History of SELinux
SELinux was developed by the NSA (National Security Agency) and released under the GPL in 2000. SELinux was finally merged into the Linux kernel (2.6) in 2003. NSA developed SELinux as a set of mandatory access controls for various subsystems of the Linux kernel.
How SELinux Works
SELinux works, in simplest terms, by only allowing users and programs certain permissions. These permissions are different from standard user permissions (such as being able to read, write, or execute a file). SELinux can isolate programs and system servers to the bare minimum of privileges required for the applications/servers to do their jobs. By minimizing the privileges of these applications and servers SELinux minimizes the possible danger any application can inflict upon a system. In most cases this offers up outstanding security. However, for the desktop user, it can also get in the way of the machine functioning fully.
It is important to know how to disable SELinux (both temporarily and permanently). Although SELinux can be a very complex system, with very fine-grain administration, SELinux can also be as simple as “on” or “off.” It is the “on” or “off” that we are focusing on here.
SELinux works, fundamentally, in three ways: Enabled, Disabled, and Permissive. If Enabled, SELinux will prevent certain actions. If Disabled, SELinux will not stop any action. If set to Permissive, SELinux will allow an action but will give you a warning. Let’s take a look at how to set these policies.
There are times when you might want to disable or enable SELinux in order to accomplish certain tasks. SELinux can get in the way of installing applications or, in some instances, running applications. In either case, you might want to disable SELinux or set SELinux to Permissive mode.
You can make these changes temporarily or permanently. A temporary change will last until you change it or reboot the machine. A permanent change will last until you edit the configuration file.
For temporary changes you can issue one of the following commands (as the root user):
To disable SELinux issue the command echo 0 > /etc/selinux/enforce
To enable SELinux issue the command echo 1 > /etc/selinux/enforce
The temporary change will take effect immediately.
To permanently make these changes you will need to edit the /etc/selinux/config file (as the root user). In that file you will add (or edit the line)
and set it to either disabled, enabled, or permissive.
Once you make that change, reboot your machine for it to take effect.
SELinux is a very powerful system that allows yet another layer of security on your machine. Unless you have a need or an issue, it is always best to keep SELinux enabled to ensure maximum security on your Linux desktop.