2.1.1 Enabling SELinux

You can enable SELinux on Exadata by using the host_access_control utility.

  1. Set the SELinux mode.

    You can configure SELinux to operate in permissive mode or enforcing mode:

    • In permissive mode, SELinux actively monitors the system and records policy violations in the audit logs. However, no actions are blocked in permissive mode.

      To specify permissive mode, use the following command:

      # /opt/oracle.cellos/host_access_control selinux --permissive

      It is strongly recommended that you initially enable SELinux in permissive mode for a period of time, to ensure that the predefined Exadata security policy works in conjunction with all of the applications and procedures at your site.

    • When enforcing mode is enabled, SELinux actively blocks policy violations and records interventions in the audit logs.

      To specify enforcing mode, use the following command:

      # /opt/oracle.cellos/host_access_control selinux --enforcing

  2. Instruct the system to perform relabeling.

    Under SELinux, each file is associated with a context, or security label, that governs its use. When SELinux is first enabled, you must relabel the system to ensure that the files are associated with the appropriate security context.

    The following command instructs the system to perform relabeling:

    # /opt/oracle.cellos/host_access_control selinux --relabel

    The command queues the relabeling by touching the file /.autorelabel. The relabeling itself is not performed immediately; it occurs during the next system reboot.

  3. Reboot the system.

    A system reboot is required to perform relabeling and enable SELinux.
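The following shell script is an added example, not part of the Exadata documentation or of the host_access_control utility. It shows the checks an operator would run between the steps above: which mode is configured to take effect, whether a relabel is still queued (so a reboot is needed), and how many AVC denials the audit log recorded while in permissive mode. It assumes the standard Linux locations /etc/selinux/config, /.autorelabel and /var/log/audit/audit.log, and constructs sample copies of those files so it runs without root or SELinux.

```shell
#!/bin/sh
# Added post-configuration checks for the SELinux procedure above.
# Assumed (not from the Exadata documentation): the standard Linux paths
# /etc/selinux/config, /.autorelabel and /var/log/audit/audit.log.
# Sample files are constructed below so the script runs anywhere.

# Mode that takes effect at boot: prints permissive, enforcing or disabled.
configured_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Is a relabel queued? ("selinux --relabel" touches /.autorelabel; the
# relabel itself only happens during the next reboot.)
relabel_pending() {
    [ -e "$1/.autorelabel" ] && echo yes || echo no
}

# AVC denials recorded in the audit log. In permissive mode these are the
# actions that enforcing mode would block, so review them before switching.
count_avc_denials() {
    grep -c 'type=AVC .*avc:  denied' "$1" 2>/dev/null || true
}

# Turn the three observations into the operator's next step.
advise() {
    mode=$(configured_mode "$1"); denials=$(count_avc_denials "$3")
    if [ "$(relabel_pending "$2")" = yes ]; then
        echo "reboot required: relabel is queued and SELinux is not yet active"
    elif [ "$mode" = permissive ] && [ "$denials" -gt 0 ]; then
        echo "stay permissive: $denials AVC denial(s) need review before --enforcing"
    elif [ "$mode" = permissive ]; then
        echo "no denials recorded: candidate for --enforcing"
    else
        echo "configured mode is $mode"
    fi
}

# Constructed sample data (a permissive config, a queued relabel, two denials).
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
SAMPLE_CONFIG="$WORK/config"; SAMPLE_AUDIT="$WORK/audit.log"
printf 'SELINUX=permissive\nSELINUXTYPE=targeted\n' > "$SAMPLE_CONFIG"
: > "$WORK/.autorelabel"   # what "selinux --relabel" leaves behind
cat > "$SAMPLE_AUDIT" <<'EOF'
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="example" name="data" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
type=USER_LOGIN msg=audit(1700000000.200:457): pid=2345 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" res=success'
type=AVC msg=audit(1700000001.000:458): avc:  denied  { write } for  pid=1234 comm="example" name="data" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
EOF

advise "$SAMPLE_CONFIG" "$WORK" "$SAMPLE_AUDIT"
```

On a real host, pass /etc/selinux/config, / and /var/log/audit/audit.log instead of the sample paths.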