disabled, type:
To revert back to SELinux enabled, type: