SELinux – disable temporarily or permanently


To totally unlock this section you need to Log-in


Login

Security-enhanced Linux (SELinux) is an implementation of a mandatory access control mechanism. This mechanism is in the Linux kernel, checking for allowed operations after standard Linux discretionary access controls are checked.

To understand the benefit of mandatory access control (MAC) over traditional discretionary access control (DAC), you need to first understand the limitations of DAC.

Under DAC, ownership of a file object provides potentially crippling or risky control over the object. A user can expose a file or directory to a security or confidentiality breach with a misconfigured chmod command and an unexpected propagation of access rights. A process started by that user, such as a CGI script, can do anything it wants to the files owned by the user. A compromised Apache HTTP server can perform any operation on files in the Web group. Malicious or broken software can have root-level access to the entire system, either by running as a root process or using setuid or setgid.

Under DAC, there are really only two major categories of users, administrators and non-administrators. In order for services and programs to run with any level of elevated privilege, the choices are few and course grained, and typically resolve to just giving full administrator access. Solutions such as ACLs (access control lists) can provide some additional security for allowing non-administrators expanded privileges, but for the most part a root account has complete discretion over the file system.

A MAC or non-discretionary access control framework allows you to define permissions for how all processes (called subjects) interact with other parts of the system such as files, devices, sockets, ports, and other processes (called objects in SELinux). This is done through an administratively-defined security policy over all processes and objects. These processes and objects are controlled through the kernel, and security decisions are made on all available information rather than just user identity. With this model, a process can be granted just the permissions it needs to be functional. This follows the principle of least privilege.

Under MAC, for example, users who have exposed their data using chmod are protected by the fact that their data is a kind only associated with user home directories, and confined processes cannot touch those files without permission and purpose written into the policy.

On some of the Linux distribution SELinux is enabled by default, which may cause some unwanted issues, if you don’t understand how SELinux works and the fundamental details on how to configure it. We strongly recommend that you understand SELinux and implement it on your environment. But, until you understand the implementation details of SELinux you may want to disable it to avoid some unnecessary issues.

When working on a Linux system, you are undoubtedly aware that there are processes running all around. Processes (sometimes also referred to as tasks) are generally speaking applications that are running.

For instance, on a booted Linux system, you might find processes such as sshd (the OpenSSH daemon, used to provide secure remote shells towards the system), crond (the Cron daemon, used to run certain commands at predefined time(intervals)) or udevd (the device handling daemon, which receives kernel events and acts on those towards the system), but also user processes like bash (a user shell), xinit (the graphical X server session application) or even ps (the command to show running processes).

Disable SELinux (temporarily or permanently)

To disable SELinux you can use any one of the 4 different methods mentioned in this article.

The SELinux will enforce security policies including the mandatory access controls defined by the US Department of Defence using the Linux Security Module (LSM) defined in the Linux kernel.

Every files and process in the system will be tagged with specific labels that will be used by the SELinux. You can use ls -Z and view those labels as shown below.

# ls -Z /etc/
-rw-r--r--  root root  system_u:object_r:etc_t:s0 a2ps.cfg
-rw-r--r--  root root  system_u:object_r:adjtime_t:s0 adjtime
-rw-r--r--  root root  system_u:object_r:etc_aliases_t:s0 aliases
drwxr-x---  root root  system_u:object_r:auditd_etc_t:s0 audit
drwxr-xr-x  root root  system_u:object_r:etc_runtime_t:s0 blkid
drwxr-xr-x  root root  system_u:object_r:bluetooth_conf_t:s0 bluetooth
drwx------  root root  system_u:object_r:system_cron_spool_t:s0 cron.d
-rw-rw-r--  root disk  system_u:object_r:amanda_dumpdates_t:s0 dumpdates

Disable SELinux Temporarily

To disable SELinux temporarily you have to modify the /selinux/enforce file as shown below. Please note that this setting will be gone after the reboot of the system.

# cat /selinux/enforce
1

# echo 0 > /selinux/enforce
# cat /selinux/enforce 0

You can also use setenforce command as shown below to disable SELinux. Possible parameters to setenforce commands are: Enforcing , Permissive, 1 (enable) or 0 (disable).

# setenforce 0

Disable SELinux Permanently

To disable the SELinux permanently, modify the /etc/selinux/config and set the SELINUX=disabled as shown below. One you make any changes to the /etc/selinux/config, reboot the server for the changes to be considered.

# cat /etc/selinux/config
SELINUX=disabled
SELINUXTYPE=targeted
SETLOCALDEFS=0

Following are the possible values for the SELINUX variable in the /etc/selinux/config file.

  • enforcing – The Security Policy is always Encoforced.
  • permissive – This just simulates the enforcing policy by only printing warning messages and not really enforcing the SELinux. This is good to first see how SELinux works and later figure out what policies should be enforced.
  • disabled – Completely disable SELinux.

Following are the possible values for SELINUXTYPE variable in the /etc/selinux/config file. This indicates the type of policies that can be used for the SELinux.

  • targeted - This policy will protected only specific targeted network daemons.
  • strict - This is for maximum SELinux protection.

Disable SELinux from the Grub Boot Loader

If you can’t locate /etc/selinux/config file on your system, you can pass disable SELinux by passing it as parameter to the Grub Boot Loader as shown below.

# cat /boot/grub/grub.conf
default=0
timeout=5
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
hiddenmenu
title Enterprise Linux Enterprise Linux Server (2.6.18-92.el5PAE)
root (hd0,0)
kernel /boot/vmlinuz-2.6.18-92.el5PAE ro root=LABEL=/ rhgb quiet selinux=0
initrd /boot/initrd-2.6.18-92.el5PAE.img
title Enterprise Linux Enterprise Linux Server (2.6.18-92.el5)
root (hd0,0)
kernel /boot/vmlinuz-2.6.18-92.el5 ro root=LABEL=/ rhgb quiet selinux=0
initrd /boot/initrd-2.6.18-92.el5.img

Disable Only a Specific Service in SELinux – HTTP/Apache

If you are not interested in disability the whole SELinux, you can also disable SELinux only for a specific service.

For example, do disable SELinux for HTTP/Apache service, modify the httpd_disable_trans variable in the /etc/selinux/targeted/booleans file.

Set the httpd_disable_trans variable to 1 as shown below.

# grep httpd /etc/selinux/targeted/booleans
httpd_builtin_scripting=1
httpd_disable_trans=1
httpd_enable_cgi=1
httpd_enable_homedirs=1
httpd_ssi_exec=1
httpd_tty_comm=0
httpd_unified=1

Set SELinux boolean value using setsebool command as shown below. Make sure to restart the HTTP service after this change.

# setsebool httpd_disable_trans 1
# service httpd restart