Comments on: Aaaaaaaaaaaargh SELinux!

By: David Keen

David Keen — Thu, 08 Jan 2009 16:16:05 +0000

The only time you would really need to relabel a complete file system is when enabling SELinux for the first time or if you have disabled it and then want to enable it at a later date. It just makes sure all files have the correct SELinux context.

The easiest way to do it is to ‘touch /.autorelabel’ and then reboot.

I agree SELinux can be confusing but it is actually a Good Thing, if you want to spend the time learning about it. To be honest you can get a long way with just the basics. The policies in Fedora have improved a great deal since it was first introduced and a lot of things can be fixed by setting booleans. Try ‘getsebool -a’ and ‘man setsebool’.

Also Fedora 10 has a good SELinux assistant if you are running a GUI which will pop up a warning when an access has been denied and will suggest the right command to run to fix the problem.

But yeah, it’s often easiest to just set it to permissive and ignore it.

By: Demian Turner

Demian Turner — Thu, 08 Jan 2009 06:47:27 +0000

@David Keen

Hey, thanks for the info Dave, as a SElinux abstainer I can honestly say this is the first thing I learn about it

I will investigate ‘permissive’ – what is complete relabling?

By: Demian Turner

Demian Turner — Thu, 08 Jan 2009 06:44:39 +0000

@Rob Wilkerson

same here wrt disabling it when it comes to local Fedora/rh installs I setup from scratch, but the gotcha here was the hosting provider enabled it by default. In the 5 or so commercial boxes I’ve setup in the last 12 months, no one had ever enabled it by default. Makes we wonder if this is a Fedora precedent?

By: David Keen

David Keen — Wed, 07 Jan 2009 16:50:16 +0000

Yeah SELinux is fun!

You can get the current SELinux status (which may be different from what’s in the config file) by running ‘getenforce’.

You can also set it like this: ’setenforce permissive’.

This takes effect immediately so is easier for testing than changing the config file and rebooting (although you still need to change the config file to make it permanent.)

Also, if you want to disable SELinux, I’d recommend setting it to permissive rather than disabled. If you disable SELinux completely and then decide you want it at a later date any new files won’t have the right context and lots of stuff will break in a most exciting way. You would then need to do a complete relabel.

By: Rob Wilkerson

Rob Wilkerson — Wed, 07 Jan 2009 14:32:47 +0000

SELinux is one of the most frustrating security devices I’ve ever encountered. Like you, it’s the first thing I disable when installing a new RH-based distro where they seem to like it enabled by default. It’s been a while since my last install, but I believe my last few had an installer option to dis/enable it.

Maybe it’s because I’ve never really understood it (I can honestly say that I have no real sense of how it does what it does), but I’ve run into far more issues with it over the years than it’s worth. Since most of my installs are internal and require no aggressive security, I have the luxury of being able to simply turn it off.