Thursday, April 8, 2010

Switching SELinux ON/OFF

What is SELinux?

From the FAQ

SELinux is an implementation of mandatory access controls (MAC) on Linux. Mandatory access controls allow an administrator of a system to define how applications and users can access different resources such as files, devices, networks and inter-process communication.

With SELinux an administrator can differentiate a user from the applications a user runs. For example, the user shell or GUI may have access to do anything he wants with his home directory but if he runs a mail client the client may not be able to access different parts of the home directory, such as his ssh keys.

The way that an administrator sets these permissions is with the centralized SELinux policy. The policy tells the system how different components on the system can interact and use resources. The policy typically comes from your distribution but it can be updated on the end system to reflect different configurations or application behavior.

That just sounds fantastique! But if you don't really understand it, it may be a bit hard to manage. In that case, you can always enable and disable SELinux on your RHEL system with the commands below.

Verify the state of SELinux on the RHEL system

[root@base ~]# getenforce 
Enforcing
[root@base ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

The output above shows that SELinux is enabled and the current mode is "enforcing" on the RHEL system. If the administrator is not familiar with SELinux, this can cause certain applications or services to fail to start. So we may need to disable SELinux "temporarily" for now.

We can first switch SELinux to "permissive" mode and retry any failing applications or services. In permissive mode the policy stays loaded and denials are still logged, so the audit log shows what would have been blocked.

[root@base ~]# echo 0 >/selinux/enforce

[root@base ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

NOTE: The effect of the command above does not persist across a reboot, so if it already fixes the application/service issues, we can now edit the SELinux configuration file to make the setting permanent.

[root@base ~]# vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

Once the SELINUX=permissive parameter is set (with no whitespace around the "=", since the file is read by libselinux and sourced by the init scripts), we can reboot the server, or simply leave the system alone until its next necessary reboot, when the new setting will be applied automatically.
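As an added example (not part of the original post), a small shell helper that writes the persistent setting safely, reads back what will apply at next boot, and reports the live mode from selinuxfs so the two can be compared the way sestatus does. The default paths (/etc/selinux/config and /selinux/enforce) are assumed from the RHEL layout above, and the sed -i form assumes GNU sed.

```shell
# set_selinux_config_mode MODE [CONFIG]
# Rewrites the SELINUX= line of an /etc/selinux/config-style file so the
# mode persists across reboots. The value is written as SELINUX=<mode> with
# no whitespace around '=': libselinux and the init scripts that read this
# file do not tolerate a stray space there. Default path assumed (RHEL);
# 'sed -i' assumes GNU sed.
set_selinux_config_mode() {
    mode="$1"
    cfg="${2:-/etc/selinux/config}"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode" >&2; return 2 ;;
    esac
    [ -w "$cfg" ] || { echo "cannot write $cfg" >&2; return 1; }
    if grep -q '^SELINUX=' "$cfg"; then
        sed -i "s/^SELINUX=.*/SELINUX=$mode/" "$cfg"   # fixes a malformed line in place
    else
        printf 'SELINUX=%s\n' "$mode" >>"$cfg"
    fi
}

# get_selinux_config_mode [CONFIG]
# Prints the mode that applies at next boot ("Mode from config file" in
# sestatus). Rejects values a strict parser rejects, e.g. "SELINUX= permissive".
get_selinux_config_mode() {
    cfg="${1:-/etc/selinux/config}"
    v=$(sed -n 's/^SELINUX=//p' "$cfg" | tail -n 1)
    case "$v" in
        enforcing|permissive|disabled) echo "$v" ;;
        *) echo "unparseable SELINUX value: '$v'" >&2; return 1 ;;
    esac
}

# runtime_selinux_mode [ENFORCE_FILE]
# Reads the live kernel mode from selinuxfs ("Current mode" in sestatus);
# the post writes 0 here to go permissive. Path assumed: /selinux/enforce on
# RHEL 5, /sys/fs/selinux/enforce on newer kernels. Unreadable = not running.
runtime_selinux_mode() {
    f="${1:-/selinux/enforce}"
    [ -r "$f" ] || { echo disabled; return 0; }
    case "$(cat "$f")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}
```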

For other Linux distributions that don't have the /etc/selinux/config file, you just need to edit the kernel boot line, usually in /boot/grub/grub.conf if you're using the GRUB boot loader. Add enforcing=0 at the end of the kernel line. For example,

title SE-Linux Test System
        root (hd0,0)
        kernel /boot/vmlinuz-2.4.20-selinux-2003040709 ro root=/dev/hda1 nousb enforcing=0
        #initrd /boot/initrd-2.4.20-selinux-2003040709.img

