Sometimes when I want to test something or write a prototype of some sort, SELinux (Security-Enhanced Linux) kicks in and hinders me, given that it is enabled by default on OL 7 UEK 4. STOP! Before I let you continue to read, take a mental note of my disclaimer: I am an advocate of having security turned on by default. It helps us provide better and obviously more secure systems which, in turn, helps the world save time and money. Security should never, ever be turned off for production systems!
With this being said, here are a couple of quick steps for how to get around it.
tl;dr
setenforce 0
vim /etc/sysconfig/selinux
SELINUX=permissive
Current SELinux status
Linux provides a simple command, sestatus (SELinux status tool), that tells you, as the name suggests, the status of SELinux:
[root@localhost oracle]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 29
In my case it is, as per default, enabled. There are three modes for SELinux: enabled, disabled and permissive. I think that enabled and disabled are self explanatory, permissive is slightly different. Permissive is the setting to print warnings instead of enforcing SELinux. This is useful, for example, if you want to test something and see whether SELinux would or wouldn’t allow it. In my case, as this is a test machine, I shouldn’t really care much about whether I set it to disabled or permissive. However, given that security is a good thing and a must for production environments, I can’t see why I would ever set SELinux to disabled if I can have warnings instead and build my software to work with SELinux correctly. So I’m opting for the permissive status instead.
Linux has another command that allows you to switch between enabled and permissive in the current running environment. That command is setenforce (modify the mode SELinux is running in). It takes just one parameter and only four values:
Enforcing or 1
Permissive or 0
So, all I have to do is:
[root@localhost oracle]# setenforce Permissive
[root@localhost oracle]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 29
That does the trick to set my current environment to permissive: Current mode: permissive. However, that is not a permanent setting. Note this line in the output above: Mode from config file: enforcing. That is the setting that the machine will pick up upon reboot. So there is one more task to perform.
Make SELinux status permanent
In order to make the SELinux mode permanent I have to do one more thing: change the config file. This change is also easy. All you have to do is open the config file /etc/sysconfig/selinux, set SELINUX=permissive and you are all set:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@localhost oracle]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 29
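The two sestatus fields compared above, Current mode and Mode from config file, can be checked by a script so that a test machine left in permissive mode, or a runtime change that will revert at reboot, does not go unnoticed. This is an added example, not part of the original post; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): detect when the running SELinux
# mode and the mode in the config file disagree, using sestatus output.

# Print the value of one "Label: value" line read from stdin.
sestatus_field() {
    awk -F: -v key="$1" '$1 == key { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# Read sestatus output on stdin and print a one-line verdict.
# Exit status: 0 enforcing now and after reboot, 1 runtime and config differ,
# 2 not enforcing in either place, 3 output not recognised.
check_selinux_modes() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sestatus_field "SELinux status")
    current=$(printf '%s\n' "$out" | sestatus_field "Current mode")
    config=$(printf '%s\n' "$out" | sestatus_field "Mode from config file")

    # A disabled system prints only the status line, so handle it first.
    if [ "$status" = "disabled" ]; then
        echo "SELinux is disabled: no policy loaded"; return 2
    fi
    if [ -z "$current" ] || [ -z "$config" ]; then
        echo "could not parse sestatus output"; return 3
    fi
    if [ "$current" != "$config" ]; then
        echo "runtime=$current config=$config: mode changes to $config at next boot"
        return 1
    fi
    if [ "$current" = "enforcing" ]; then
        echo "runtime=$current config=$config: enforcing"; return 0
    fi
    echo "runtime=$current config=$config: not enforcing"; return 2
}

# Constructed sample: the state right after "setenforce Permissive" in the post.
SAMPLE_SESTATUS='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing'

printf '%s\n' "$SAMPLE_SESTATUS" | check_selinux_modes || echo "exit status $?"
# On a live host: sestatus | check_selinux_modes
```

The non-zero exit status makes the check usable from cron or a configuration-management run on hosts that were switched to permissive for testing.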
Very useful. Thanks.