One of the first things I usually do with most of my servers is disable SELinux. Optimally, you should configure SELinux to allow the services you need, but instead you can just disable the whole darn thing!
SELinux has 3 basic operating modes:
Enforcing – SELinux security policy is fully enforced.
Permissive – SELinux prints warnings instead of denying actions.
Disabled – SELinux is completely disabled.
If you plan on ever utilizing the extra security available with SELinux, you should choose the Permissive mode, so you can log any potential problems and create policies within SELinux to allow those actions.
We can check what mode SELinux is currently running in with the following command:
bash# cat /selinux/enforce
0bash#
Notice the 0 at the beginning of the second line; that is our current SELinux mode.
To temporarily put SELinux into disabled mode (until the next reboot) use the following command:
bash# echo 0 > /selinux/enforce
Conversely, to switch back to enforcing mode:
bash# echo 1 > /selinux/enforce
Next, to permanently change the SELinux mode, edit /etc/selinux/config:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
Change the SELINUX= line to match your desired level.
Also, some Linux distributions use kernel flags at boot time to enable or disable SELinux. If you don’t have a /etc/selinux/config file, then look in your /boot/grub/grub.conf file, and add enforcing=0 to the end of your kernel boot line, like this:
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/mapper/vg_kickstart-lv_root
#          initrd /initrd-[generic-]version.img
#boot=/dev/vda
default=0
timeout=0
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Fedora (22.214.171.124-5.fc15.x86_64)
        root (hd0,0)
        kernel /vmlinuz-126.96.36.199-5.fc15.x86_64 ro root=/dev/mapper/vg_kickstart-lv_root rd_LVM_LV=vg_kickstart/lv_root rd_LVM_LV=vg_kickstart/lv_swap rd_NO_LUKS rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYTABLE=us rhgb quiet enforcing=0
        initrd /initramfs-188.8.131.52-5.fc15.x86_64.img
To re-enable SELinux you must complete some additional steps.
First change the SELinux mode to permissive and reboot. Next run the touch /.autorelabel command and reboot again to relabel all the files. Finally change the SELinux mode to enforcing and reboot again! Please note that all the files will be relabeled for SELinux, which can take some time if there are a lot of files.
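
To confirm which mode a server is running in now and which it will come up in after a reboot, the three places discussed above (the enforce file, /etc/selinux/config and the kernel boot line) can be checked together. This is an added example, not part of the original post; the function names are made up for illustration, and it assumes that a missing enforce file means SELinux is disabled.

```shell
#!/bin/sh
# Added example (not from the original post): audit SELinux state.
# Paths are passed in so the check can also be run against copies of the files.

# Runtime mode from the enforce file: 1 = enforcing, 0 = permissive.
# Assumption: if the file is absent, the SELinux filesystem is not mounted.
runtime_mode() {
    [ -r "$1" ] || { echo disabled; return; }
    case "$(cat "$1")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Mode that will apply after reboot: the uncommented SELINUX= line.
# The pattern requires "=" right after SELINUX, so SELINUXTYPE= is ignored.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" 2>/dev/null |
        tail -n 1
}

# Boot-line override: an enforcing=0/1 word on the kernel command line.
cmdline_override() {
    cat "$1" 2>/dev/null | tr -s ' ' '\n' |
        sed -n -e 's/^enforcing=0$/permissive/p' -e 's/^enforcing=1$/enforcing/p' |
        tail -n 1
}

# Print one summary line; succeed only if the host is enforcing now,
# configured to stay enforcing, and has no boot-line override.
audit_selinux() {
    run=$(runtime_mode "$1")
    cfg=$(configured_mode "$2")
    boot=$(cmdline_override "$3")
    echo "runtime=$run configured=${cfg:-unset} boot_override=${boot:-none}"
    [ "$run" = enforcing ] && [ "$cfg" = enforcing ] && [ -z "$boot" ]
}

# Live use: sh audit.sh /selinux/enforce /etc/selinux/config /proc/cmdline
if [ "$#" -eq 3 ]; then audit_selinux "$@"; fi
```

A non-zero exit status means at least one of the three sources leaves the machine in something other than enforcing mode, which makes the script usable as a check in provisioning or monitoring.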