Sunday, 21 September 2014

How to Disable SELinux Temporarily or Permanently

By default, SELinux is enabled on some Linux distributions, and because of this we run into issues that we don't want to see any more. It is recommended to learn about SELinux, its configuration and how to implement it in your environment. However, you may have to disable SELinux temporarily or permanently until you understand it.
Here, we will use different ways to disable SELinux.
In Linux, files and processes are tagged with specific labels that SELinux uses. The ls -Z command shows those labels as follows.
[root@amir ~]# ls -Z /etc/
-rw-r--r--. root root system_u:object_r:etc_t:s0           file
drwxr-xr-x. root root system_u:object_r:etc_t:s0        file
drwxr-xr-x. root root system_u:object_r:etc_t:s0        file
drwxr-xr-x. root root system_u:object_r:system          file
drwxr-xr-x. root root system_u:object_r:bin_t:s0       file
-rw-r--r--. root root system_u:object_r:etc_t:s0           file
drwxr-xr-x. root root system_u:object_r:bin_t:s0       file

Disable SELinux Temporarily
To disable SELinux temporarily, modify the /selinux/enforce file. After the machine is rebooted, the temporary setting is reset.
[root@amir ~]# cat /selinux/enforce
1
[root@amir ~]# echo 0 > /selinux/enforce
[root@amir ~]# cat /selinux/enforce
0
The setenforce command can also be used to disable SELinux. It accepts the values Enforcing, Permissive, 1 (enable) or 0 (disable).
[root@amir ~]# setenforce 0
setenforce: SELinux is disabled

Disable SELinux Permanently
To disable SELinux permanently, we will modify /etc/selinux/config and change the setting to SELINUX=disabled. After the machine is rebooted, the setting remains in effect permanently.
[root@amir ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
SETLOCALDEFS=0

Disable SELinux from the Grub Bootloader
If you are unable to find the /etc/selinux/config file, you can disable SELinux by adding a parameter to the kernel line in the GRUB bootloader configuration, as shown below.
[root@amir ~]# vim /boot/grub/grub.conf
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.32-358.18.1.el6.i686)
root (hd0,0)
kernel /vmlinuz-2.6.32-358.18.1.el6.i686 ro root=LABEL=/ rhgb quiet selinux=0
initrd /initramfs-2.6.32-358.18.1.el6.i686.img
title centos (2.6.32-71.el6.i686)
root (hd0,0)
kernel /vmlinuz-2.6.32-71.el6.i686 ro root=/ rhgb quiet selinux=0
initrd /initramfs-2.6.32-71.el6.i686.img
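
To confirm which of the three settings above is in effect on a host, the following added shell script (not part of the original post) reads the enforce file, /etc/selinux/config and grub.conf and summarises what each one says. The function names are made up for this example, and the default paths are the ones used on this page.

```shell
#!/bin/sh
# Added example (not from the original post): report where SELinux has been
# switched off. Default paths are the ones used on this page; pass other
# paths to check copies. Newer releases expose enforce under /sys/fs/selinux.

# Runtime mode from the enforce file: 1 = enforcing, 0 = permissive
# (policy still loaded, denials only logged).
runtime_mode() {
    f=${1:-/selinux/enforce}
    [ -r "$f" ] || { echo "unavailable"; return 0; }
    case "$(tr -d '[:space:]' < "$f")" in
        1) echo "enforcing" ;;
        0) echo "permissive" ;;
        *) echo "unknown" ;;
    esac
}

# Last uncommented SELINUX= value in the config file (SELINUXTYPE= is ignored).
config_mode() {
    f=${1:-/etc/selinux/config}
    [ -r "$f" ] || { echo "unavailable"; return 0; }
    v=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$f" | tail -n 1)
    echo "${v:-unset}"
}

# Number of GRUB kernel lines that pass selinux=0 to the kernel.
grub_overrides() {
    f=${1:-/boot/grub/grub.conf}
    [ -r "$f" ] || { echo 0; return 0; }
    grep -cE '^[[:space:]]*kernel[[:space:]].*[[:space:]]selinux=0([[:space:]]|$)' "$f" || true
}

# Print a one-line summary; exit status is non-zero unless every layer enforces.
# Usage: audit_selinux            (page's default paths)
#        audit_selinux ENFORCE_FILE CONFIG_FILE GRUB_FILE
audit_selinux() {
    rt=$(runtime_mode "$1"); cfg=$(config_mode "$2"); n=$(grub_overrides "$3")
    echo "runtime=$rt config=$cfg grub_selinux0_entries=$n"
    [ "$rt" = "enforcing" ] && [ "$cfg" = "enforcing" ] && [ "$n" -eq 0 ]
}
```

The non-zero exit status makes the function usable in a monitoring or compliance job that should flag hosts where SELinux was turned off for troubleshooting and never turned back on.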

Disable Only a Specific Service in SELinux – HTTP/Apache
If you don’t want to disable SELinux as a whole, you can disable it for the HTTP/Apache service only by changing the httpd_disable_trans variable in the /etc/selinux/targeted/booleans file.
Set the httpd_disable_trans variable to 1.
[root@amir ~]# grep httpd /etc/selinux/targeted/booleans
httpd_builtin_scripting=1
httpd_disable_trans=1
httpd_enable_cgi=1
httpd_enable_homedirs=1
httpd_ssi_exec=1
httpd_tty_comm=0
httpd_unified=1
We can also set the value using the setsebool command. After that, restart the HTTP service for the change to take effect.
[root@amir ~]# setsebool httpd_disable_trans 1
[root@amir ~]# service httpd restart

