# SELinux

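Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security mechanism implemented in the kernel. SELinux first appeared in CentOS 4 and was significantly improved in later CentOS releases. These improvements mean that the way to solve problems with SELinux has also changed over time.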

##### Basic commands

To check whether SELinux is enabled:

```
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

# getenforce
Permissive
```

To temporarily set SELinux to Enforcing/Permissive (the setting lasts until the next reboot):

```
# setenforce 1   # Enforcing

# setenforce 0   # Permissive
```

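To change the SELinux mode permanently, edit the file `/etc/selinux/config`. The change takes effect at the next reboot.

```
## Change this line (valid values: enforcing, permissive, disabled)
SELINUX=disabled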
```
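
A check built on the commands above, added here as an example (not part of the original page): it reads `sestatus` output and distinguishes a host that is enforcing only until the next reboot from one whose config file agrees. The function names and return codes are choices made for this example.

```bash
#!/bin/sh
# Added example (not from the original page): classify SELinux state from
# `sestatus` output read on stdin.
# Return codes (chosen for this example):
#   0 = enforcing now and in the config file
#   1 = SELinux not enabled
#   2 = runtime mode is not enforcing (e.g. after `setenforce 0`)
#   3 = enforcing now, but the config file would not keep it after reboot

# Print the value of one "Label:   value" line from sestatus text.
sestatus_field() {  # $1 = label, $2 = sestatus text
    printf '%s\n' "$2" |
        awk -F': *' -v key="$1" '$1 == key { sub(/[ \t\r]+$/, "", $2); print $2; exit }'
}

selinux_audit() {
    text=$(cat)
    status=$(sestatus_field 'SELinux status' "$text")
    current=$(sestatus_field 'Current mode' "$text")
    config=$(sestatus_field 'Mode from config file' "$text")

    if [ "$status" != "enabled" ]; then
        echo "FAIL: SELinux status is ${status:-unknown}"; return 1
    fi
    if [ "$current" != "enforcing" ]; then
        echo "WARN: runtime mode is $current (config file: $config)"; return 2
    fi
    if [ "$config" != "enforcing" ]; then
        echo "WARN: enforcing now, config file says $config; lost at reboot"; return 3
    fi
    echo "OK: enforcing at runtime and in the config file"
}

# Sample input: the sestatus output shown earlier on this page (trimmed).
SAMPLE='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive'

# Demo on the sample; on a live host use: sestatus | selinux_audit
printf '%s\n' "$SAMPLE" | selinux_audit || echo "exit code: $?"
```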

##### Find Files with SELinux Security Context

```bash
# With the find command
find ~/UbuntuMint -type f -context '*httpd_sys_content_t*' -name '*.txt'

# With the ls command
ls -Z | grep 'object_r:user_home_t' | grep '\.txt$'
```

##### Further reading

- [A sysadmin's guide to SELinux: 42 answers to the big questions](https://opensource.com/article/18/7/sysadmin-guide-selinux)
- [CentOS: SELinux](https://wiki.centos.org/zh-tw/HowTos/SELinux)
- [Securing Linux with SELinux (or AppArmor)](https://linuxblog.io/securing-linux-selinux-apparmor/)