Tuncay Sahin

ICT Engineer | ICT Lecturer & Trainer

This article shows how to disable SELinux, since some software does not support this Linux kernel security module, which provides the mechanism for enforcing access control security policies.

Display current state of SELinux

# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing


Temporarily Disable/Enable SELinux

To disable SELinux temporarily (without rebooting the Linux system), enter the following command as the root user:

# setenforce 0

This switches SELinux to permissive mode (policy violations are logged but not blocked) until you reboot the Linux system.

To enable it again:

# setenforce 1

Permanently Disable/Enable SELinux

To disable SELinux permanently, modify the /etc/selinux/config file and change "SELINUX=enforcing" to "SELINUX=disabled" as shown below. The change takes effect after the next reboot.

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

Configure Booleans instead of disabling entire SELinux

Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing.

Listing Booleans

For a list of Booleans and whether they are on or off, run the following as the root user:

# getsebool -a

In the following example, the httpd_can_sendmail Boolean is off:

# getsebool -a | grep sendmail
httpd_can_sendmail --> off

This prevents Apache from sending e-mail.

Configuring Booleans

Run the setsebool utility in the form setsebool boolean_name on|off to enable or disable Booleans.

The following example demonstrates configuring the httpd_can_network_connect_db Boolean.

By default, the httpd_can_network_connect_db Boolean is off, preventing Apache HTTP Server scripts and modules from connecting to database servers.

Verify the Boolean is disabled:

# getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> off

To temporarily enable Apache HTTP Server scripts and modules to connect to database servers, run as the Linux root user:

# setsebool httpd_can_network_connect_db on

Verify the Boolean is enabled:

# getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> on

This change is not persistent across reboots. To make it persistent, run setsebool -P boolean_name on as the Linux root user:

# setsebool -P httpd_can_network_connect_db on
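As an added example (not part of the original article), the POSIX shell helpers below parse /etc/selinux/config and "getsebool -a" output so you can check whether a system has been switched off wholesale and which Booleans are off instead. The config file and getsebool output used in the demo are constructed, so the script runs on a machine without SELinux.

```shell
#!/bin/sh
# Added example, not from the original article: audit helpers for the
# /etc/selinux/config file and the "name --> state" lines that getsebool -a
# prints. The sample config and getsebool output below are constructed.

# Print the SELINUX= value from a config file. Comment lines are skipped and
# the last uncommented assignment wins.
selinux_config_mode() {
    grep -E '^[[:space:]]*SELINUX=' "$1" | tail -n 1 | cut -d= -f2 | tr -d '[:space:]'
}

# Return 0 if the config keeps SELinux enforcing after a reboot, 1 otherwise
# (permissive, disabled, or no SELINUX= line at all).
config_is_enforcing() {
    [ "$(selinux_config_mode "$1")" = "enforcing" ]
}

# Read getsebool-style "name --> state" lines on stdin and print the names
# that are off; these are the candidates for "setsebool -P name on".
booleans_off() {
    awk '$2 == "-->" && $3 == "off" { print $1 }'
}

# Demo on constructed data.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
SELINUX=disabled
SELINUXTYPE=targeted
EOF

sample_getsebool='httpd_can_sendmail --> off
httpd_can_network_connect_db --> off
httpd_enable_homedirs --> on'

if config_is_enforcing "$cfg"; then
    echo "config: enforcing"
else
    echo "config: $(selinux_config_mode "$cfg") (SELinux will not enforce after reboot)"
fi
echo "Booleans that are off:"
printf '%s\n' "$sample_getsebool" | booleans_off
rm -f "$cfg"
```

On a real system, feed it the live files instead: `selinux_config_mode /etc/selinux/config` and `getsebool -a | booleans_off`.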

More information

For more information or a personal consultation, feel free to contact me without obligation.

E-Mail

info@tuncaysahin.nl