Инструменты пользователя
linux:selinux
Warning: Undefined array key -1 in /home/virtwww/w_linko22-ru_c0d3353b/http/inc/html.php on line 1458
Различия
Показаны различия между двумя версиями страницы.
| Предыдущая версия справа и слева Предыдущая версия Следующая версия | Предыдущая версия | ||
|
linux:selinux [2011/10/10 14:00] linko22@gmail.com |
linux:selinux [2011/10/10 14:18] (текущий) linko22@gmail.com [Re-Enabling SELinux] |
||
|---|---|---|---|
| Строка 6: | Строка 6: | ||
| ===== Overview ===== | ===== Overview ===== | ||
| - | SELinux has two major components on your system. There' | + | SELinux has two major components on your system. There' |
| + | <code bash>ls -Z</ | ||
| + | and you'll see what I mean. | ||
| ===== Should you really disable SELinux? ===== | ===== Should you really disable SELinux? ===== | ||
| Be aware that by disabling SELinux you will be removing a security mechanism on your system. Think about this carefully, and if your system is on the Internet and accessed by the public, then think about it some more. Joshua Brindle (an SELinux developer) has comments on disabling SELinux here, which states clearly that applications should be fixed to work with SELinux, rather than disabling the OS security mechanism. | Be aware that by disabling SELinux you will be removing a security mechanism on your system. Think about this carefully, and if your system is on the Internet and accessed by the public, then think about it some more. Joshua Brindle (an SELinux developer) has comments on disabling SELinux here, which states clearly that applications should be fixed to work with SELinux, rather than disabling the OS security mechanism. | ||
| You need to decide if you want to disable SELinux temporarily to test the problem, or permanently switch it off. It may also be a better option to make changes to the policy to permit the operations that are being blocked - but this requires knowledge of writing policies and may be a steep learning curve for some people. For the operating system as a whole, there is two kinds of disabling: | You need to decide if you want to disable SELinux temporarily to test the problem, or permanently switch it off. It may also be a better option to make changes to the policy to permit the operations that are being blocked - but this requires knowledge of writing policies and may be a steep learning curve for some people. For the operating system as a whole, there is two kinds of disabling: | ||
| - | Permissive - switch the SELinux kernel into a mode where every operation is allowed. Operations that would be denied are allowed and a message is logged identifying that it would be denied. The mechanism that defines labels for files which are being created/ | + | * Permissive - switch the SELinux kernel into a mode where every operation is allowed. Operations that would be denied are allowed and a message is logged identifying that it would be denied. The mechanism that defines labels for files which are being created/ |
| - | Disabled - SELinux is completely switched off in the kernel. This allows all operations to be permitted, and also disables the process which decides what to label files & processes with. | + | *Disabled - SELinux is completely switched off in the kernel. This allows all operations to be permitted, and also disables the process which decides what to label files & processes with. |
| Disabling SELinux could lead to problems if you want to re-enable it again later. When the system runs with file labelling disable it will create files with no label - which could cause problems if the system is booted into Enforcement mode. A full re-labelling of the file system will be necessary. | Disabling SELinux could lead to problems if you want to re-enable it again later. When the system runs with file labelling disable it will create files with no label - which could cause problems if the system is booted into Enforcement mode. A full re-labelling of the file system will be necessary. | ||
| ===== Temporarily switch off enforcement ===== | ===== Temporarily switch off enforcement ===== | ||
| You can switch the system into permissive mode with the following command: | You can switch the system into permissive mode with the following command: | ||
| - | echo 0 >/ | + | |
| + | <code bash>echo 0 >/ | ||
| You'll need to be logged in as root, and in the sysadm_r role: | You'll need to be logged in as root, and in the sysadm_r role: | ||
| - | newrole -r sysadm_r | + | |
| + | <code bash>newrole -r sysadm_r</ | ||
| To switch back into enforcing mode: | To switch back into enforcing mode: | ||
| - | echo 1 >/ | + | |
| + | <code bash>echo 1 >/ | ||
| In Fedora Core and RedHat Enterprise Linux you can use the setenforce command with a 0 or 1 option to set permissive or enforcing mode, its just a slightly easier command than the above. | In Fedora Core and RedHat Enterprise Linux you can use the setenforce command with a 0 or 1 option to set permissive or enforcing mode, its just a slightly easier command than the above. | ||
| + | |||
| To check what mode the system is in, | To check what mode the system is in, | ||
| - | cat / | + | <code bash>cat / |
| which will print a " | which will print a " | ||
| ===== Permanently Permissive ===== | ===== Permanently Permissive ===== | ||
| Строка 32: | Строка 41: | ||
| In Fedora Core and RedHat Enterprise, edit / | In Fedora Core and RedHat Enterprise, edit / | ||
| + | <code bash> | ||
| # This file controls the state of SELinux on the system. | # This file controls the state of SELinux on the system. | ||
| # SELINUX= can take one of these three values: | # SELINUX= can take one of these three values: | ||
| Строка 43: | Строка 52: | ||
| # strict - Full SELinux protection. | # strict - Full SELinux protection. | ||
| SELINUXTYPE=targeted | SELINUXTYPE=targeted | ||
| - | ... just change SELINUX=enforcing to SELINUX=permissive, | + | </ |
| - | For the other Linuxes which don't have the / | + | ... just change |
| + | For the other Linuxes which don't have the **/ | ||
| + | <code bash> | ||
| title SE-Linux Test System | title SE-Linux Test System | ||
| root (hd0,0) | root (hd0,0) | ||
| kernel / | kernel / | ||
| #initrd / | #initrd / | ||
| + | </ | ||
| ===== Fully Disabling SELinux ===== | ===== Fully Disabling SELinux ===== | ||
| Fully disabling SELinux goes one step further than just switching into permissive mode. Disabling will completely disable all SELinux functions including file and process labelling. | Fully disabling SELinux goes one step further than just switching into permissive mode. Disabling will completely disable all SELinux functions including file and process labelling. | ||
| - | In Fedora Core and RedHat Enterprise, edit / | + | In Fedora Core and RedHat Enterprise, edit **/ |
| + | <code bash> | ||
| # This file controls the state of SELinux on the system. | # This file controls the state of SELinux on the system. | ||
| # SELINUX= can take one of these three values: | # SELINUX= can take one of these three values: | ||
| Строка 67: | Строка 78: | ||
| # strict - Full SELinux protection. | # strict - Full SELinux protection. | ||
| SELINUXTYPE=targeted | SELINUXTYPE=targeted | ||
| + | </ | ||
| ... and then reboot the system. | ... and then reboot the system. | ||
| - | For the other Linuxes which don't have the / | + | For the other Linuxes which don't have the **/ |
| + | <code bash> | ||
| title SE-Linux Test System | title SE-Linux Test System | ||
| root (hd0,0) | root (hd0,0) | ||
| kernel / | kernel / | ||
| #initrd / | #initrd / | ||
| + | </ | ||
| You will have to reboot to disable SELinux, you just can't do it while the system is running. | You will have to reboot to disable SELinux, you just can't do it while the system is running. | ||
| ===== Re-Enabling SELinux ===== | ===== Re-Enabling SELinux ===== | ||
| If you've disabled SELinux as in the section above, and you want to enable it again then you've got a bit of work to do. The problem will be that files created or changed when SELinux was disabled won't have the correct file labels on them - if you just reboot in enforcing mode then a lot of stuff won't work properly. | If you've disabled SELinux as in the section above, and you want to enable it again then you've got a bit of work to do. The problem will be that files created or changed when SELinux was disabled won't have the correct file labels on them - if you just reboot in enforcing mode then a lot of stuff won't work properly. | ||
| - | What you need to do is to enable SELinux by editing / | + | What you need to do is to enable SELinux by editing |
| After booting into permissive mode, run | After booting into permissive mode, run | ||
| - | fixfiles relabel | + | <code bash>fixfiles relabel</ |
| Alternatively, | Alternatively, | ||
| - | touch / | + | <code bash>touch / |
| and reboot or put | and reboot or put | ||
| - | autorelabel | + | <code bash>autorelabel</ |
| on the boot command line - in both cases the file system gets a full relabel early in the boot process. Note that this can take quite some time for systems with a large number of files. | on the boot command line - in both cases the file system gets a full relabel early in the boot process. Note that this can take quite some time for systems with a large number of files. | ||
| After relabelling the filesystem, you can switch to enforcing mode (see above) and your system should be fully enforcing again. | After relabelling the filesystem, you can switch to enforcing mode (see above) and your system should be fully enforcing again. | ||
linux/selinux.1318240838.txt.gz · Последнее изменение: 2011/10/10 14:00 — linko22@gmail.com
Инструменты страницы
Если не указано иное, содержимое этой вики предоставляется на условиях следующей лицензии: CC Attribution-Noncommercial-Share Alike 4.0 International
