Your suggested change has been received. Thank you.

close
Thales Logo
back

CipherTrust Transparent Encryption Installation

Setting the SE Linux state

search

Setting the SE Linux state

When installing CTE-U on SE (Security Enhanced) Linux with RHEL 9.1, you must set the SE Linux state. SELINUX can be set to any of the following three states:

  • Enforcing: SELinux security policy is enforced.

  • Permissive: SELinux prints warnings, but does not enforce the security policy.

  • Disabled: No SELinux policy is loaded.

copy link to clipboardInstalling CTE-U and Setting the SE Linux State

  1. Check if SE Linux is in enforcing mode with the command sestatus.

    [root@localhost ~]# sestatus

    Response

    SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33

  2. If it is in enforcing mode, set the state to permissive for installation, type:

    [root@localhost ~]# setenforce 0

  3. Install CTE-U and register the client to CipherTrust Manager.

  4. Run the following commands, in succession, to add the SELinux policy for CTE-U.

    grep -i "comm=\"secfs_fuse\"" /var/log/audit/audit.log | audit2allow -M secfs_fuse
semodule -i secfs_fuse.pp

grep -i "comm=\"vmd\"" /var/log/audit/audit.log | audit2allow -M vmdpolicy
semodule -i vmdpolicy.pp

  5. Restart the SecFS_fuse service and check the logs for any AVC denials in /var/log/messages.

    A denial for setattr is expected after adding a policy for vmd. If you see the message "SELinux is preventing" to any of the processes "secfs_fuse, vmd". Then execute the command mentioned in step 4 again.

  6. Change the SE Linux status to enforcing once there are no more denials, type:

    # setenforce 1
note

Note

For more information, see Setting SELinux states and modes.

copy link to clipboardSetting the SE Linux Policy Type

The SELINUX TYPE will be one of the following three values:

  • Targeted: Targeted processes are protected

  • Minimum: Modification of targeted policy. Only selected processes are protected.

  • MLS: Multi Level Security protection.

The following file controls the state of SELinux on the system.

/etc/selinux/config
  • Edit the /etc/selinux/config file to set the SE LINUX TYPE parameter to SELINUXTYPE=targeted.

copy link to clipboardDisabling SE Linux

In earlier Fedora kernel builds, setting SELINUX to disabled would also fully disable SELinux during the boot stage. If you need a system with SELinux fully disabled, as opposed to a system with SELinux running with no policy loaded, you need to set selinux=0 in the kernel command line. Use the Grubby CLI tool.

To set the bootloader to boot with SE Linux disabled, type:

grubby --update-kernel ALL --args selinux=0

To revert back to SELinux enabled, type:

grubby --update-kernel ALL --remove-args selinux

On this page