Okay, need a little help from the SELinux juggernauts.
I've got my RHEL 8.4 system configured to use an SELinux type of targeted. I've restarted my system several times. However, when I run the sestatus command, I see the following output:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
Why do I see "enabled" on the "Policy MLS status" line?
I also get an output of "1" when I execute the following command:
# cat /sys/fs/selinux/mls
What am I forgetting? What am I missing? What? What? It's things like this that have me using Vidal Sassoon Hair Color.
What does your /etc/sysconfig/selinux file look like?
Maybe SELINUXTYPE=mls is set in the file as opposed to SELINUXTYPE=targeted ... ?
Actually, mine says the same thing even though SELINUXTYPE=targeted is set on my system.
So, your question led me to: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/using-mu...
And, after downloading the doc as a PDF (for easier searching), I found that the answer isn't there, either.
My best guess is that it means that the kernel build supports it, even if it isn't used per the configuration settings.
Anyone else have an idea?
Thanks for weighing in TB. I didn't mention the /etc/selinux/config (same as /etc/sysconfig/selinux) file in my initial post, but I promise you, I examined that bad boy as well. It was because of what I did see in this file that caused the
Just for completeness, here's what the file looks like:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
Thanks for your educated guess. It's more than I had, so maybe I can build on that if I don't receive any definitive response(s) from other members in the community. Hope you're safe and well!!!
That was my sense as well. When examining various SE policies, the :sx part of the policy refers to the MLS security sensitivity element and by default the value is 0 so it is enabled but everything is considered non-sensitive.
Thanks for your input. I'll add your response to the other input that I receive to distil a definite
Hope you're safe and well.
Thanks for your input. I'll take your information, and add it to the other responses. Ultimately, I want to be able to compose a definitive answer.
Thanks again for contributing.
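
The following is an added example, not code from any poster in this thread. It splits the level/range field (the "s0" part mentioned in the replies) out of SELinux security contexts and lists the sensitivities in use; the sample contexts are constructed in the style of a targeted-policy system, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): split the MLS/MCS field out of SELinux
# security contexts. Context format: user:role:type[:range], where
# range = low[-high] and each level = sensitivity[:categories].

# Print the range field of a context, or an empty line if there is none.
ctx_range() {
    rest=${1#*:}          # drop user
    rest=${rest#*:}       # drop role, leaving type[:range]
    case $rest in
        *:*) printf '%s\n' "${rest#*:}" ;;
        *)   printf '\n' ;;
    esac
}

# Print "low_sensitivity high_sensitivity" for a range such as s0-s0:c0.c1023.
range_sensitivities() {
    low=${1%%-*}
    case $1 in
        *-*) high=${1#*-} ;;
        *)   high=$low ;;
    esac
    printf '%s %s\n' "${low%%:*}" "${high%%:*}"
}

# Read contexts on stdin; print the distinct sensitivities seen, sorted.
distinct_sensitivities() {
    while IFS= read -r ctx; do
        r=$(ctx_range "$ctx")
        [ -n "$r" ] || continue
        range_sensitivities "$r" | tr ' ' '\n'
    done | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample contexts in the style of a targeted-policy system.
SAMPLE_CONTEXTS='system_u:system_r:sshd_t:s0-s0:c0.c1023
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
system_u:object_r:etc_t:s0
system_u:system_r:container_t:s0:c123,c456'

sample_report() {
    printf '%s\n' "$SAMPLE_CONTEXTS" | distinct_sensitivities
}

sample_report   # prints: s0 (every label has a level field, all at s0)
```

On a live system, `ctx_range "$(id -Z)"` shows the range field of the current shell's own context.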