====== SELinux ======

===== SELinuxの状態確認 =====
<code>
$ getenforce
Enforcing
</code>

===== SELinuxの状態とポリシーを確認 =====
<code>
$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
</code>

===== SELinuxをパーミッシブモードに変更 =====
 パーミッシブモードはアクセス拒否はしないが、拒否のログを記録するモードである。
<code>
$ sudo setenforce 0
</code>
 エンフォースモードに戻すには 1 を指定する。
<code>
$ sudo setenforce 1
</code>

===== SELinuxを永続的に無効にする =====
<code>
$ sudo vi /etc/selinux/config
</code>
<WRAP prewrap 100% mincode>
<code autoconf>
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# See also:
# https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes
#
# NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also
# fully disable SELinux during boot. If you need a system with SELinux
# fully disabled instead of SELinux running with no policy loaded, you
# need to pass selinux=0 to the kernel command line. You can use grubby
# to persistently set the bootloader to boot with selinux=0:
#
#    grubby --update-kernel ALL --args selinux=0
#
# To revert back to SELinux enabled:
#
#    grubby --update-kernel ALL --remove-args selinux
#
#SELINUX=enforcing
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
</code>
</WRAP>

設定を反映させるためには再起動する必要がある。
<code>
$ sudo reboot
</code>

===== 関連パッケージの削除 =====
CentOS
<code>
$ sudo yum remove selinux-policy selinux-policy-targeted
</code>

CentOS 7
<code>
$ sudo yum remove selinux-policy selinux-policy-targeted
$ sudo yum remove policycoreutils
</code>
※ Gnome デスクトップでは policycoreutils を削除できない。\\

Fedora
<code>
$ sudo dnf remove selinux-policy selinux-policy-targeted \
setroubleshoot setroubleshoot-plugins setroubleshoot-server \
policycoreutils-python
$ sudo dnf remove policycoreutils
</code>
※ Gnome デスクトップでは policycoreutils を削除できない。\\
===== 参考文献 =====
[[http://docs.fedoraproject.org/ja-JP/Fedora/19/html/Security_Guide/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html|9.4.4. SELinux の有効化および無効化]]\\
[[http://docs.fedoraproject.org/ja-JP/Fedora/19/html/Security_Guide/sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html|9.4.4.2. SELinux の無効化]]\\
[[http://docs.fedoraproject.org/ja-JP/Fedora/19/html/Security_Guide/sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html|9.4.5. SELinux モード]]\\