Setting the SELinux state
When installing CTE-U on SELinux (Security-Enhanced Linux) with RHEL 9.1, you must set the SELinux state. SELINUX can be set to any of the following three states:
- Enforcing: the SELinux security policy is enforced.
- Permissive: SELinux logs what the policy would have denied, but does not enforce it.
- Disabled: no SELinux policy is loaded.
Installing CTE-U and Setting the SELinux State
1. Check whether SELinux is in enforcing mode:
   [root@localhost ~]# sestatus
   Response:
   SELinux status:                 enabled
   SELinuxfs mount:                /sys/fs/selinux
   SELinux root directory:         /etc/selinux
   Loaded policy name:             targeted
   Current mode:                   enforcing
   Mode from config file:          enforcing
   Policy MLS status:              enabled
   Policy deny_unknown status:     allowed
   Memory protection checking:     actual (secure)
   Max kernel policy version:      33
2. If it is in enforcing mode, set the state to permissive for the installation:
   [root@localhost ~]# setenforce 0
3. Install CTE-U and register the client to CipherTrust Manager.
4. Run the following commands, in succession, to add the SELinux policy modules for CTE-U. audit2allow reads the AVC denials that were logged for each process while it ran in permissive mode and builds a module that allows exactly those accesses; semodule loads it. Because the module allows everything the log shows as denied for that process name, review the generated secfs_fuse.te and vmdpolicy.te before loading them:
   grep -i "comm=\"secfs_fuse\"" /var/log/audit/audit.log | audit2allow -M secfs_fuse
   semodule -i secfs_fuse.pp
   grep -i "comm=\"vmd\"" /var/log/audit/audit.log | audit2allow -M vmdpolicy
   semodule -i vmdpolicy.pp
5. Restart the SecFS_fuse service and check /var/log/messages for AVC denials. A denial for setattr is expected after adding the policy for vmd. If you see a "SELinux is preventing" message for either of the processes secfs_fuse or vmd, run the commands in step 4 again.
6. Once there are no more denials, change the SELinux state back to enforcing:
   [root@localhost ~]# setenforce 1
   setenforce changes only the running mode. The mode that applies after a reboot is the SELINUX= setting in /etc/selinux/config, reported as "Mode from config file" in the sestatus output above, so confirm it still reads enforcing.
Note
For more information, see Setting SELinux states and modes.
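The loop in steps 4 to 6 (generate modules, restart, look for new denials, repeat) is easy to get wrong by hand, in particular because the audit log still contains the denials from the first run, so checking the whole file never comes up clean. The following script is an added example written for this page; it is not Thales tooling and not part of the CTE-U documentation. It assumes the default audit log path, a systemd unit named secfs_fuse (set SECFS_UNIT to whatever your installation registers), a 10-second settle time after the restart, and the sample audit records at the bottom are constructed, not captured from a real host. The filter that ignores a setattr denial from vmd follows the page's statement that this denial is expected. The real procedure only runs when CTE_SELINUX_APPLY=1 is set, so the file can be sourced safely to try the parser on the sample data.

```shell
#!/bin/sh
# Added example, not Thales tooling: automate steps 4-6 of the CTE-U SELinux procedure and
# decide from the audit log whether another audit2allow pass is needed.
# Assumptions (mine, not from the page): the audit log path, the unit name, the settle
# time, and the sample records in write_sample_log.
AUDIT_LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"
SECFS_UNIT="${SECFS_UNIT:-secfs_fuse}"   # assumed unit name; use the one your install registers

# Print "comm permission" for every AVC denial attributed to a CTE-U daemon.
# Only type=AVC records count: the matching type=SYSCALL records also carry comm="vmd"
# but no permission, so a plain grep on comm= over-counts.
cte_denials() {   # $1 = audit log path
    awk '/type=AVC/ && /denied/ {
        perm = ""; comm = ""
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        if (match($0, /comm="[^"]*"/))  comm = substr($0, RSTART + 6, RLENGTH - 7)
        if (comm == "secfs_fuse" || comm == "vmd") print comm, perm
    }' "$1"
}

# Denials that still call for another pass of step 4. The page says a setattr denial
# from vmd is expected once the vmd policy is loaded, so that one is filtered out.
unexpected_denials() {   # $1 = audit log path
    cte_denials "$1" | grep -v '^vmd setattr$' || true
}

# Exit status 0 when unexpected denials remain, 1 when the log is clean.
needs_another_pass() {   # $1 = audit log path
    [ -n "$(unexpected_denials "$1")" ]
}

# Step 4 as a function (needs root and audit2allow from policycoreutils-python-utils).
build_and_load_module() {   # $1 = comm name, $2 = module name
    grep -i "comm=\"$1\"" "$AUDIT_LOG" | audit2allow -M "$2"
    cat "$2.te"            # review what you are about to allow before loading it
    semodule -i "$2.pp"
}

# Steps 4-6 in a loop. Only records written after each restart are inspected;
# otherwise the denials from the first run would keep the loop going forever.
apply_cte_policy() {
    pass=1
    while [ "$pass" -le 5 ]; do
        build_and_load_module secfs_fuse secfs_fuse
        build_and_load_module vmd vmdpolicy
        mark=$(wc -l < "$AUDIT_LOG" | tr -d ' ')
        systemctl restart "$SECFS_UNIT"
        sleep 10                                   # settle time is a guess; tune it
        tail -n +"$((mark + 1))" "$AUDIT_LOG" > "/tmp/cte_new_avc.$$"
        if ! needs_another_pass "/tmp/cte_new_avc.$$"; then
            rm -f "/tmp/cte_new_avc.$$"
            setenforce 1                           # step 6: back to enforcing
            return 0
        fi
        pass=$((pass + 1))
    done
    echo "denials persist after $((pass - 1)) passes; leaving SELinux permissive" >&2
    return 1
}

# Constructed sample audit records for trying the parser offline (not from a real host).
write_sample_log() {   # $1 = output path
    cat > "$1" <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=2101 comm="secfs_fuse" name="guarded.txt" dev="dm-0" ino=131 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { setattr } for  pid=2102 comm="vmd" name="vmd.log" dev="dm-0" ino=132 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=2102 comm="vmd" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=42 success=yes exit=0 comm="vmd" exe="/usr/bin/vmd" subj=system_u:system_r:unconfined_service_t:s0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { write } for  pid=900 comm="sshd" name="foo" dev="dm-0" ino=9 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
EOF
}

# Run with CTE_SELINUX_APPLY=1 on the CTE-U host to execute the real procedure;
# without it the script only defines the functions.
if [ "${CTE_SELINUX_APPLY:-0}" = "1" ]; then
    apply_cte_policy
fi
```

On the sample data, cte_denials lists three denials (secfs_fuse read, vmd setattr, vmd name_connect), the sshd record is ignored and the SYSCALL record for vmd is not counted twice; unexpected_denials drops the vmd setattr entry, so needs_another_pass reports that step 4 must be repeated. If the loop gives up after five passes it leaves the system permissive and says so, rather than silently enforcing a policy that still blocks the daemons.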
Setting the SELinux Policy Type
The SELINUXTYPE will be one of the following three values:
- Targeted: targeted processes are protected.
- Minimum: a modification of the targeted policy; only selected processes are protected.
- MLS: Multi-Level Security protection.
The following file controls the state of SELinux on the system:
/etc/selinux/config
- Edit the /etc/selinux/config file to set the SELINUXTYPE parameter to SELINUXTYPE=targeted. This is the RHEL 9 default, and the sestatus output above already reports Loaded policy name: targeted. The file is read at boot, so a change to SELINUXTYPE takes effect only after a reboot, and switching between policy types requires a file-system relabel.
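Editing /etc/selinux/config by hand is fine once, but an installation script should do it idempotently and without touching the comment lines, which themselves mention "SELINUX=" and "SELINUXTYPE=" and are easy to mangle with a careless sed. The functions below are an added example for this page, not part of the CTE-U documentation; the config path can be overridden for testing, the sample file written by write_sample_config is a constructed imitation of the real one rather than a copy, and the real file is only modified when CTE_SELINUX_CONFIGURE=1 is set. The example also sets SELINUX=enforcing in the same file, because setenforce 1 in the procedure above changes the running mode only and this file is what applies after a reboot.

```shell
#!/bin/sh
# Added example, not from the CTE-U documentation: read and edit /etc/selinux/config
# idempotently. Assumptions: the config path (overridable), the sample file contents.
SELINUX_CONF="${SELINUX_CONF:-/etc/selinux/config}"

# Print the value of KEY from an uncommented KEY=value line (last such line wins).
# Comment lines are skipped, so "# SELINUXTYPE= can take ..." is never mistaken for a setting.
selinux_config_get() {   # $1 = key, $2 = config file
    awk -F= -v k="$1" '
        $0 !~ /^[[:space:]]*#/ && $1 == k { v = $2 }
        END { print v }' "$2"
}

# Set KEY=VALUE: rewrite every uncommented assignment of KEY in place, or append one.
# Comments and other keys are left untouched, so the file stays readable.
selinux_config_set() {   # $1 = key, $2 = value, $3 = config file
    tmp="$3.tmp.$$"
    awk -F= -v k="$1" -v v="$2" '
        $0 !~ /^[[:space:]]*#/ && $1 == k { print k "=" v; done = 1; next }
        { print }
        END { if (!done) print k "=" v }' "$3" > "$tmp" && mv "$tmp" "$3"
    # The rewritten file is a new inode; give it the label the policy expects for this path.
    if command -v restorecon >/dev/null 2>&1; then restorecon "$3" 2>/dev/null || true; fi
}

# The page's setting (targeted policy) plus a persistent enforcing mode: setenforce 1
# only changes the running mode, this file is what applies after a reboot.
configure_targeted_enforcing() {   # $1 = config file
    selinux_config_set SELINUXTYPE targeted "$1"
    selinux_config_set SELINUX enforcing "$1"
}

# Constructed sample of the config file (comment lines mimic the real one; not a copy).
write_sample_config() {   # $1 = output path
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=minimum
EOF
}

# Run with CTE_SELINUX_CONFIGURE=1 to edit the real file; otherwise only define functions.
if [ "${CTE_SELINUX_CONFIGURE:-0}" = "1" ]; then
    configure_targeted_enforcing "$SELINUX_CONF"
    echo "SELINUXTYPE=$(selinux_config_get SELINUXTYPE "$SELINUX_CONF")"
    echo "SELINUX=$(selinux_config_get SELINUX "$SELINUX_CONF")"
fi
```

On the sample file, configure_targeted_enforcing turns SELINUXTYPE=minimum into SELINUXTYPE=targeted and SELINUX=permissive into SELINUX=enforcing, leaves all nine comment lines as they were, and never produces a second SELINUXTYPE line when run again; a key that is absent is appended at the end.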
Disabling SELinux
In earlier Fedora kernel builds, setting SELINUX=disabled in /etc/selinux/config also fully disabled SELinux during boot. With the RHEL 9 kernel it leaves SELinux enabled with no policy loaded. If you need a system with SELinux fully disabled, as opposed to a system with SELinux running with no policy loaded, set selinux=0 on the kernel command line using the grubby CLI tool; the change takes effect at the next boot. Disabling SELinux removes mandatory access control from CTE-U and from every other service on the host, so keep it enforcing with the policy modules from the steps above unless you have a specific reason not to.
To set the bootloader to boot with SELinux disabled, type:
grubby --update-kernel ALL --args selinux=0
To revert to SELinux enabled, type:
grubby --update-kernel ALL --remove-args selinux