Configure SELinux - Part 2

Ensure the SELinux state is enforcing

Overview:

Set SELinux to be enabled when the system is booted.

Why:

SELinux must be enabled at boot time in order to ensure that the controls it provides are in effect at all times.

Audit:

Run the following commands and ensure output matches:

# grep SELINUX=enforcing /etc/selinux/config
SELINUX=enforcing
# sestatus
SELinux status: enabled
Current mode: enforcing
Mode from config file: enforcing

Run the following command and verify that all linux lines include the parameter enforcing=1:

# grep "^\s*linux" /boot/grub/grub.cfg
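The audit steps above can be scripted. The following is an added example, not part of the original page: the function names and the --audit switch are hypothetical, and the checks are deliberately stricter than the grep commands (a commented-out SELINUX=enforcing line does not pass, and enforcing=1 must appear as a whole kernel argument).

```shell
#!/bin/sh
# Added example: audit helpers for the checks in this section. File paths are
# arguments so the functions can be run against copies of the real files.

# Pass only if at least one uncommented SELINUX= line exists and every such
# line is exactly "enforcing" (a commented "# SELINUX=enforcing" does not count).
check_selinux_config() {
    [ -r "$1" ] || return 2
    awk '/^[ \t]*SELINUX=/ {
            n++; v = $0
            sub(/^[ \t]*SELINUX=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (v != "enforcing") bad++
        }
        END { if (n == 0 || bad > 0) exit 1 }' "$1"
}

# Print each kernel line (linux, linux16, linuxefi) that lacks enforcing=1 as a
# whole argument; pass only if kernel lines exist and none were printed.
check_grub_enforcing() {
    [ -r "$1" ] || return 2
    awk '/^[ \t]*linux/ {
            n++; ok = 0
            for (i = 2; i <= NF; i++) if ($i == "enforcing=1") ok = 1
            if (!ok) { bad++; print FILENAME ":" FNR ": " $0 }
        }
        END { if (n == 0 || bad > 0) exit 1 }' "$1"
}

# Read sestatus output on stdin; pass only if all three fields match the audit.
check_sestatus() {
    awk -F':[ \t]*' '
        $1 == "SELinux status"        && $2 == "enabled"   { a = 1 }
        $1 == "Current mode"          && $2 == "enforcing" { b = 1 }
        $1 == "Mode from config file" && $2 == "enforcing" { c = 1 }
        END { if (!(a && b && c)) exit 1 }'
}

# Constructed sample (not from a real host): the second entry lacks enforcing=1.
demo_grub() {
    printf '%s\n' 'menuentry "A" {' \
        '    linux /vmlinuz root=/dev/sda1 ro selinux=1 security=selinux enforcing=1' '}' \
        'menuentry "B (recovery)" {' \
        '    linux /vmlinuz root=/dev/sda1 ro single' '}'
}

if [ "${1:-}" = "--audit" ]; then   # run against the live system
    check_selinux_config /etc/selinux/config || echo "FAIL: /etc/selinux/config"
    check_grub_enforcing /boot/grub/grub.cfg || echo "FAIL: grub.cfg kernel lines"
    sestatus | check_sestatus || echo "FAIL: sestatus"
fi
```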

Fix:

Edit the /etc/selinux/config file to set the SELINUX parameter:

SELINUX=enforcing 

Edit /etc/default/grub and add the following parameters to the GRUB_CMDLINE_LINUX= line:

enforcing=1 

Example:

GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="selinux=1 security=selinux enforcing=1 audit=1"

Run the following command to update the grub2 configuration:

# update-grub