Security-enhanced Linux (SELinux) is a Linux kernel feature that provides a security policy-based protection mechanism for access control. This topic describes how to enable or disable SELinux and avoid system boot failures.
Prerequisites
An ECS instance is created from an Alibaba Cloud public image or a custom image.
Background information
Typically, enabling SELinux enhances system security. However, enabling it incorrectly can damage files in the operating system and lead to system boot failures. If your enterprise or team has high security requirements and SELinux must be enabled on your operating systems, you can perform the operations in this topic to enable SELinux without causing system boot failures. In this topic, the CentOS 7.2 64-bit operating system is used.
Enable SELinux
- Connect to an ECS instance. For more information about connection methods, see Connection methods.
- Run the following command on the instance to open the config file of SELinux for editing:
  sudo vi /etc/selinux/config
- Find the line SELINUX=disabled, press the i key to enter edit mode, and enable SELinux by changing this parameter to one of the following modes:
  SELINUX=enforcing: all security policy violations are prohibited.
  SELINUX=permissive: security policy violations are not prohibited, but are recorded in the audit logs.
- Press the Esc key and run the :wq command to save and close the file.
  Note: After you modify the config file, you must restart the instance for the modification to take effect. However, if you restart the instance directly, the system may fail to start, because files created while SELinux was disabled carry no security labels. You must create the .autorelabel file under the root directory before you restart the instance.
- Create the hidden .autorelabel file under the root directory. After the instance is restarted, SELinux automatically relabels all system files and then reboots once more, which can take several minutes on a large file system.
  sudo touch /.autorelabel
- Restart the ECS instance:
  sudo shutdown -r now
Check SELinux status
- Connect to an ECS instance. For more information about connection methods, see Connection methods.
- Run the getenforce command to check the status of SELinux. The return value is Enforcing or Permissive. The return value in this topic is Enforcing.
  getenforce
- Run the sestatus command to query more information about SELinux. If the value of the SELinux status field is enabled, SELinux is enabled.
  sestatus
Disable SELinux
- Connect to an ECS instance. For more information about connection methods, see Connection methods.
- Run the getenforce command to check the status of SELinux. If the return value is Enforcing, SELinux is enabled.
  getenforce
- Disable SELinux temporarily or permanently.
  - To disable SELinux temporarily, run the following command. This switches SELinux to permissive mode until the next restart and does not change the config file.
    setenforce 0
  - To disable SELinux permanently:
    - Run the following command to edit the config file of SELinux:
      sudo vi /etc/selinux/config
    - Find the line SELINUX=enforcing, press the i key to enter edit mode, and change the parameter to SELINUX=disabled.
    - Press the Esc key and run the :wq command to save and close the file.
    - Restart the ECS instance:
      sudo shutdown -r now
    - Run the getenforce command to check the status of SELinux. If the return value is Disabled, SELinux is disabled.
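The config edit from the Enable SELinux and Disable SELinux procedures above, as an added example that is not part of the original topic: a POSIX shell script that rewrites the SELINUX= line idempotently and decides whether the /.autorelabel marker is needed before the reboot. It runs against a constructed scratch copy of a CentOS 7 /etc/selinux/config, and only consults getenforce if that tool is present (it assumes Disabled otherwise).

```shell
#!/bin/sh
# Added example (not from the original page): set SELINUX= in a config file
# and decide whether /.autorelabel is needed before rebooting.
set -eu

# set_selinux_mode CONFIG MODE: rewrite the SELINUX= line (adding it if
# missing) to enforcing, permissive or disabled; reject anything else.
set_selinux_mode() {
  cfg="$1"; mode="$2"
  case "$mode" in
    enforcing|permissive|disabled) ;;
    *) echo "invalid SELINUX mode: $mode" >&2; return 1 ;;
  esac
  if grep -q '^SELINUX=' "$cfg"; then
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  else
    echo "SELINUX=$mode" >> "$cfg"
  fi
}

# get_selinux_mode CONFIG: print the configured mode, ignoring comments.
get_selinux_mode() {
  sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# needs_relabel CONFIG CURRENT: succeed (exit 0) when the configured mode
# switches SELinux on while the running kernel (CURRENT = getenforce output)
# has it Disabled. Files written while SELinux was off carry no labels, which
# is the boot failure the note above warns about; /.autorelabel fixes it.
needs_relabel() {
  wanted=$(get_selinux_mode "$1")
  [ "$2" = Disabled ] && [ "$wanted" != disabled ]
}

# Demo on a constructed copy of a CentOS 7 /etc/selinux/config.
demo() {
  cfg=$(mktemp)
  printf '# This file controls the state of SELinux.\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$cfg"
  set_selinux_mode "$cfg" enforcing
  current=$(getenforce 2>/dev/null || echo Disabled)   # Disabled if tool absent
  if needs_relabel "$cfg" "$current"; then
    echo "new mode $(get_selinux_mode "$cfg"): run 'sudo touch /.autorelabel' before rebooting"
  else
    echo "new mode $(get_selinux_mode "$cfg"): no relabel needed"
  fi
  rm -f "$cfg"
}
demo
```

To apply it to a real instance, point set_selinux_mode at /etc/selinux/config (as root) and create /.autorelabel whenever needs_relabel succeeds, then restart.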
What to do next
You can create a custom image from an ECS instance that has SELinux enabled. Then, you can create more SELinux-enabled instances from this custom image.