Security-enhanced Linux (SELinux) is a Linux kernel feature that provides a security policy-based protection mechanism for access control. This topic describes how to enable or disable SELinux and avoid system boot failures.

Prerequisites

An ECS instance is created from an Alibaba Cloud public image or a custom image.

Note If the custom image was created from imported local image files or from a source server migrated through Server Migration Center (SMC), ensure that SELinux is disabled on the source server before the migration.

Background information

Typically, enabling SELinux enhances system security. However, if it is enabled without the required preparation, it can damage files in the operating system and cause system boot failures. If your enterprise or team has high security requirements and SELinux must be enabled on your operating systems, follow the operations in this topic to enable the feature without causing system boot failures. This topic uses CentOS 7.2 64-bit as an example.

Enable SELinux

  1. Remotely connect to an ECS instance as a root user. For more information, see Overview.
  2. Run the following command on an instance to modify the config file of SELinux:
    vi /etc/selinux/config
  3. Find SELINUX=disabled, press the i key to enter edit mode, and then enable SELinux by modifying this parameter.
    SELINUX=disabled

    You can modify the parameter to one of the following modes as needed:

    • SELINUX=enforcing: all actions that violate the security policy are denied.
    • SELINUX=permissive: actions that violate the security policy are allowed but are recorded in the logs.
  4. After the parameter has been modified, press the Esc key and run the :wq command to save and close the file.
    Note You must restart the instance after you modify the config file. However, if you restart the instance directly, the system will fail to start. Therefore, you must create an autorelabel file in the root directory before you restart the system.
  5. Create an autorelabel file. After the instance is restarted, SELinux will automatically relabel all system files.
    touch /.autorelabel
  6. Restart the ECS instance.
    shutdown -r now
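The manual edit in steps 3 to 5 can be scripted. The following shell functions are an added example and are not part of the Alibaba Cloud documentation: they rewrite the SELINUX= line in a config file, reject modes other than the three that SELinux accepts, and create the autorelabel marker only when SELinux is being switched on from a disabled state. The config path and the root directory are parameters (assumed names) so that the functions can be exercised on a copy of the file before they touch the live system.

```shell
#!/bin/sh
# Added example (not from the Alibaba Cloud page): switch the SELinux mode in
# /etc/selinux/config and mark the filesystem for relabeling, as the procedure
# above does by hand. Paths are parameters so the functions can be tried on a
# copy of the config before the live system is changed.

# configured_selinux_mode CONFIG
#   Prints the mode set in CONFIG (the value that takes effect at the next
#   boot, which is not necessarily the running mode).
configured_selinux_mode() {
    # Only an uncommented SELINUX= line counts; the file also contains a
    # commented explanation that mentions the same keyword, and SELINUXTYPE=
    # must not be confused with it.
    sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# set_selinux_mode CONFIG MODE [ROOT]
#   Rewrites the SELINUX= line in CONFIG to MODE. When SELinux was not
#   enabled before (disabled or no value), creates ROOT/.autorelabel so the
#   next boot relabels every file instead of failing on unlabeled files.
#   ROOT defaults to /. Returns 1 on an invalid mode.
set_selinux_mode() {
    config=$1; mode=$2; root=${3:-/}
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $mode" >&2; return 1 ;;
    esac
    old=$(configured_selinux_mode "$config")
    # Rewrite through a temporary file rather than sed -i, which is not
    # portable between GNU and BSD sed.
    if grep -q '^SELINUX=' "$config"; then
        sed "s/^SELINUX=.*/SELINUX=$mode/" "$config" > "$config.tmp" \
            && mv "$config.tmp" "$config"
    else
        printf 'SELINUX=%s\n' "$mode" >> "$config"
    fi
    if [ "$mode" != "disabled" ]; then
        case "$old" in
            enforcing|permissive) ;;            # already labeled, nothing to do
            *) touch "${root%/}/.autorelabel" ;; # was off: relabel on next boot
        esac
    fi
    return 0
}
```

On a live instance the call is set_selinux_mode /etc/selinux/config enforcing, followed by shutdown -r now as in step 6; the relabel marker is created by the function, so the restart does not hit the boot failure described in the note above.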

Check SELinux status

  1. Remotely connect to an ECS instance as a root user. For more information, see Overview.
  2. Run the getenforce command to check the status of SELinux.
    The return value can be enforcing or permissive. The return value in this topic is enforcing.
  3. Run the sestatus command to query more information about SELinux.

    If the SELinux status field in the output is enabled, SELinux is enabled.

Disable SELinux

  1. Remotely connect to an ECS instance as a root user. For more information, see Overview.
  2. Run the getenforce command to check the status of SELinux.
    If the return value is enforcing, SELinux is enabled.
  3. Disable SELinux temporarily or permanently.
    • Run the setenforce 0 command to disable SELinux temporarily, until the next restart.
    • Disable SELinux permanently.
      1. Run the following command to edit the config file of SELinux:
        vi /etc/selinux/config
      2. Find SELINUX=enforcing, press the i key to enter edit mode, and then modify the parameter to SELINUX=disabled.
        SELINUX=enforcing
      3. After that, press the Esc key and run the :wq command to save and close the file.
      4. Restart the ECS instance.
        shutdown -r now
      5. After the instance has been restarted, run the getenforce command to check the status of SELinux. If the return value is disabled, SELinux is disabled.
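The checks in the two procedures above compare two different things: getenforce reports the mode the kernel is running now, while /etc/selinux/config holds the mode that applies after the next restart. A setenforce 0 or an edited config file that has not yet been applied by a reboot makes the two disagree. The following function is an added example, not part of the Alibaba Cloud documentation: it takes the config path and the getenforce output as parameters (assumed names) and classifies the mismatch, so it can be exercised on a constructed config file without SELinux present.

```shell
#!/bin/sh
# Added example (not from the Alibaba Cloud page): compare the mode configured
# in /etc/selinux/config with the mode the kernel is running, so that a
# temporary "setenforce 0" or an edit not yet applied by a reboot is visible.
# The running mode is a parameter (normally "$(getenforce)") so the function
# can be exercised without SELinux.

# selinux_state CONFIG RUNNING
#   Prints one of: consistent, enable-needs-reboot, disable-needs-reboot,
#   runtime-override. Exit status is 0 only when the two modes agree.
selinux_state() {
    config=$1
    running=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    configured=$(sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$config" \
        | tail -n 1 | tr 'A-Z' 'a-z')
    if [ "$running" = "$configured" ]; then
        echo consistent
        return 0
    fi
    case "$running:$configured" in
        disabled:*)
            # SELinux was off at boot. setenforce cannot turn it on; only a
            # restart (with /.autorelabel in place) enables the new setting.
            echo enable-needs-reboot ;;
        *:disabled)
            # Still running with the policy loaded. setenforce 0 only makes it
            # permissive; the configured "disabled" takes effect at next boot.
            echo disable-needs-reboot ;;
        *)
            # enforcing vs permissive: setenforce 0/1 was used, or the config
            # was edited and the instance has not been restarted yet.
            echo runtime-override ;;
    esac
    return 1
}
```

On an instance the call is selinux_state /etc/selinux/config "$(getenforce)"; a non-zero exit status from a host check is a useful signal that an instance is not in the SELinux mode its configuration claims, for example after step 3 of this procedure was done only temporarily with setenforce 0.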

What to do next

You can create a custom image from an ECS instance that has SELinux enabled. Then, you can create more SELinux-enabled instances from this custom image as needed.