Enabling SELinux in Permissive Mode

Overview

Enabling Security-Enhanced Linux (SELinux) in permissive mode on TufinOS will audit all operations that violate your security policies. Permissive mode only logs; it does not enforce.

In TufinOS 4, SELinux is supported from TufinOS 4.30.

Enable SELinux

  1. In the file /etc/selinux/config, add or modify the values as follows:

    SELINUX=permissive
    SELINUXTYPE=targeted
  2. Run the following command to remove selinux=0 for all kernels:

    grubby --remove-args="selinux=0" --update-kernel=ALL
  3. Verify that selinux=0 is removed for all kernels:

    grubby --info=ALL
  4. Run the following command to relabel the file system at system reboot:

    touch /.autorelabel
  5. Reboot the machine:

    reboot
  6. Wait for the file system relabeling to finish. It might take a while.

    [Screenshot: file system relabeling at reboot]

  7. After the machine reboots, run the following command as the root user to check that SELinux is in permissive mode:

    getenforce

    If the procedure was successful, the response will be Permissive. Otherwise, it will be Disabled.
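
As an added example (not part of the original procedure), the script below checks the results of steps 1 to 3 before the relabel and reboot, so a leftover selinux=0 on one boot entry or a mistyped config value is caught before the long relabel. The function names and the `--live` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-reboot checks for steps 1-3. Function names are assumptions.

# Print the value of every uncommented "KEY=" line in an SELinux config file.
# A duplicate assignment yields two lines, so the equality checks in precheck
# fail rather than guess which assignment takes effect.
selinux_cfg_value() {   # $1 = key, $2 = config file
    sed -n "s/^$1=\([^[:space:]#]*\).*/\1/p" "$2"
}

# Read `grubby --info=ALL` output on stdin and print the kernel path of each
# boot entry whose args still carry the exact token selinux=0.
# Exit status is 1 if any such entry exists, 0 otherwise.
kernels_with_selinux_disabled() {
    awk '
        BEGIN      { bad = 0 }
        /^kernel=/ { kernel = substr($0, 8); gsub(/"/, "", kernel) }
        /^args=/   { args = substr($0, 6); gsub(/"/, "", args)
                     n = split(args, tok)
                     for (i = 1; i <= n; i++)
                         if (tok[i] == "selinux=0") { print kernel; bad = 1; break }
                   }
        END        { exit bad }
    '
}

# $1 = config file, $2 = file holding saved `grubby --info=ALL` output
precheck() {
    rc=0
    [ "$(selinux_cfg_value SELINUX "$1")" = "permissive" ] ||
        { echo "SELINUX is not set to permissive exactly once in $1"; rc=1; }
    [ "$(selinux_cfg_value SELINUXTYPE "$1")" = "targeted" ] ||
        { echo "SELINUXTYPE is not set to targeted exactly once in $1"; rc=1; }
    if ! stale=$(kernels_with_selinux_disabled < "$2"); then
        echo "selinux=0 still present for:"; echo "$stale"; rc=1
    fi
    return "$rc"
}

# Check the live system only when invoked with --live (as root, before step 4).
if [ "${1:-}" = "--live" ]; then
    tmp=$(mktemp) || exit 1
    grubby --info=ALL > "$tmp"
    precheck /etc/selinux/config "$tmp"; status=$?
    rm -f "$tmp"
    exit "$status"
fi
```

A non-zero exit status means at least one of steps 1 to 3 has not taken effect; the printed lines say which.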