The first thing to know about SELinux was that it was developed by the National Security Agency (NSA). Since those guys sometimes do questionable things when they say they’re enhancing your security it may be reasonable to not assume that SELinux will actually enhance your Linux’s security. In conceptual terms I’ve never found myself appreciating its contribution to any system I have used. In practical terms, SELinux has been for me like the situation with civil asset forfeiture by police now exceeding the money lost in burglaries.
Basically when some fancy network service that really, really should work does not, it is a strong indication to check if SELinux is active. 90% of the time, if it is, it is the problem. And when I say fancy network service, I mean any software thanks to sockets being used aggressively by sound and windowing systems and everything else.
Here is a small list of things I’ve had break because of SELinux.
Mail Transport Agents
License servers (and the clients)
The best resource for SELinux information is, not shockingly, Gentoo’s documentation. This resource even hints at why you might want SELinux in the first place. It seems that if you want all of your users, whom we assume we trust, to have full permissions to shoot themselves in the foot, then SELinux is not appropriate. If you have adversarial users (or expect a compromise that makes them so) then SELinux makes a tiny bit more sense. Still, take all of the access control overhead of normal Unix and square it.
Is It Enabled?
Other ways to check on it are to look at the exit code (
$?) of the
# if selinuxenabled ; then echo "It is enabled. Dang." ; fi It is enabled. Dang. # selinuxenabled # echo $? 0 # selinuxenabled && echo enabled || echo disabled enabled
sestatus command can be useful to get an idea of what’s going on.
# sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: disabled Policy version: 24 Policy from config file: targeted
Also there’s the
In the distant past it seems that some distributions (Red Hat?) had the following terrible configuration that was supposed to allow one to disable SELinux.
# echo 0 > /selinux/enforce
If you cat this pseudo file it should show you the 0 or 1 you put in it.
# cat /selinux/enforce 0
But other than that, I can find no evidence that it did anything. Although, I’ve had this actually cure problems before, it doesn’t seem to work on newer installations. I’ll keep it as a note just for reference.
You might try this.
# setenforce 0 # getenforce Permissive
Unfortunately this doesn’t always completely cure your problem. I suspect that SELinux is alive and well, but just being more lax in some cases. To really properly eradicate it requires a reboot. This is incredibly annoying for Linux people as it is one of the only reasons a Linux machine must be rebooted (updating kernels has been the other and that’s getting cured with live kernel updating).
The way you configure SELinux to not be active on the next reboot is to edit this file.
# This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. #SELINUX=enforcing SELINUX=disabled # SELINUXTYPE= can take one of these two values: # targeted - Targeted processes are protected, # mls - Multi Level Security protection. SELINUXTYPE=targeted
Note I changed
Note that "Permissive" mode is different from "Disabled" in that the logging of what would have been blocked still occurs. Permissive is supposed to be a way to troubleshoot SELinux by disabling it temporarily.
It is also possible to emphatically disable (or enable) SELinux from the kernel’s boot parameters (often found in the bootloader). For this to work you need "CONFIG_SELINUX_BOOTPARAM" enabled as a kernel compilation option (so beware that this may not work).
title My Permissive System root (hd0,0) kernel /kernel root=/dev/sda3 selinux=0 initrd /initramfs title My Nonfunctional System root (hd0,0) kernel /kernel root=/dev/sda3 selinux=1 initrd /initramfs
Remember if you think you need SELinux, it is much easier to just unplug your network cable.