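[Repost] How to disable SELinux

Original, 2008-08-03 18:37:00
 Two reference articles:

http://www.haw-haw.org/node/30: this article is mainly about how to disable SELinux
http://www.crypt.gen.nz/selinux/disable_selinux.html: this article explains the related issues in more detail.
I have copied both of them here.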

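Article 1:

SELinux is something new.

It is commonly found on systems running Linux kernel 2.6 (such as AS4 and FC3).

In general, if you run into some baffling permission error on a machine with a 2.6 kernel, it is worth asking whether the SELinux policy is the cause.

As I see it at the moment, it is best to disable SELinux right from the start!

The method is to edit the file /etc/sysconfig/selinux and set SELINUX to disabled, like this:

SELINUX=disabled

After the machine is rebooted, SELinux is ignored.

The command setenforce 0 can shut SELinux off directly; it takes effect immediately, with no need to reboot the machine.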



Article 2:

You've set up a new system, or installed something new on your Linux system, and it's not working. You get the feeling that SELinux is the cause of the problem. This page was written to help.

Contents

      Overview
      Should you really disable SELinux?
      Temporarily switch off enforcement
      Permanently Permissive
      Fully Disabling SELinux
      Re-Enabling SELinux

Overview

SELinux has two major components on your system. First, there's the kernel mechanism, which enforces a set of access rules that apply to processes and files. Second, there are file labels: every file on your system has extra labels attached to it which tie in with those access rules. Run ls -Z and you'll see what I mean.

Should you really disable SELinux?

Be aware that by disabling SELinux you will be removing a security mechanism on your system. Think about this carefully, and if your system is on the Internet and accessed by the public, then think about it some more. Joshua Brindle (an SELinux developer) has comments on disabling SELinux here, which state clearly that applications should be fixed to work with SELinux, rather than disabling the OS security mechanism.
You need to decide if you want to disable SELinux temporarily to test the problem, or permanently switch it off. It may also be a better option to make changes to the policy to permit the operations that are being blocked - but this requires knowledge of writing policies and may be a steep learning curve for some people. For the operating system as a whole, there are two kinds of disabling:
  • Permissive - switch the SELinux kernel into a mode where every operation is allowed. Operations that would be denied are allowed and a message is logged identifying that it would be denied. The mechanism that defines labels for files which are being created/changed is still active.
  • Disabled - SELinux is completely switched off in the kernel. This allows all operations to be permitted, and also disables the process which decides what to label files & processes with.
Disabling SELinux could lead to problems if you want to re-enable it again later. When the system runs with file labelling disabled it will create files with no label - which could cause problems if the system is booted into Enforcement mode. A full re-labelling of the file system will be necessary.

Temporarily switch off enforcement

You can switch the system into permissive mode with the following command:


You'll need to be logged in as root, and in the sysadm_r role:

  


To switch back into enforcing mode:

  


In Fedora Core and RedHat Enterprise Linux you can use the setenforce command with a 0 or 1 option to set permissive or enforcing mode; it's just a slightly easier command than the above.

To check what mode the system is in,



which will print a "0" or "1" for permissive or enforcing - probably printed at the beginning of the line of the command prompt.


Permanently Permissive

The above will switch off enforcement temporarily - until you reboot the system. If you want the system to always start in permissive mode, then here is how you do it.

In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and you will see some lines like this:



... just change SELINUX=enforcing to SELINUX=permissive, and you're done. Reboot if you want to prove it.

For the other Linuxes which don't have the /etc/selinux/config file, you just need to edit the kernel boot line, usually in /boot/grub/grub.conf if you're using the GRUB boot loader. On the kernel line, add enforcing=0 at the end. For example,





Fully Disabling SELinux

Fully disabling SELinux goes one step further than just switching into permissive mode. Disabling will completely disable all SELinux functions including file and process labelling.

In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and change the SELINUX line to SELINUX=disabled:



... and then reboot the system.

For the other Linuxes which don't have the /etc/selinux/config file, you just need to edit the kernel boot line, usually in /boot/grub/grub.conf, if you're using the GRUB boot loader. On the kernel line, add selinux=0 at the end. For example,



You will have to reboot to disable SELinux; you can't do it while the system is running.
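The two places described above that decide the boot-time mode (the SELINUX= line in /etc/selinux/config and the enforcing=0 / selinux=0 kernel options) can be audited together. The following is an added example, not code from the original article; the function names are hypothetical, and it assumes that selinux=0 or SELINUX=disabled switches SELinux off and that an enforcing=N boot option otherwise overrides the config file.

```shell
#!/bin/sh
# Added example (not from the original article): report the mode a host will boot into.
# File paths are parameters so the functions can be run on constructed copies.

# Print the SELINUX= value from a file in /etc/selinux/config format.
configured_mode() {
    conf=${1:-/etc/selinux/config}
    [ -r "$conf" ] || { echo "unknown"; return 0; }
    # First uncommented SELINUX= line; SELINUXTYPE= does not match this pattern.
    mode=$(sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$conf" | head -n 1 | tr 'A-Z' 'a-z')
    case "$mode" in
        enforcing|permissive|disabled) echo "$mode" ;;
        *) echo "invalid" ;;   # missing or unrecognised value
    esac
}

# True if the kernel command line stored in file $2 contains the exact option $1.
has_opt() {
    [ -r "$2" ] && tr -s '[:space:]' '\n' < "$2" | grep -qx "$1"
}

# Combine config and boot options. Assumed precedence: selinux=0 or
# SELINUX=disabled switches SELinux off; otherwise enforcing=N overrides the file.
boot_mode() {
    conf=${1:-/etc/selinux/config}; cmdline=${2:-/proc/cmdline}
    mode=$(configured_mode "$conf")
    if has_opt 'selinux=0' "$cmdline" || [ "$mode" = "disabled" ]; then
        echo "disabled"
    elif has_opt 'enforcing=0' "$cmdline"; then
        echo "permissive"
    elif has_opt 'enforcing=1' "$cmdline"; then
        echo "enforcing"
    else
        echo "$mode"
    fi
}

# Exit status 0 only when the host is set to boot enforcing.
check_enforcing() {
    m=$(boot_mode "$@")
    echo "SELinux boot mode: $m"
    [ "$m" = "enforcing" ]
}
```

Called with no arguments, check_enforcing reads the real /etc/selinux/config and /proc/cmdline, so it can serve as a fleet check for hosts left permissive or disabled after troubleshooting.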


Re-Enabling SELinux

If you've disabled SELinux as in the section above, and you want to enable it again then you've got a bit of work to do. The problem will be that files created or changed when SELinux was disabled won't have the correct file labels on them - if you just reboot in enforcing mode then a lot of stuff won't work properly.

What you need to do is to enable SELinux by editing /etc/selinux/config (for Fedora/RedHat) or by adding selinux=1 to the kernel boot line, then boot into permissive mode, then relabel everything, and then reboot into (or simply switch to) enforcing mode.

After booting into permissive mode, run fixfiles relabel

Alternatively, in Fedora and RedHat Enterprise Linux you can run touch /.autorelabel and reboot or put autorelabel on the boot command line - in both cases the file system gets a full relabel early in the boot process. Note that this can take quite some time for systems with a large number of files.

After relabelling the filesystem, you can switch to enforcing mode (see above) and your system should be fully enforcing again.
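The re-enable sequence above (permissive first, full relabel, then enforcing) can be staged so that the enforcing step refuses to run while a relabel is still pending. This is an added example, not part of the original article; the function names and the root-prefix parameter are hypothetical, and it assumes the boot-time relabel removes /.autorelabel when it finishes.

```shell
#!/bin/sh
# Added example (not from the original article): staged re-enable of SELinux.
# The optional root prefix lets the steps be rehearsed on a copy of the files.

# set_selinux_mode <mode> [root]: rewrite the SELINUX= line, keeping a backup.
set_selinux_mode() {
    mode=$1; root=${2:-}
    conf="$root/etc/selinux/config"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "bad mode: $mode" >&2; return 2 ;;
    esac
    [ -w "$conf" ] || { echo "cannot write $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak" || return 1
    if grep -q '^SELINUX=' "$conf"; then
        # Write back into the existing file so its inode and label are kept.
        sed "s/^SELINUX=.*/SELINUX=$mode/" "$conf.bak" > "$conf"
    else
        echo "SELINUX=$mode" >> "$conf"
    fi
}

# Stage 1: next boot is permissive and triggers a full relabel.
stage_relabel() {
    root=${1:-}
    set_selinux_mode permissive "$root" || return 1
    : > "$root/.autorelabel"
}

# Stage 2: only after the relabel has run, make enforcing the boot default.
stage_enforce() {
    root=${1:-}
    if [ -e "$root/.autorelabel" ]; then
        echo "relabel still pending; reboot in permissive mode first" >&2
        return 1
    fi
    set_selinux_mode enforcing "$root"
}
```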
