Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
documentation.suse.com / SUSE Linux Enterprise Micro Documentation / Deployment Guide / Manual installation / Installation steps
Applies to SUSE Linux Enterprise Micro 5.4

12 Installation steps

This chapter describes the procedure in which the data for SUSE Linux Enterprise Micro is copied to the target device. Some basic configuration parameters for the newly installed system are set during the procedure. A graphical user interface will guide you through the installation. The text-mode installation has the same steps but looks different. For information about performing non-interactive automated installations, see AutoYaST Guide.

If you are a first-time user of SUSE Linux Enterprise Micro, you should follow the default YaST proposals in most parts, but you can also adjust the settings as described here to fine-tune your system according to your preferences. Help for each installation step is provided by clicking Help.

Tip
Tip: Installation without a mouse

If the installer does not detect your mouse correctly, use →| for navigation, arrow keys to scroll, and Enter to confirm a selection. Various buttons or selection fields contain a letter with an underscore. Use AltLetter to select a button or a selection directly instead of navigating there with →|.

12.1 Overview

This section provides an overview of all installation steps. Each step contains a link to a more detailed description.

  1. At first, YaST performs network configuration. For details, refer to Section 12.2, “Network settings”.

  2. The actual installation starts with language and keyboard selection and the license agreement. For details, refer to Section 12.3, “Language, Keyboard, and License Agreement”.

  3. Accept the license agreement to proceed to the next step.

  4. IBM Z machines need to activate disks. For details, see Section 12.4, “IBM Z: disk activation”.

  5. Register your system. For details, refer to Section 12.5, “Registration”.

  6. Install available extensions. For details, refer to Section 12.6, “Extension and Module Selection”

  7. Configure NTP servers as described in Section 12.7, “NTP Configuration”.

  8. Set a password for the system administrator root. For details, refer to Section 12.8, “Authentication for the System Administrator root.

  9. The last installation step is an overview of all installation settings. For details, refer to Section 12.9, “Installation Settings”.

12.2 Network settings

After booting into the installation, the installation routine is set up. During this setup, an attempt to configure at least one network interface with DHCP is made. In case this attempt has failed, the Network Settings dialog launches now.

Network settings
Figure 12.1: Network settings

Choose a network interface from the list and click Edit to change its settings. Use the tabs to configure DNS and routing. On IBM Z this dialog does not start automatically. It can be started in the Disk Activation step.

In case DHCP was successfully configured during installation setup, you can also access this dialog by clicking Network Configuration at the SUSE Customer Center Registration and the Installation Settings step. It lets you change the automatically provided settings.

Note
Note: Network configuration with boot parameters

If at least one network interface has been configured via boot parameters (see Section 11.3.2, “Configuring the network interface”), automatic DHCP configuration is disabled and the boot parameter configuration is imported and used.

Tip
Tip: Accessing network storage or local RAID

To access a SAN or a local RAID during the installation, you can use the libstorage command line client for this purpose:

  1. Switch to a console with CtrlAltF2.

  2. Install the libstoragemgmt extension by running extend libstoragemgmt.

  3. Now you have access to the lsmcli command. For more information, run lsmcli --help.

  4. To return to the installer, press AltF7

Supported are Netapp Ontap, all SMI-S compatible SAN providers, and LSI MegaRAID.

12.3 Language, Keyboard, and License Agreement

License agreement
Figure 12.2: License agreement

The Language and Keyboard Layout settings are initialized with the language you chose on the boot screen. If you did not change the default, it will be English (US). Change the settings here, if necessary.

Changing the language will automatically preselect a corresponding keyboard layout. Override this proposal by selecting a different keyboard layout from the drop-down box. Use the Keyboard Test text box to test the layout. The language selected here is also used to assume a time zone for the system clock.

By clicking Release notes you can access the SLE Micro release notes in English.

Read the License Agreement. It is presented in the language you have chosen on the boot screen. Translations are available via the License Translations › Language drop-down box. If you agree to the terms, check I Agree to the License Terms and click Next to proceed with the installation. If you do not agree to the license agreement, you cannot install SUSE Linux Enterprise Micro. Click Abort to terminate the installation.

12.4 IBM Z: disk activation

When installing on IBM Z platforms, the language selection dialog is followed by a dialog to configure the attached hard disks.

Disk activation
Figure 12.3: Disk activation

Select DASD, Fibre Channel Attached SCSI Disks (zFCP), or iSCSI for installation of SUSE Linux Enterprise Micro. The DASD and zFCP configuration buttons are only available if the corresponding devices are attached.

You can also change the Network Configuration in this screen by launching the Network Settings dialog. Choose a network interface from the list and click Edit to change its settings. Use the tabs to configure DNS and routing.

12.4.1 Configuring DASD disks

Skip this step if you are not installing on IBM Z hardware.

DASD disk management
Figure 12.4: DASD disk management

After selecting Configure DASD Disks, an overview lists all available DASDs. To get a clearer picture of the available devices, use the text box located above the list to specify a range of channels to display. To filter the list according to such a range, select Filter.

Specify the DASDs to use for the installation by selecting the corresponding entries in the list. Use Select All to select all DASDs currently displayed. Activate and make the selected DASDs available for the installation by selecting Perform Action › Activate. To format the DASDs, select Perform Action › Format.

12.4.2 Configuring zFCP disks

Skip this step if you are not installing on IBM Z hardware.

Configured zFCP Devices
Figure 12.5: Configured zFCP Devices

After selecting Configure zFCP Disks, a dialog with a list of the zFCP disks available on the system opens. In this dialog, select Add to open another dialog in which to enter zFCP parameters.

To make a zFCP disk available for the SUSE Linux Enterprise Micro installation, choose an available Channel Number from the drop-down box. Get WWPNs (World Wide Port Number) and Get LUNs (Logical Unit Number) return lists with available WWPNs and FCP-LUNs, respectively, to choose from. Automatic LUN scanning only works with NPIV enabled.

When completed, exit the zFCP dialog with Next and the general hard disk configuration dialog with Finish to continue with the rest of the configuration.

12.5 Registration

Registration
Figure 12.6: Registration

To get technical support and product updates, you need to register and activate SUSE Linux Enterprise Micro with the SUSE Customer Center or a local registration server. Registering your product at this stage also grants you immediate access to the update repository. This enables you to install the system with the latest updates and patches available.

From this dialog, you can switch to the YaST Network Settings module by clicking Network Configuration.For details, see Section 12.2, “Network settings”.

The dialog offers the following possibilities, each described further:

Register system via scc.suse.com

To register with the SUSE Customer Center, enter the E-mail Address associated with your SCC account and the Registration Code for SUSE Linux Enterprise Micro. Proceed with Next.

Register system via local RMT server

If your organization provides a local registration server, you may alternatively register there. Activate Register System via local RMT Server and either choose a URL from the drop-down box or type in an address. Proceed with Next.

Skip registration

If you want to skip registration or you are offline, click Skip Registration. Accept the warning with OK and proceed with Next.

Important
Important: Skipping registration

Your system needs to be registered in order to retrieve updates and to be eligible for support. You can register later, after the installation by using SUSEConnect, for details, see Section 10.1, “Registration”.

Tip
Tip: Installing product patches at installation time

After SUSE Linux Enterprise Micro has been successfully registered, you are asked whether to install the latest available online updates during the installation. If choosing Yes, the system will be installed with the most current packages without having to apply the updates after installation. Activating this option is recommended.

If the system was successfully registered during installation, YaST will disable repositories from local installation media such as CD/DVD or flash disks when the installation has been completed. This prevents problems if the installation source is no longer available and ensures that you always get the latest updates from the online repositories.

12.5.1 Loading registration codes from USB storage

To make the registration more convenient, you can also store your registration codes on a USB storage device such as a flash disk. YaST will automatically pre-fill the corresponding text box. This is particularly useful when testing the installation or if you need to register many systems or extensions.

Create a file named regcodes.txt or regcodes.xml on the USB disk. If both are present, the XML takes precedence.

In that file, identify the product with the name returned by zypper search --type product and assign it a registration code as follows:

Example 12.1: regcodes.txt
SLEMicro    cc36aae1
Example 12.2: regcodes.xml
<?xml version="1.0"?>
<profile xmlns="http://www.suse.com/1.0/yast2ns"
 xmlns:config="http://www.suse.com/1.0/configns">
  <suse_register>
    <addons config:type="list">
      <addon>
<name>SLEMicro</name>
<reg_code>cc36aae1</reg_code>
      </addon>
     </addons>
  </suse_register>
</profile>
Note
Note: Limitations

Currently flash disks are only scanned during installation or upgrade, but not when registering a running system.

12.6 Extension and Module Selection

Extensions
Figure 12.7: Extensions

SLE Micro currently offers the following extensions:

SUSE Linux Enterprise Live Patching

extension that enables you to apply critical patches without rebooting your system. Bear in mind that you might need an additional subscription on top of the subscription for SLE Micro.

If you enabled the SUSE Linux Enterprise Live Patching extension, you need to configure your system as described in Procedure 10.2, “Completing activation of the SUSE Linux Enterprise Live Patching.

Note
Note: Availability of the SUSE Linux Enterprise Live Patching extension

The SUSE Linux Enterprise Live Patching extension is available only for the x86 (except for the real-time kernel) and IBM Z architectures.

SUSE Package Hub

A free module that provides access to community-maintained packages. Packages in the Package Hub are approved by SUSE for use on SUSE Linux Enterprise Server, thus the packages might not be installable on SLE Micro.

To enable a module, click the corresponding checkbox and then Next to proceed.

12.7 NTP Configuration

NTP configuration
Figure 12.8: NTP configuration

In order to keep time on your system properly synchronized, configure at least one NTP server. You can enter more NTP servers as a comma or space separated list.

12.8 Authentication for the System Administrator root

Authentication for root
Figure 12.9: Authentication for root

Configure a strong password for root. If your root password is randomly generated, use at least 10 characters. If you set your root password manually, use a longer password that includes a combination of uppercase and lowercase letters and numbers. The maximum length for passwords is 72 characters, and passwords are case-sensitive.

If you want to access the system remotely via SSH using a public key, import a key from a removable storage device or an existing partition. To do so click Browse and select the public SSH key.

Click Next to proceed to the next installation step.

12.9 Installation Settings

Installation Settings
Figure 12.10: Installation Settings

To access a particular setting, click the respective heading. Or some options can be directly changed on the screen by clicking the button next to the option.

12.9.1 Partitioning

Suggested partitioning
Figure 12.11: Suggested partitioning
Warning
Warning: The use of Btrfs and snapshots is mandatory.

SLE Micro requires Btrfs on the root partition with snapshots and Snapper enabled. Snapper is enabled by default—do not disable it afterwards.

Custom partitioning on UEFI machines

A UEFI machine requires an EFI system partition that must be mounted to /boot/efi. This partition must be formatted with the FAT32 file system.

If an EFI system partition is already present on your system (for example from a previous Windows installation) use it by mounting it to /boot/efi without formatting it.

If no EFI system partition is present on your UEFI machine, make sure to create it. The EFI system partition must be a physical partition or RAID 1. Other RAID levels, LVM and other technologies are not supported. It needs to be formatted with the FAT32 file system.

Custom partitioning and Snapper

If the root partition is larger than 12 GB, SUSE Linux Enterprise Micro by default enables file system snapshots. It is not recommended to use the root partition smaller than 12 GB, because it might cause issues when running SLE Micro.

SUSE Linux Enterprise Micro uses Snapper together with Btrfs for this feature. Btrfs needs to be set up with snapshots enabled for the root partition.

Being able to create system snapshots that enable rollbacks requires important system directories to be mounted on a single partition, for example /usr. Only directories that are excluded from snapshots may reside on separate partitions, for example /usr/local, /var, and /tmp.

The installer will automatically create single snapshots during and immediately after the installation.

Important
Important: Btrfs snapshots and root partition size

Snapshots may take considerable storage space. Generally, the older a snapshot is or the larger the change set it covers, the more storage space the snapshot takes. And the more snapshots you keep, the more disk space you need.

To prevent the root partition running full with snapshot data, you need to make sure it is big enough. In case you do frequent updates or other installations, consider at least 40 GB for the root partition.

Btrfs data volumes

Using Btrfs for data volumes is supported on SUSE Linux Enterprise Micro 5.4. For applications that require Btrfs as a data volume, consider creating a separate file system with quota groups disabled. This is already the default for non-root file systems.

Btrfs on an encrypted root partition

The default partitioning setup suggests formatting the root partition to Btrfs. To encrypt the root partition, make sure to use the GPT partition table type instead of the MSDOS type. Otherwise the GRUB2 boot loader may not have enough space for the second stage loader.

IBM Z: Using minidisks in z/VM

If SUSE Linux Enterprise Micro is installed on minidisks in z/VM, which reside on the same physical disk, the access path of the minidisks (/dev/disk/by-id/) is not unique. This is because it represents the ID of the physical disk. If two or more minidisks are on the same physical disk, they all have the same ID.

To avoid problems when mounting minidisks, always mount them either by path or by UUID.

IBM Z: LVM root file system

If you configure the system with a root file system on LVM or software RAID array, you must place /boot on a separate, non-LVM or non-RAID partition, otherwise the system will fail to boot. The recommended size for such a partition is 500 MB and the recommended file system is Ext4.

Supported software RAID volumes

Installing to and booting from existing software RAID volumes is supported for Disk Data Format (DDF) volumes and Intel Matrix Storage Manager (IMSM) volumes. IMSM is also known by the following names:

Mount points for FCoE and iSCSI devices

FCoE and iSCSI devices will appear asynchronously during the boot process. While the initrd guarantees that those devices are set up correctly for the root file system, there are no such guarantees for any other file systems or mount points like /usr. Hence any system mount points like /usr or /var are not supported. To use those devices, ensure correct synchronization of the respective services and devices.

In case you need to adjust the partitioning scheme, click the Partitioning menu to open the Suggested partitioning dialog box.

The installer creates a proposal for one of the available disks containing a root partition formatted with Btrfs and a swap partition. If one or more swap partitions have been detected on the available hard disks, these partitions will be used. You have several options to proceed:

Accept

Click Accept to accept the proposal without any changes and return to the Installation Settings screen.

Guided setup

To adjust the proposal, choose Guided Setup. First, choose which hard disks and partitions to use. In the Partitioning Scheme screen, you can enable Logical Volume Management (LVM) and activate disk encryption. Afterward specify the Filesystem Options. You can adjust the file system for the root partition and create a separate home and swap partitions. If you plan to suspend your machine, make sure to create a separate swap partition and check Enlarge to RAM Size for Suspend. If the root file system format is Btrfs, you can also enable or disable Btrfs snapshots here.

Expert Partitioner

To create a custom partition setup, click Expert Partitioner. Select either Start with Current Proposal if you want start with the suggested disk layout, or Start with Existing Partitions to ignore the suggested layout and start with the existing layout on the disk. For details, refer to Section 12.9.1.1, “Expert Partitioner”.

12.9.1.1 Expert Partitioner

Expert Partitioner
Figure 12.12: Expert Partitioner

Expert partitioner enables you to set up logical volume management (LVM), configure software RAID and device mapping (DM), encrypt partitions, mount NFS shares and manage tmpfs volumes. To fine-tune settings such as the subvolume and snapshot handling for each Btrfs partition, choose Btrfs.

All existing or suggested partitions on all connected hard disks are displayed in the left part of the Expert Partitioner dialog. Entire hard disks are listed as devices without numbers, such as /dev/sda (or /dev/dasda). Partitions are listed as parts of these devices, such as /dev/sda1 (or /dev/dasda1, respectively). The size, type, encryption status, file system, and mount point of the hard disks and their partitions are also displayed. The mount point describes where the partition appears in the Linux file system tree.

12.9.1.1.1 Partition tables

SUSE Linux Enterprise Micro allows to use and create different partition tables. In some cases the partition table is called disk label. The partition table is important to the boot process of your computer. To boot your machine from a partition in a newly created partition table, make sure that the table format is supported by the firmware.

To change the partition table, click the relevant disk name in the left part and choose Device › Create New Partition Table. You can create the following partition tables:

Master boot record

The master boot record (MBR) is the legacy partition table used on IBM PCs. It is sometimes also called an MS-DOS partition table. The MBR only supports four primary partitions. If the disk already has an MBR, SUSE Linux Enterprise Micro allows you to create additional partitions in it which can be used as the installation target.

The limit of four partitions can be overcome by creating an extended partition. The extended partition itself is a primary partition and can contain more logical partitions.

GPT partition table

UEFI computers use a GUID Partition Table (GPT) by default. SUSE Linux Enterprise Micro will create a GPT on a disk if no other partition table exists.

Old BIOS firmware does not support booting from GPT partitions.

You need a GPT partition table to use more than four primary partitions, UEFI Secure Boot or use disks larger than 2 TB.

12.9.1.1.2 Creating partitions

The expert partitioner enables you to add partitions. Bear in mind that the root file system must be formatted to Btrfs and snapshots must be enabled.

The procedure below creates a Btrfs partition with enabled snapshots.

  1. Select the desired hard disk in the left part and click Add Partition.

  2. Define size of the partition or define the region of disk for the partition. Proceed with Next

    Image
  3. Select a role:

    Image
  4. Format and mount the partition as needed and proceed with Next:

    Image
  5. (Optional) If you chose to encrypt the partition, enter the encryption password and complete the process with Next:

    Image
12.9.1.1.3 Creating volume groups

To create a volume group follow these steps:

Procedure 12.1: Creating volume groups
  1. Create partitions with the following attributes:

    • the partitions are not mounted

    • PartitionID is Linux LVM

  2. Click LVM Volume Groups › Add Volume Group

  3. Select partitions to be added to the volume group and click Add. Name the volume group, select the Physical Extent Size and click Next to proceed further.

    Image
12.9.1.1.4 Creating RAIDs

SLE Micro supports the following RAID levels: 0, 1, 5, 6 and 10. To create a RAID follow proceed as follows:

Procedure 12.2: Creating RAID
  1. Create partitions (the count of partitions depend on the RAID level) with these parameters:

    • The partitions have the Raw Volume role assigned.

    • The partitions are not formatted to any file system.

    • The partitions are not mounted.

    • The partitions have the Linux RAID PartitionID.

  2. Click RAID in the left pane and then click Add RAID. The Add RAID dialog box opens.

  3. Choose the partitions and add them to the RAID. Select RAID level and optionally you can name the RAID. Proceed with Next.

    Image
  4. Select the Chunk Size. The default value is usually sufficient. Click Next.

  5. In the Device Overview select the created RAID and click Edit.

  6. Select a role of the RAID and click Next.

  7. Format and mount the device and optionally you can select that the RAID will be encrypted.

12.9.2 Software

Software configuration
Figure 12.13: Software configuration

SUSE Linux Enterprise Micro contains several software patterns for various application purposes. Click Software to open the Software Selection and System Tasks screen where you can modify the pattern selection according to your needs. Select a pattern from the list and see a description in the right-hand part of the window.

In this menu you can select the Web based remote system managment pattern that will install Cockpit system. Cockpit is a web monitoring tool that enables you to administer your system. For details, refer to Section 2, “Getting Cockpit”.

Here you can also select the KVM Virtualization Host pattern to install packages required to run SLE Micro as a KVM host server (Xen is not supported). However, you should consider the limitations of SLE Micro running as a KVM host server; for details, refer to virtualization limits and support.

Each pattern contains several software packages needed for specific functions (for example Podman). For a more detailed selection based on software packages to install, select Details to switch to the YaST Software Manager.

12.9.3 Timezone

Time zone configuration
Figure 12.14: Time zone configuration

By default, the time is synchronized by using the NTP servers you provided in the previous steps of the installation procedure. You can select the region and time zone either by clicking a particular place on the map or by selecting a region and time zone in the drop-down menus.

Important
Important: Set the hardware clock to UTC

The switch from standard time to daylight saving time (and vice versa) can only be performed automatically when the hardware clock (CMOS clock) is set to UTC. This also applies if you use automatic time synchronization with NTP, because automatic synchronization will only be performed if the time difference between the hardware and system clock is less than 15 minutes.

Since a wrong system time can cause serious problems, it is strongly recommended to always set the hardware clock to UTC.

The button Other settings enables you to set the date and time manually or configure NTP servers synchronization.

If you want to set the time and date manually, click the Other settings button and select Manually.

Note
Note: Time cannot be changed on IBM Z

Since the operating system is not allowed to change time and date directly, the Other Settings option is not available on IBM Z.

12.9.4 Network Configuration

Network is automatically configured at the beginning of the installation process, but if it is necessary you can change the configuration by clicking Network Configuration. A dialog box opens, for details refer to Section 12.2, “Network settings”.

SLE Micro uses NetworkManager by default, but you can switch to wicked by clicking switch to wicked. Bear in mind that after the installation is complete, you cannot switch the network managing service to NetworkManager.

12.9.5 Booting

Booting
Figure 12.15: Booting

The installer proposes a boot configuration for your system. Other operating systems found on your computer, such as Microsoft Windows or other Linux installations, will automatically be detected and added to the boot loader. However, SUSE Linux Enterprise Micro will be booted by default. Normally, you can leave these settings unchanged. If you need a custom setup, modify the proposal according to your needs.

Important
Important: Software RAID 1

Booting a configuration where /boot resides on a software RAID 1 device is supported, but it requires installing the boot loader into the MBR (Boot Loader Location › Boot from Master Boot Record). Having /boot on software RAID devices with a level other than RAID 1 is not supported.

12.9.6 Kdump

Kdump configuration
Figure 12.16: Kdump configuration

Using Kdump, you can save a dump of the kernel (in case of a crash) to analyze what went wrong. By default, Kdump is enabled. By clicking Kdump you open a dialog box for configuring Kdump.

Start-Up

Here you can disable Kdump and configure the amount of memory reserved for Kdump. Usually you do not have to change the prefilled values.

Dump Filtering

Dump filtering enables you to select which pages will be included in the Kdump, and to define the format of of Kdump.

Dump Target

You can select a local directory or you can save KDump to a remote location. If you prefer a remote location, you also need to configure connection details according to the respective protocol.

Email Notifications

To receive email notifications if an event occurs, specify an email address.

Expert Settings

This option enables you to define command-line parameters, custom kernel dump and other advanced settings related to Kdump.

12.9.7 System

System overview
Figure 12.17: System overview

This screen lists all the hardware information the installer could obtain about your computer. When opened for the first time, the hardware detection is started. Depending on your system, this may take some time. Select any item in the list and click Details to see detailed information about the selected item. Use Save to File to save a detailed list to either the local file system or a removable device.

Advanced users can also change the PCI ID Setup and kernel settings by choosing Kernel Settings. A screen with two tabs opens:

PCI ID setup

Each kernel driver contains a list of device IDs of all devices it supports. If a new device is not in any driver's database, the device is treated as unsupported, even if it can be used with an existing driver. You can add PCI IDs to a device driver here. Only advanced users should attempt to do so.

To add an ID, click Add and select whether to Manually enter the data, or whether to choose from a list. Enter the required data. The SysFS Dir is the directory name from /sys/bus/pci/drivers—if empty, the driver name is used as the directory name. Existing entries can be managed with Edit and Delete.

Kernel settings

Activating the Enable SysRq Keys item, will let you issue basic commands (such as rebooting the system or writing kernel dumps) in case the system crashes. Enabling these keys is recommended when doing kernel development. Refer to https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html for details.

12.9.8 Security

Security configuration
Figure 12.18: Security configuration
Important
Important: Do not use firewall along with Podman

Using firewall along with Podman may result in missing Podman-related firewall rules after reloading the firewalld service. Therefore, it is recommended to keep the firewall in its default setting (disabled) if you intend to use Podman.

You can enable the firewall or disable the SSH service directly by clicking the respective button. Clicking on the button next to CPU mitigations opens the Boot Loader Settings dialog box, where you can change kernel parameters including the CPU mitigations configuration.

The CPU Mitigations refer to kernel boot command line parameters for software mitigations that have been deployed to prevent CPU side-channel attacks. You can configure the following values:

Auto

All CPU side channel mitigations are enabled as they are detected based on the CPU type. The auto-detection handles both unaffected older CPUs and unaffected newly released CPUs and transparently disables mitigations. This options leave SMT enabled.

Off

All CPU side channel mitigations are disabled. While this option gives the higher performance, it also bears the highest risk. Do not use this setting where there is a risk of untrusted code.

Auto + No Smt

All CPU side channel mitigations are enabled as they are detected based on the CPU type. Additionally the symmetric multi-threading of the CPU is disabled if necessary, for instance to mitigate the L1 Terminal Fault side channel issue.

Manually

CPU mitigations are detected manually.

By default, the firewall is disabled. Click enable to change the default.

The SSH service is enabled by default. Click disable to change the setting. If you disable the SSH service, you will not be able to login to your system remotely. The SSH port (22) is open by default.

The default SELinux option is enforcing. You can change the value by clicking Security and selecting another option in the Mode menu.

In the Security dialog box, you can also select PolicyKit privileges in the PolicyKit Default Privilegs dropdown menu.