Switch SELinux "Enforcing" mode to "Permissive" mode


By surachart - Posted on 27 August 2009

Security-Enhanced Linux (SELinux) is a security architecture integrated into the 2.6.x kernel using the Linux Security Modules (LSM). It is a project of the United States National Security Agency (NSA) and the SELinux community. SELinux integration into Red Hat Enterprise Linux was a joint effort between the NSA and Red Hat.

And?
On EL5/RHEL5 + 11g, you might run into an error. For example:

error while loading shared libraries: $ORACLE_HOME/lib/libnnz11.so: cannot restore segment prot after reloc: Permission denied

That's a bug (FAILS TO LOAD LIBNNZ11.SO WITH SELINUX ENABLED ON EL5/RHEL5), so we need to change the SELinux mode. How?
To switch from "Enforcing" mode to "Permissive" mode, we can use the "setenforce" command.
# setenforce
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]
setenforce 1 — SELinux runs in enforcing mode.
setenforce 0 — SELinux runs in permissive mode.

Example:
# getenforce
Enforcing
# setenforce 0
# getenforce
Permissive
# sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 18
Policy from config file:targeted
.
.
The "setenforce" command changes the mode immediately, and the change lasts until the next reboot.
If we need "Permissive" mode to apply at the next reboot as well, we also have to modify the /etc/selinux/config file.
SELINUX=permissive
SELINUX=enforcing|permissive|disabled
enforcing — The SELinux security policy is enforced.

permissive — The SELinux system prints warnings but does not enforce policy.
This is useful for debugging and troubleshooting purposes. In permissive mode, more denials are logged because subjects can continue with actions that would otherwise be denied in enforcing mode. For example, traversing a directory tree in permissive mode produces avc: denied messages for every directory level read. In enforcing mode, SELinux would have stopped the initial traversal and kept further denial messages from occurring.

disabled — SELinux is fully disabled. SELinux hooks are disengaged from the kernel and the pseudo-file system is unregistered.
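
Because setenforce only changes the running mode and /etc/selinux/config only sets the mode for the next boot, the two can disagree, as the "Current mode" and "Mode from config file" lines in the sestatus output above show. The script below is an added example, not part of the original post: it compares the two values and reports drift or a host left out of enforcing mode. The function names config_mode, mode_drift and demo, and the "live" argument, are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report drift between the running SELinux mode and the
# mode that /etc/selinux/config will apply at the next boot.

# Print the SELINUX= value from a config file, lowercased.
# Commented lines and the SELINUXTYPE= line do not match.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr 'A-Z' 'a-z'
}

# $1 = running mode as printed by getenforce, $2 = mode from the config file.
# Prints one verdict line. Returns 0 only when both are enforcing,
# 1 when they differ, 2 when both are permissive or both disabled.
mode_drift() {
    running=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    boot=$2
    if [ "$running" = enforcing ] && [ "$boot" = enforcing ]; then
        echo "ok: enforcing now and after reboot"; return 0
    elif [ "$running" != "$boot" ]; then
        echo "drift: running=$running, next boot=$boot"; return 1
    else
        echo "weak: $running now and after reboot"; return 2
    fi
}

# Constructed sample: the state shown in the post after "setenforce 0"
# (running permissive, config file still enforcing).
demo() {
    cfg=$(mktemp)
    printf '# constructed sample\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$cfg"
    mode_drift Permissive "$(config_mode "$cfg")" || true
    rm -f "$cfg"
}

# "live" checks the real host; with no argument the constructed demo runs.
if [ "${1:-}" = live ]; then
    mode_drift "$(getenforce)" "$(config_mode /etc/selinux/config)"
else
    demo
fi
```

Run with the argument "live" from cron or a configuration-management check, a non-zero exit status flags a host where a temporary "setenforce 0" or a permissive config entry was never reverted.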

reference SELinux:


