Wednesday, August 26, 2009

Switch SELinux "Enforcing" mode to "Permissive" mode

Security-Enhanced Linux (SELinux) is a security architecture integrated into the 2.6.x kernel using the Linux Security Modules (LSM). It is a project of the United States National Security Agency (NSA) and the SELinux community. SELinux integration into Red Hat Enterprise Linux was a joint effort between the NSA and Red Hat.

On EL5/RHEL5+ 11g, Someone might find some error. example:
error while loading shared libraries: $ORACLE_HOME/lib/ cannot restore segment prot after reloc: Permission denied
That's a bug(FAILS TO LOAD LIBNNZ11.SO WITH SELINUX ENABLED ON EL5/RHEL5)... we need to change SELinux mode. How?

If we need to change "Enforcing" mode to the "Permissive" mode, we can use "setenforce" command.
# setenforce
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]

setenforce 1 — SELinux runs in enforcing mode.
setenforce 0 — SELinux runs in permissive mode.
# getenforce

# setenforce 0

# getenforce

# sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 18
Policy from config file:targeted
A "setenforce" command,that change mode immediate, and effect until the next reboot.

If we need to use "Permissive" mode at the next reboot, we have to modify /etc/selinux/config file as well.


enforcing — The SELinux security policy is enforced.

permissive — The SELinux system prints warnings but does not enforce policy.
This is useful for debugging and troubleshooting purposes. In permissive mode, more denials are logged because subjects can continue with actions that would otherwise be denied in enforcing mode. For example, traversing a directory tree in permissive mode produces avc: denied messages for every directory level read. In enforcing mode, SELinux would have stopped the initial traversal and kept further denial messages from occurring.

disabled — SELinux is fully disabled. SELinux hooks are disengaged from the kernel and the pseudo-file system is unregistered.
reference SELinux:

No comments: