Linux - System Preferences - Configure and Enable SELinux

What the SELinux Configuration Worklet does

This Automox Worklet™ configures Security-Enhanced Linux (SELinux) for optimal security by setting it to enforcing mode with the targeted policy type. The Worklet also verifies that SELinux is not disabled in the GRUB boot configuration.

SELinux provides mandatory access control (MAC) that restricts what processes can do beyond standard Linux permissions. The enforcing mode actively denies unauthorized access attempts, while the targeted policy type focuses protection on network-facing services while allowing most user applications to run normally.

The Worklet modifies /etc/selinux/config to set SELINUX=enforcing and SELINUXTYPE=targeted. It also removes any selinux=0 or enforcing=0 boot parameters from GRUB configuration files.

Why configure SELinux on your endpoints

SELinux provides defense-in-depth by limiting damage from compromised applications. Even if an attacker exploits a vulnerability in a service, SELinux policies prevent lateral movement and privilege escalation beyond the service's allowed operations.

Many compliance frameworks require mandatory access controls on Linux systems. CIS Distribution Independent Linux Benchmark explicitly recommends SELinux in enforcing mode. Organizations subject to PCI-DSS, HIPAA, or SOC 2 often implement SELinux as part of their security baseline.

The Worklet automates SELinux configuration across your fleet, replacing manual endpoint-by-endpoint hardening. Scheduled policy runs maintain compliance by detecting and correcting configuration drift.

How SELinux configuration works

1. Evaluation phase: The Worklet reads /etc/selinux/config to check the SELINUX and SELINUXTYPE settings. It also detects the boot loader (GRUB or GRUB2) and checks for selinux=0 or enforcing=0 parameters in boot configuration. If any check fails, the endpoint is flagged for remediation.

2. Remediation phase: The Worklet removes SELinux disable parameters from GRUB configuration using sed and regenerates the boot configuration with update-grub or grub2-mkconfig. It sets SELINUX=enforcing and SELINUXTYPE=targeted in /etc/selinux/config. A final verification confirms all settings are correct.

SELinux configuration requirements

• Linux distribution with SELinux support (RHEL, CentOS, Fedora, or compatible)

• SELinux configuration file present at /etc/selinux/config

• GRUB or GRUB2 boot loader

• Root or sudo privileges

• Reboot required after changes for full enforcement

Expected SELinux state after configuration

After successful remediation, /etc/selinux/config contains SELINUX=enforcing and SELINUXTYPE=targeted. You can verify the configuration by examining the relevant configuration files. The GRUB configuration no longer contains parameters that disable SELinux at boot time.

The Worklet recommends rebooting the endpoint to fully activate SELinux changes. After reboot, running getenforce returns Enforcing, and running sestatus shows SELinux status as enabled with targeted policy type. Applications running on the endpoint operate under SELinux access controls.

How to validate configure and enable selinux changes

1. Run this Worklet on a pilot Linux endpoint and review evaluation output for configure and enable selinux.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as exit, function, elif.

4. Validate remediation effects from script operations such as exit, function, elif, then rerun evaluation for compliance.

For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for configure and enable selinux. This supports repeatable system preferences workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as exit, function, elif and remediation operations such as exit, function, elif. Use these indicators to verify that endpoint changes match intended policy outcomes.