How do I switch between SELinux modes on NSP system components?

Purpose
CAUTION

Potential Security Risk

Enabling SELinux enforcing mode when any AVCs remain unresolved may pose a security risk.

Before you attempt to enable enforcing mode, you must resolve any AVCs associated with the nsp_domain_t domain that are raised during a soak period in permissive mode.

It is strongly recommended that the system run in permissive mode for at least seven days with no nsp_domain_t AVCs on any NSP component.

Perform this procedure to switch between SELinux permissive and enforcing modes on one or more of the following:

  • NSP deployer host

  • NSP cluster nodes

  • NSP Flow Collector Controller

  • NSP Flow Collector

Note: You do not need to stop any NSP processes in order to switch between SELinux modes.

Note: You require root user privileges on a station to switch SELinux modes.

Note: A leading # character in a command line represents the root user prompt, and is not to be included in a typed command.

Note: release-ID in a file path has the following format:

R.r.p-rel.version

where

R.r.p is the NSP release, in the form MAJOR.minor.patch

version is a numeric value

Steps
 

Log in as the root user on the station.


Open a console window.


Enter one of the following, depending on the NSP component type:

  1. NSP deployer host:

    cd /opt/nsp/nsp-k8s-deployer-release-ID/tools/selinux/tools/bin ↵

  2. NSP cluster node:

    cd /opt/nsp/nsp-deployer/tools/selinux/tools/bin ↵

  3. NSP Flow Collector Controller or Flow Collector:

    cd /opt/nsp/tools/selinux/tools/bin ↵


To switch from permissive to enforcing mode, enter the following:

./selinuxenable.sh -e ↵

The following messages are displayed, and the SELinux mode changes to enforcing:

Checking that the required selinux packages are installed.

Required packages installed

selinux currently enabled in permissive mode, change to enforcing mode.


To switch from enforcing to permissive mode, enter the following:

./selinuxenable.sh -p ↵

The following messages are displayed, and the SELinux mode changes to permissive:

Checking that the required selinux packages are installed.

Required packages installed

selinux currently enabled in enforcing mode, change to permissive mode.


Close the console window.

End of steps
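
Example (added here, not part of the NSP tooling): one way to check the soak condition from the caution before running ./selinuxenable.sh -e is to count AVC records that involve nsp_domain_t within the last seven days. The function names, the sample records and the fixed NOW value are assumptions made for illustration; the script also assumes that auditd writes raw records to the default /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example: count nsp_domain_t AVC denials inside the soak window.
SOAK_DAYS=7      # minimum soak period stated in the caution
NOW=1700000000   # fixed "current time" for the constructed sample below

# Constructed sample records in raw audit.log format (not from a real system).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1699827200.101:811): avc:  denied  { read } for  pid=4021 comm="java" name="app.log" scontext=system_u:system_r:nsp_domain_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1699136000.552:120): avc:  denied  { write } for  pid=3990 comm="java" name="tmp" scontext=system_u:system_r:nsp_domain_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1699913600.007:902): avc:  denied  { getattr } for  pid=977 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1699827200.101:811): arch=c000003e syscall=257 success=yes exit=3 pid=4021 comm="java" subj=system_u:system_r:nsp_domain_t:s0
EOF
}

# count_nsp_avcs NOW_EPOCH: read raw audit records on stdin and print how many
# AVC records name nsp_domain_t as source or target within the soak window.
count_nsp_avcs() {
    awk -v now="$1" -v days="$SOAK_DAYS" '
        /type=AVC / && /context=[^ ]*:nsp_domain_t:/ {
            # The record time is the epoch value in msg=audit(EPOCH.millis:serial)
            if (match($0, /audit\([0-9]+/)) {
                ts = substr($0, RSTART + 6, RLENGTH - 6) + 0
                if (ts >= now - days * 86400 && ts <= now) n++
            }
        }
        END { print n + 0 }
    '
}

# soak_clean NOW_EPOCH: succeed only if no nsp_domain_t AVC falls in the window.
soak_clean() {
    [ "$(count_nsp_avcs "$1")" -eq 0 ]
}

# On a live host, replace the sample with the raw audit log, for example:
#   soak_clean "$(date +%s)" < /var/log/audit/audit.log
# (rotated audit.log.N files must be included to cover all seven days).
if sample_log | soak_clean "$NOW"; then
    echo "No nsp_domain_t AVCs in the last $SOAK_DAYS days"
else
    echo "nsp_domain_t AVCs found in the soak window: remain in permissive mode"
fi
```

With the constructed sample, only the first record counts: the second is older than seven days, the third belongs to another domain, and the fourth is not an AVC record.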