How to Disable SELinux

原文:http://www.crypt.gen.nz/selinux/disable_selinux.html
You've setup a new system, or installed something new on your Linux system and its not working. You get the feeling that SELinux is the cause of the problem. This page was written to help.

Contents

       Overview
       Should you really disable SELinux?
       Temporarily switch off enforcement
       Permanently Permissive
       Fully Disabling SELinux
       Re-Enabling SELinux

Overview

SELinux has two major components on your system. There's the kernel mechanism which is enforcing a bunch of access rules which apply to processes and files. And secondly, there's file labels :  every file on your system has extra labels attached to it which tie-in with those access rules. Run  ls -Z and you'll see what I mean.

Should you really disable SELinux?

Be aware that by disabling SELinux you will be removing a security mechanism on your system. Think about this carefully, and if your system is on the Internet and accessed by the public, then think about it some more. Joshua Brindle (an SELinux developer) has comments on disabling SELinux  here, which states clearly that applications should be fixed to work with SELinux, rather than disabling the OS security mechanism. 
You need to decide if you want to disable SELinux temporarily to test the problem, or permanently switch it off. It may also be a better option to make changes to the policy to permit the operations that are being blocked - but this requires knowledge of writing policies and may be a steep learning curve for some people. For the operating system as a whole, there is two kinds of disabling:
  • Permissive - switch the SELinux kernel into a mode where every operation is allowed. Operations that would be denied are allowed and a message is logged identifying that it would be denied. The mechanism that defines labels for files which are being created/changed is still active.
  • Disabled - SELinux is completely switched off in the kernel. This allows all operations to be permitted, and also disables the process which decides what to label files & processes with.
Disabling SELinux could lead to problems if you want to re-enable it again later. When the system runs with file labelling disable it will create files with no label - which could cause problems if the system is booted into Enforcement mode. A full re-labelling of the file system will be necessary.

Temporarily switch off enforcement

You can switch the system into permissive mode with the following command:
echo 0 >/selinux/enforce
You'll need to be logged in as root, and in the sysadm_r role:
newrole -r sysadm_r
To switch back into enforcing mode:
echo 1 >/selinux/enforce
In Fedora Core and RedHat Enterprise Linux you can use the  setenforce command with a 0 or 1 option to set permissive or enforcing mode, its just a slightly easier command than the above.

To check what mode the system is in,

cat /selinux/enforce
which will print a "0" or "1" for permissive or enforcing - probably printed at the beginning of the line of the command prompt. 

Permanently Permissive

The above will switch off enforcement temporarily - until you reboot the system. If you want the system to always start in permissive mode, then here is how you do it.

In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and you will see some lines like this:


# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
... just change  SELINUX=enforcing to  SELINUX=permissive, and you're done. Reboot if you want to prove it.

For the other Linuxes which don't have the /etc/selinux/config file, you just need to edit the kernel boot line, usually in /boot/grub/grub.conf if you're using the GRUB boot loader. On the kernel line, add enforcing=0 at the end. For example,


title SE-Linux Test System
	root (hd0,0)
	kernel /boot/vmlinuz-2.4.20-selinux-2003040709 ro root=/dev/hda1 nousb enforcing=0
	#initrd /boot/initrd-2.4.20-selinux-2003040709.img

Fully Disabling SELinux

Fully disabling SELinux goes one step further than just switching into permissive mode. Disabling will completely disable all SELinux functions including file and process labelling.

In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and change the SELINUX line to SELINUX=disabled:


# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
... and then reboot the system.

For the other Linuxes which don't have the /etc/selinux/config file, you just need to edit the kernel boot line, usually in /boot/grub/grub.conf, if you're using the GRUB boot loader. On the kernel line, add selinux=0 at the end. For example,


title SE-Linux Test System
        root (hd0,0)
        kernel /boot/vmlinuz-2.4.20-selinux-2003040709 ro root=/dev/hda1 nousb selinux=0
        #initrd /boot/initrd-2.4.20-selinux-2003040709.img
You will have to reboot to disable SELinux, you just can't do it while the system is running. 

Re-Enabling SELinux

If you've disabled SELinux as in the section above, and you want to enable it again then you've got a bit of work to do. The problem will be that files created or changed when SELinux was disabled won't have the correct file labels on them - if you just reboot in enforcing mode then a lot of stuff won't work properly.

What you need to do is to enable SELinux by editing /etc/selinux/config (for Fedora/RedHat) or by adding selinux=1 to the kernel boot line, then boot intopermissive mode, then relabel everything, and then reboot into (or simply switch to) enforcing mode.

After booting into permissive mode, runfixfiles relabel

Alternatively, in Fedora and RedHat Enterprise Linux you can runtouch /.autorelabeland reboot or putautorelabelon the boot command line - in both cases the file system gets a full relabel early in the boot process. Note that this can take quite some time for systems with a large number of files.

After relabelling the filesystem, you can switch to enforcing mode (see above) and your system should be fully enforcing again. 

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值