How to Disable SELinux

You've set up a new system, or installed something new on your Linux system, and it's not working. You get the feeling that SELinux is the cause of the problem. This page was written to help.

Contents

       Overview
       Should you really disable SELinux?
       Temporarily switch off enforcement
       Permanently Permissive
       Fully Disabling SELinux
       Re-Enabling SELinux

Overview

SELinux has two major components on your system. First, there's the kernel mechanism, which enforces a set of access rules that apply to processes and files. Second, there are file labels: every file on your system has extra labels attached to it which tie in with those access rules. Run ls -Z and you'll see what I mean.

Should you really disable SELinux?

Be aware that by disabling SELinux you will be removing a security mechanism on your system. Think about this carefully, and if your system is on the Internet and accessed by the public, then think about it some more. Joshua Brindle (an SELinux developer) has comments on disabling SELinux here, which state clearly that applications should be fixed to work with SELinux, rather than disabling the OS security mechanism.

You need to decide if you want to disable SELinux temporarily to test the problem, or permanently switch it off. It may also be a better option to make changes to the policy to permit the operations that are being blocked - but this requires knowledge of writing policies and may be a steep learning curve for some people.

For the operating system as a whole, there are two kinds of disabling:
  • Permissive - switch the SELinux kernel into a mode where every operation is allowed. Operations that would be denied are allowed, and a message is logged identifying that they would have been denied. The mechanism that defines labels for files which are being created/changed is still active.
  • Disabled - SELinux is completely switched off in the kernel. This allows all operations to be permitted, and also disables the process which decides what to label files & processes with.

Disabling SELinux could lead to problems if you want to re-enable it later. When the system runs with file labelling disabled it will create files with no label - which could cause problems if the system is booted into enforcing mode. A full relabelling of the file system will be necessary.

Temporarily switch off enforcement

You can switch the system into permissive mode with the following command:
echo 0 >/selinux/enforce
You'll need to be logged in as root, and in the sysadm_r role:
newrole -r sysadm_r
To switch back into enforcing mode:
echo 1 >/selinux/enforce
In Fedora Core and RedHat Enterprise Linux you can use the setenforce command with a 0 or 1 option to set permissive or enforcing mode; it's just a slightly easier command than the above.

To check what mode the system is in,

cat /selinux/enforce
which will print a "0" or "1" for permissive or enforcing - probably printed at the beginning of the line of the command prompt.

Permanently Permissive

The above will switch off enforcement temporarily - until you reboot the system. If you want the system to always start in permissive mode, then here is how you do it.

In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and you will see some lines like this:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
... just change SELINUX=enforcing to SELINUX=permissive, and you're done. Reboot if you want to prove it.

For the other Linuxes which don't have the /etc/selinux/config file, you just need to edit the kernel boot line, usually in /boot/grub/grub.conf if you're using the GRUB boot loader. On the kernel line, add enforcing=0 at the end. For example,

title SE-Linux Test System
	root (hd0,0)
	kernel /boot/vmlinuz-2.4.20-selinux-2003040709 ro root=/dev/hda1 nousb enforcing=0
	#initrd /boot/initrd-2.4.20-selinux-2003040709.img

Fully Disabling SELinux

Fully disabling SELinux goes one step further than just switching into permissive mode. Disabling will completely disable all SELinux functions including file and process labelling.

In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and change the SELINUX line to SELINUX=disabled:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
... and then reboot the system.

For the other Linuxes which don't have the /etc/selinux/config file, you just need to edit the kernel boot line, usually in /boot/grub/grub.conf, if you're using the GRUB boot loader. On the kernel line, add selinux=0 at the end. For example,

title SE-Linux Test System
        root (hd0,0)
        kernel /boot/vmlinuz-2.4.20-selinux-2003040709 ro root=/dev/hda1 nousb selinux=0
        #initrd /boot/initrd-2.4.20-selinux-2003040709.img
You will have to reboot to disable SELinux; you just can't do it while the system is running.
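
An added example, not part of the original page: a small audit helper that predicts which mode a host will boot into from the two settings edited above, the SELINUX= line in the config file and the enforcing= / selinux= parameters on the kernel boot line. The function name selinux_boot_mode, the precedence it applies and the sample inputs are assumptions made for this example.

```shell
# selinux_boot_mode CONFIG_FILE "KERNEL_BOOT_LINE"   (hypothetical helper)
# Prints enforcing, permissive, disabled, or unknown.
# The body runs in a subshell ( ... ) so set -f and the variables stay local.
selinux_boot_mode() (
    cfg_file=$1
    cmdline=$2
    set -f                      # no globbing while splitting the boot line
    cfg_mode=""
    if [ -r "$cfg_file" ]; then
        # Last uncommented SELINUX= line; SELINUXTYPE= lines do not match.
        cfg_mode=$(sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$cfg_file" | tail -n 1)
    fi
    k_selinux=""
    k_enforcing=""
    for word in $cmdline; do
        case $word in
            selinux=*)   k_selinux=${word#selinux=} ;;
            enforcing=*) k_enforcing=${word#enforcing=} ;;
        esac
    done
    # Assumed precedence: selinux=0 or SELINUX=disabled switches SELinux off,
    # then enforcing=0/1 on the boot line overrides the config file's mode.
    if [ "$k_selinux" = 0 ] || [ "$cfg_mode" = disabled ]; then
        echo disabled
    elif [ "$k_enforcing" = 0 ]; then
        echo permissive
    elif [ "$k_enforcing" = 1 ]; then
        echo enforcing
    else
        case $cfg_mode in
            enforcing|permissive) echo "$cfg_mode" ;;
            *) echo unknown ;;  # no config file and no boot parameter
        esac
    fi
)

# Constructed sample input: a config file in the format shown on this page.
sample_cfg=$(mktemp)
printf '%s\n' '# disabled - No SELinux policy is loaded.' \
    'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$sample_cfg"
sample_boot='ro root=/dev/hda1 nousb'   # constructed kernel boot line

echo "config only: $(selinux_boot_mode "$sample_cfg" "$sample_boot")"
echo "enforcing=0: $(selinux_boot_mode "$sample_cfg" "$sample_boot enforcing=0")"
echo "selinux=0:   $(selinux_boot_mode "$sample_cfg" "$sample_boot selinux=0")"
rm -f "$sample_cfg"
```

Run against a real host as selinux_boot_mode /etc/selinux/config "$(cat /proc/cmdline)" and compare the answer with the running mode to spot a system that has been left permanently permissive or disabled.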

Re-Enabling SELinux

If you've disabled SELinux as in the section above, and you want to enable it again, then you've got a bit of work to do. The problem will be that files created or changed when SELinux was disabled won't have the correct file labels on them - if you just reboot in enforcing mode then a lot of stuff won't work properly.

What you need to do is to enable SELinux by editing /etc/selinux/config (for Fedora/RedHat) or by adding selinux=1 to the kernel boot line, then boot into permissive mode, then relabel everything, and then reboot into (or simply switch to) enforcing mode.

After booting into permissive mode, run
fixfiles relabel

Alternatively, in Fedora and RedHat Enterprise Linux you can run
touch /.autorelabel
and reboot, or put autorelabel on the boot command line - in both cases the file system gets a full relabel early in the boot process. Note that this can take quite some time for systems with a large number of files.

After relabelling the filesystem, you can switch to enforcing mode (see above) and your system should be fully enforcing again.