Turning off or disabling SELinux
SELinux is a set of extra security restrictions on top of the normal Linux security tools. It gives the systems administrator a finer grain of control than what the kernel typically provides.
But SELINUX can sometimes get in your way. For example, I have had typical services, such as Apache, appear to start up correctly, but remain inaccessible from the outside world because I forgot to allow the apache user rights to open that port or maybe my distro forgot about it. Before you turn off SELinux make sure you know why you are turning it off and the security concerns you might be opening yourself up to.
Test if SELinux is running
You can test to see if SELinux is currently enabled with the following command:
selinuxenabled && echo enabled || echo disabled
Turning off SELinux temporarily
Disabling SELinux temporarily is the easiest way to determine if the problem you are experiencing is related to your SELinux settings. To turn it off, you will need to become the root users on your system and execute the following command:
echo 0 > /selinux/enforce
This temporarily turns off SELinux until it is either re-enabled or the system is rebooted. To turn it back on you simply execute this command:
echo 1 > /selinux/enforce
As you can see from these commands what you are doing is setting the file /selinux/enforce to either '1' or '0' to denote 'true' and 'false'.
Configuring SELinux to log warnings instead of block
You can also configure SELinux to give you a warning message instead of actually prohibiting the action. This known as permissive mode. To change SELinux's behavior to permissive mode you need to edit the configuration file. On Fedora and RHEL systems that file is located at /etc/selinux/config. You need to change the SELINUX option to permissive like so:
SELINUX=permissive
Note that these changes will not take effect until the system is rebooted, which is why the first section comes in handy on a system you either cannot or do not want to reboot right now.
Completely turning off SELinux
To completely disable SELinux instead of setting the configuration file to permissive mode you set it to disabled like:
SELINUX=disabled
You will need to reboot your system or temporarily set SELinux to non-enforcing mode to create the desired effect like the example above.
--------------------------------------------------------------------------------------------------------
Disabling SELinux
1) Configure SELINUX=disabled in the /etc/selinux/config file:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
2)Reboot your system. After reboot, confirm that the getenforce command returns Disabled:
~]~ getenforce
Disabled
-------------------------------------------------------------------------------------------------------------
Viewing the Status of SELinux
The sestatus command provides a configurable view into the status of SELinux. The simplest form of this command shows the following information:
[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
The -v option includes information about the security contexts of a series of files that are specified in /etc/sestatus.conf:
[root@localhost ~]# sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
Process contexts:
Current context: user_u:system_r:unconfined_t
Init context: system_u:system_r:init_t
/sbin/mingetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:unconfined_t:s0-s0:c0.c1023
The -b displays the current state of booleans. You can use this in combination with grep or other tools to determine the status of particular booleans:
[root@host2a ~]# sestatus -b | grep httpd | grep on$
httpd_builtin_scripting on
httpd_disable_trans on
httpd_enable_cgi on
httpd_enable_homedirs on
httpd_unified on
--------------------------------------------------------------------------------------------------------------
Enable or Disable SELinux
From the command line, you can edit the /etc/sysconfig/selinux file. This file is a symlink to /etc/selinux/config. The configuration file is self-explanatory. Changing the value of SELINUX or SELINUXTYPE changes the state of SELinux and the name of the policy to be used the next time the system boots.
[root@host2a ~]# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
Changing the Mode of SELinux Using the GUI
Use the following procedure to change the mode of SELinux using the GUI.
Note
You need administrator privileges to perform this procedure.
On the System menu, point to Administration and then click Security Level and Firewall to display the Security Level Configuration dialog box.
Click the SELinux tab.
In the SELinux Setting select either Disabled, Enforcing or Permissive, and then click OK.
If you changed from Enabled to Disabled or vice versa, you need to restart the machine for the change to take effect.
Changes made using this dialog box are immediately reflected in /etc/sysconfig/selinux.
SELinux is a set of extra security restrictions on top of the normal Linux security tools. It gives the systems administrator a finer grain of control than what the kernel typically provides.
But SELINUX can sometimes get in your way. For example, I have had typical services, such as Apache, appear to start up correctly, but remain inaccessible from the outside world because I forgot to allow the apache user rights to open that port or maybe my distro forgot about it. Before you turn off SELinux make sure you know why you are turning it off and the security concerns you might be opening yourself up to.
Test if SELinux is running
You can test to see if SELinux is currently enabled with the following command:
selinuxenabled && echo enabled || echo disabled
Turning off SELinux temporarily
Disabling SELinux temporarily is the easiest way to determine if the problem you are experiencing is related to your SELinux settings. To turn it off, you will need to become the root users on your system and execute the following command:
echo 0 > /selinux/enforce
This temporarily turns off SELinux until it is either re-enabled or the system is rebooted. To turn it back on you simply execute this command:
echo 1 > /selinux/enforce
As you can see from these commands what you are doing is setting the file /selinux/enforce to either '1' or '0' to denote 'true' and 'false'.
Configuring SELinux to log warnings instead of block
You can also configure SELinux to give you a warning message instead of actually prohibiting the action. This known as permissive mode. To change SELinux's behavior to permissive mode you need to edit the configuration file. On Fedora and RHEL systems that file is located at /etc/selinux/config. You need to change the SELINUX option to permissive like so:
SELINUX=permissive
Note that these changes will not take effect until the system is rebooted, which is why the first section comes in handy on a system you either cannot or do not want to reboot right now.
Completely turning off SELinux
To completely disable SELinux instead of setting the configuration file to permissive mode you set it to disabled like:
SELINUX=disabled
You will need to reboot your system or temporarily set SELinux to non-enforcing mode to create the desired effect like the example above.
--------------------------------------------------------------------------------------------------------
Disabling SELinux
1) Configure SELINUX=disabled in the /etc/selinux/config file:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
2)Reboot your system. After reboot, confirm that the getenforce command returns Disabled:
~]~ getenforce
Disabled
-------------------------------------------------------------------------------------------------------------
Viewing the Status of SELinux
The sestatus command provides a configurable view into the status of SELinux. The simplest form of this command shows the following information:
[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
The -v option includes information about the security contexts of a series of files that are specified in /etc/sestatus.conf:
[root@localhost ~]# sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
Process contexts:
Current context: user_u:system_r:unconfined_t
Init context: system_u:system_r:init_t
/sbin/mingetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:unconfined_t:s0-s0:c0.c1023
The -b displays the current state of booleans. You can use this in combination with grep or other tools to determine the status of particular booleans:
[root@host2a ~]# sestatus -b | grep httpd | grep on$
httpd_builtin_scripting on
httpd_disable_trans on
httpd_enable_cgi on
httpd_enable_homedirs on
httpd_unified on
--------------------------------------------------------------------------------------------------------------
Enable or Disable SELinux
From the command line, you can edit the /etc/sysconfig/selinux file. This file is a symlink to /etc/selinux/config. The configuration file is self-explanatory. Changing the value of SELINUX or SELINUXTYPE changes the state of SELinux and the name of the policy to be used the next time the system boots.
[root@host2a ~]# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
Changing the Mode of SELinux Using the GUI
Use the following procedure to change the mode of SELinux using the GUI.
Note
You need administrator privileges to perform this procedure.
On the System menu, point to Administration and then click Security Level and Firewall to display the Security Level Configuration dialog box.
Click the SELinux tab.
In the SELinux Setting select either Disabled, Enforcing or Permissive, and then click OK.
If you changed from Enabled to Disabled or vice versa, you need to restart the machine for the change to take effect.
Changes made using this dialog box are immediately reflected in /etc/sysconfig/selinux.
No comments:
Post a Comment