Using setenforce to switch SELinux mode wisely

setenforce is a command line utility that is used to switch the mode SELinux is running in from enforcing to permissive and vice versa without requiring a reboot. Lately, I’ve started experimenting again with SELinux on a live system. The default targeted SELinux policy, as usual, needs some adjustment to work with a custom server configuration. So, I created some custom policy modules and loaded them onto the live system in order to test if my “allow” rules were effective.

In such cases, the system administrator must be wise enough to minimize risk. SELinux is not a forgiving feature. If the custom policy blocks the execution of a software and SELinux is running in enforcing mode, then the software does not run. That’s what SELinux is about after all.

The permissive mode exists mainly for testing. In this mode, the auditing mechanism generates notices (AVC Denials) about the action/event that was blocked, but without actually blocking that action/event. It is just a way to check what would have happened if SELinux had been running in enforcing mode. There are two ways to switch SELinux to permissive mode. One is to configure it through its configuration file (/etc/selinux/config on EL) to start in permissive mode on boot and the other is to use the aforementioned utility, setenforce, to switch modes while the system is live.

When performing tests on a live system, I usually take all precautions to minimize the risk of failure and usually, if possible, I am around to monitor the progress of the test. But, this time I had to use the custom SELinux policy for some days to see if it is actually effective or it needs further fine-tuning.

The Mistake: I used setenforce to set SELinux into permissive mode (/usr/sbin/setenforce 0). setenforce is for temporary changes and it is definitely not suitable for testing the policy for a long period of time. This is because if for any reason the system reboots, SELinux will be set back into the mode that is defined into its configuration file. The mode set by setenforce does not survive a reboot. So, if the custom policy happens to be incomplete, it will block the server’s normal operation after the reboot. And such reboots can happen…

This is exactly what I experienced yesterday. The datacenter on which my virtual server is hosted had problems with its main power supply. This caused one hour of downtime. But G-Loaded’s outage was a lot greater, because my custom SELinux policy was incomplete. SELinux was started in enforcing mode, so my faulty policy blocked my www service.

This should be a lesson to anyone who performs tests on live systems. The Right Thing™ was simple: boot the server into permissive mode and do as many tests as desired. I can blame the datacenter for the one-hour downtime, but for the 7-hour unavailability of G-Loaded I am the only one to blame.

Using setenforce to switch SELinux mode wisely by George Notaras, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Copyright © 2009 - Some Rights Reserved

About George Notaras

George Notaras is the editor of G-Loaded Journal, a technical blog about Free and Open-Source Software. George is a GNU/Linux enthusiast, a self-taught programmer and system administrator. He strongly believes that "knowledge is power" and has created this web site to share the IT knowledge and experience he has gained over the years with other people. George primarily uses CentOS and Fedora and spends some of his spare time developing open-source software. Follow George on Twitter: @gnotaras

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>