The first thing to know about SELinux was that it was developed by the National Security Agency (NSA). Since those guys sometimes do questionable things when they say they’re enhancing your security it may be reasonable to not assume that SELinux will actually enhance your Linux’s security. In conceptual terms I’ve never found myself appreciating its contribution to any system I have used. In practical terms, SELinux has been for me like the situation with civil asset forfeiture by police now exceeding the money lost in burglaries.

Basically when some fancy network service that really, really should work does not, it is a strong indication to check if SELinux is active. 90% of the time, if it is, it is the problem. And when I say fancy network service, I mean any software thanks to sockets being used aggressively by sound and windowing systems and everything else.

Here is a small list of things I’ve had break because of SELinux.

  • Web servers

  • CGI programs

  • Mail Transport Agents

  • Procmail

  • License servers (and the clients)

  • Samba

The best resource for SELinux information is, not shockingly, Gentoo’s documentation. This resource even hints at why you might want SELinux in the first place. It seems that if you want all of your users, whom we assume we trust, to have full permissions to shoot themselves in the foot, then SELinux is not appropriate. If you have adversarial users (or expect a compromise that makes them so) then SELinux makes a tiny bit more sense. Still, take all of the access control overhead of normal Unix and square it.

Is It Enabled?

Other ways to check on it are to look at the exit code ($?) of the selinuxenabled command.

# if selinuxenabled ; then echo "It is enabled. Dang." ; fi
It is enabled. Dang.
# selinuxenabled
# echo $?
0
# selinuxenabled && echo enabled || echo disabled
enabled

The sestatus command can be useful to get an idea of what’s going on.

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          disabled
Policy version:                 24
Policy from config file:        targeted

Also there’s the getenforce command.

/selinux

Note
Probably deprecated.

In the distant past it seems that some distributions (Red Hat?) had the following terrible configuration that was supposed to allow one to disable SELinux.

# echo 0 > /selinux/enforce

If you cat this pseudo file it should show you the 0 or 1 you put in it.

# cat /selinux/enforce
0

But other than that, I can find no evidence that it did anything. Although, I’ve had this actually cure problems before, it doesn’t seem to work on newer installations. I’ll keep it as a note just for reference.

Disabling

You might try this.

# setenforce 0
# getenforce
Permissive

Unfortunately this doesn’t always completely cure your problem. I suspect that SELinux is alive and well, but just being more lax in some cases. To really properly eradicate it requires a reboot. This is incredibly annoying for Linux people as it is one of the only reasons a Linux machine must be rebooted (updating kernels has been the other and that’s getting cured with live kernel updating).

The way you configure SELinux to not be active on the next reboot is to edit this file.

/etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
#SELINUX=enforcing
SELINUX=disabled

# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Note I changed enforcing to disabled.

Note that "Permissive" mode is different from "Disabled" in that the logging of what would have been blocked still occurs. Permissive is supposed to be a way to troubleshoot SELinux by disabling it temporarily.

Boot Parameter

It is also possible to emphatically disable (or enable) SELinux from the kernel’s boot parameters (often found in the bootloader). For this to work you need "CONFIG_SELINUX_BOOTPARAM" enabled as a kernel compilation option (so beware that this may not work).

title My Permissive System
root (hd0,0)
kernel /kernel root=/dev/sda3 selinux=0
initrd /initramfs

title My Nonfunctional System
root (hd0,0)
kernel /kernel root=/dev/sda3 selinux=1
initrd /initramfs

Remember if you think you need SELinux, it is much easier to just unplug your network cable.