When you install Linux on your system, SELinux is enabled by default. SELinux is a very useful security feature in Linux. But if you are not familiar with how SELinux is used, then I would advise disabling it.
SELinux enforces security policies, including the mandatory access controls defined by the US Department of Defense, using the Linux Security Module (LSM) defined in the Linux kernel. Every file and process in the system is tagged with specific labels that are used by SELinux. You can use ls -Z to view those labels as shown below.
[root@paragtesting ~]# ls -Z /etc
drwxr-xr-x  root root  system_u:object_r:etc_t:s0          acpi
-rw-r--r--  root root  system_u:object_r:adjtime_t:s0      adjtime
drwxr-xr-x  root root  system_u:object_r:etc_t:s0          alchemist
-rw-r--r--  root root  system_u:object_r:etc_aliases_t:s0  aliases
-rw-r-----  root smmsp system_u:object_r:etc_aliases_t:s0  aliases.db
drwxr-xr-x  root root  system_u:object_r:etc_t:s0          alsa
drwxr-xr-x  root root  system_u:object_r:etc_t:s0          alternatives
To disable SELinux in Linux you can use 4 methods.
Method 1: Disable SELinux Temporarily
To disable SELinux temporarily you have to modify the /selinux/enforce file as shown below. Please note that this setting will be gone after the system reboots.
# cat /selinux/enforce
1
# echo 0 > /selinux/enforce
# cat /selinux/enforce
0
In Fedora Core and Red Hat Enterprise Linux you can use the setenforce command with a 0 or 1 option to set permissive or enforcing mode. It is just a slightly easier command than the above.
# setenforce 0
Method 2: Disable SELinux Permanently
The above will switch off enforcement temporarily - until you reboot the system. If you want the system to always start in permissive mode, then here is how you do it.
In Fedora Core and Red Hat Enterprise, edit /etc/sysconfig/selinux and you will see some lines like this:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
... just change SELINUX=enforcing to SELINUX=permissive, and you're done.
Reboot if you want to prove it.
Following are the possible values for the SELINUX variable in the /etc/sysconfig/selinux file:
* enforcing - The security policy is always enforced.
* permissive - This just simulates the enforcing policy by only printing warning messages and not really enforcing SELinux. This is good for first seeing how SELinux works and later figuring out what policies should be enforced.
* disabled - Completely disables SELinux.
Following are the possible values for the SELINUXTYPE variable in the /etc/sysconfig/selinux file. This indicates the type of policy that SELinux uses:
* targeted - This policy protects only specific targeted network daemons.
* strict - This is for maximum SELinux protection.
Method 3: Disable SELinux from the Grub Boot Loader
If you can't locate the /etc/sysconfig/selinux file on your system, you can disable SELinux by passing it as a parameter (selinux=0 on the kernel line) in the Grub boot loader configuration, as shown below.
[root@paragtesting selinux]# cat /boot/grub/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00
#          initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.18-308.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-308.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet selinux=0
        initrd /initrd-2.6.18-308.el5.img
You can check the status of enforcing mode by using the getenforce command.
[root@paragtesting modules]# getenforce
Disabled
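
getenforce only reports the running state. The script below is an added example, not part of the original post: it reads copies of the two files edited in Methods 2 and 3 and reports which mode the host will come up in after the next reboot, which is useful when auditing a machine for a forgotten selinux=0. The function names are hypothetical, the sample files are constructed from the listings above, and enforcing=0 is a kernel parameter the article does not cover.

```shell
#!/bin/sh
# Added example: report the SELinux mode a host will boot into, read from
# copies of the two files the article edits. Function names are hypothetical.

configured_mode() {   # $1 = /etc/sysconfig/selinux (or a copy)
    # Last uncommented SELINUX= line wins; SELINUXTYPE= does not match.
    awk -F= '/^[ \t]*SELINUX=/ { sub(/#.*/, "", $2); gsub(/[ \t\r]/, "", $2)
                                 m = tolower($2) }
             END { print (m == "" ? "unset" : m) }' "$1"
}

grub_override() {     # $1 = /boot/grub/grub.conf (or a copy)
    # Only uncommented kernel lines count. Any menu entry carrying the
    # parameter is reported, not just the default one. enforcing=0 (boot in
    # permissive mode) is a kernel parameter the article does not mention;
    # enforcing=1 is not modelled.
    awk '/^[ \t]*kernel[ \t]/ {
             for (i = 2; i <= NF; i++) {
                 if ($i == "selinux=0") r = "disabled"
                 if ($i == "enforcing=0" && r == "") r = "permissive"
             }
         }
         END { print (r == "" ? "none" : r) }' "$1"
}

boot_state() {        # $1 = selinux config, $2 = grub.conf
    cfg=$(configured_mode "$1")
    grub=$(grub_override "$2")
    if [ "$grub" = disabled ] || [ "$cfg" = disabled ]; then echo disabled
    elif [ "$grub" = permissive ] || [ "$cfg" = permissive ]; then echo permissive
    elif [ "$cfg" = enforcing ]; then echo enforcing
    else echo unknown
    fi
}

# Constructed sample inputs, modelled on the files shown in the article.
SAMPLE=$(mktemp -d)
printf '%s\n' '# SELINUX= can take one of these three values:' \
    'SELINUX=permissive' 'SELINUXTYPE=targeted' > "$SAMPLE/selinux"
printf '%s\n' '#          kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00' \
    'title Red Hat Enterprise Linux Server (2.6.18-308.el5)' \
    '        kernel /vmlinuz-2.6.18-308.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet selinux=0' \
    > "$SAMPLE/grub.conf"

echo "config file: $(configured_mode "$SAMPLE/selinux")"
echo "grub.conf:   $(grub_override "$SAMPLE/grub.conf")"
echo "next boot:   $(boot_state "$SAMPLE/selinux" "$SAMPLE/grub.conf")"
```

On a real host, pass /etc/sysconfig/selinux and /boot/grub/grub.conf as the two arguments to boot_state and compare the result with what getenforce prints.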