- 浏览: 557087 次
- 性别:
- 来自: 上海
文章分类
最新评论
-
binglex:
谢谢,出现这个异常,看来这个贴才发现site-packages ...
cx_Oracle的"Unable to acquire Oracle environment handle"异常 -
lizhongkan:
这样过度比较方便。但如果原来的项目,有几十个依赖的jar包,是 ...
maven2的pom的依赖管理 -
landmine:
博文看不清呀楼主,怎么解决的?我也遇到了
applet在IE下运行极慢而且CPU占用很高 -
strivefuture:
这种方法对FF浏览器,有效吗?
Iframe Shim解决applet挡住ExtJS工具栏菜单问题 -
zw:
老大也有粗心的时候啊!
一个属性未设置导致发mail不成功的郁闷。
You've setup a new system, or installed something new on your Linux system and its not working. You get the feeling that SELinux is the cause of the problem. This page was written to help.
Contents
OverviewShould you really disable SELinux?
Temporarily switch off enforcement
Permanently Permissive
Fully Disabling SELinux
Re-Enabling SELinux
Overview
SELinux has two major components on your system. There's the kernel mechanism which is enforcing a bunch of access rules which apply to processes and files. And secondly, there's file labels : every file on your system has extra labels attached to it which tie-in with those access rules. Run ls -Z and you'll see what I mean.Should you really disable SELinux?
Be aware that by disabling SELinux you will be removing a security mechanism on your system. Think about this carefully, and if your system is on the Internet and accessed by the public, then think about it some more. Joshua Brindle (an SELinux developer) has comments on disabling SELinux here, which states clearly that applications should be fixed to work with SELinux, rather than disabling the OS security mechanism.You need to decide if you want to disable SELinux temporarily to test the problem, or permanently switch it off. It may also be a better option to make changes to the policy to permit the operations that are being blocked - but this requires knowledge of writing policies and may be a steep learning curve for some people. For the operating system as a whole, there is two kinds of disabling:
- Permissive - switch the SELinux kernel into a mode where every operation is allowed. Operations that would be denied are allowed and a message is logged identifying that it would be denied. The mechanism that defines labels for files which are being created/changed is still active.
- Disabled - SELinux is completely switched off in the kernel. This allows all operations to be permitted, and also disables the process which decides what to label files & processes with.
Temporarily switch off enforcement
You can switch the system into permissive mode with the following command:echo 0 >/selinux/enforce
You'll need to be logged in as root, and in the sysadm_r role:
newrole -r sysadm_r
To switch back into enforcing mode:
echo 1 >/selinux/enforce
In Fedora Core and RedHat Enterprise Linux you can use the setenforce command with a 0 or 1 option to set permissive or enforcing mode, its just a slightly easier command than the above.
To check what mode the system is in,
cat /selinux/enforce
which will print a "0" or "1" for permissive or enforcing - probably printed at the beginning of the line of the command prompt. Permanently Permissive
The above will switch off enforcement temporarily - until you reboot the system. If you want the system to always start in permissive mode, then here is how you do it.In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and you will see some lines like this:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
... just change SELINUX=enforcing to SELINUX=permissive, and you're done. Reboot if you want to prove it.
For the other Linuxes which don't have the /etc/selinux/config file, you just need to edit the kernel boot line, usually in /boot/grub/grub.conf if you're using the GRUB boot loader. On the kernel line, add enforcing=0 at the end. For example,
title SE-Linux Test System
root (hd0,0)
kernel /boot/vmlinuz-2.4.20-selinux-2003040709 ro root=/dev/hda1 nousb enforcing=0
#initrd /boot/initrd-2.4.20-selinux-2003040709.img
Fully Disabling SELinux
Fully disabling SELinux goes one step further than just switching into permissive mode. Disabling will completely disable all SELinux functions including file and process labelling.In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and change the SELINUX line to SELINUX=disabled:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
... and then reboot the system.
For the other Linuxes which don't have the /etc/selinux/config file, you just need to edit the kernel boot line, usually in /boot/grub/grub.conf, if you're using the GRUB boot loader. On the kernel line, add selinux=0 at the end. For example,
title SE-Linux Test System
root (hd0,0)
kernel /boot/vmlinuz-2.4.20-selinux-2003040709 ro root=/dev/hda1 nousb selinux=0
#initrd /boot/initrd-2.4.20-selinux-2003040709.img
You will have to reboot to disable SELinux, you just can't do it while the system is running. Re-Enabling SELinux
If you've disabled SELinux as in the section above, and you want to enable it again then you've got a bit of work to do. The problem will be that files created or changed when SELinux was disabled won't have the correct file labels on them - if you just reboot in enforcing mode then a lot of stuff won't work properly.What you need to do is to enable SELinux by editing /etc/selinux/config (for Fedora/RedHat) or by adding selinux=1 to the kernel boot line, then boot intopermissive mode, then relabel everything, and then reboot into (or simply switch to) enforcing mode.
After booting into permissive mode, runfixfiles relabel
Alternatively, in Fedora and RedHat Enterprise Linux you can runtouch /.autorelabeland reboot or putautorelabelon the boot command line - in both cases the file system gets a full relabel early in the boot process. Note that this can take quite some time for systems with a large number of files.
After relabelling the filesystem, you can switch to enforcing mode (see above) and your system should be fully enforcing again.
发表评论
-
Linux下常见定位问题步骤
2013-05-06 15:42 1472Linux在服务器端,确实高效好用,并且稳定。但是不同的L ... -
netcat(nc)有1024的限制
2013-04-23 15:43 1333gnu的netcat是个非常不错的网络工具,可是当用来模拟发送 ... -
libtools的--tag=cxx command not found错误
2013-03-01 23:14 2188最近因为storm的原因,需要在各Linux(Debian ... -
Linux和Jetty的一点小冲突
2011-09-05 10:29 1808用Grails开发的一个app,发布在jetty中,开始一 ... -
unix下边删除"-"开头的文件
2011-06-10 11:34 2253ftp的时候,不小心创建了一个"-o" ... -
git修改已经提交的信息
2011-02-11 11:31 6980当你不小心,写错了提交的注视/信息,该如何处理呢。理论上, ... -
Redhat EL5:setup Installed (but unpackaged) file(s) found
2011-01-28 11:17 1714在EL5的系统中,使用Python的setup打包rpm的 ... -
install ruby19 and rubygems on Gentoo
2010-08-26 14:39 1497Ruby1.9.2 have released,but i ... -
emerge 小计
2010-07-13 18:01 1374emerge和ebuild是Gentoo的包管理核心,其 ... -
udev管理下的网卡
2010-07-12 17:14 1778最近在VirtualBox中使用Gentoo,不小心发现, ... -
Answers to some common problems and faq's
2010-01-29 17:03 1239Remark: For changes in the . ... -
206-unable to create Linux raw ethernet NIO
2009-11-08 15:32 2531最近处理Netflow的应用,因此找到了Cisco的Sim ... -
svn: OPTIONS错误
2009-06-22 10:49 4642完整的异常如下: svn: OPTIONS of 'http: ... -
ntfs-3g不再支持locale选项了
2009-04-01 18:07 2219如题,今天apt-get upgrade以后,重新启动后,发现 ... -
gitosis再安装(linux)
2009-01-04 17:27 2961有机会在Linux下边安装git服务了,而gitosis对于小 ... -
emacs的regex替换
2008-12-17 12:53 5652好多编辑器都是正则表达式的替换的,比如emacs,其他没有 ... -
git恼人的trailing whitespace
2008-11-22 20:07 18370用git进行版本控制,很爽!完全的分布式管理,让你可攻可守。 ... -
disable alt+click on xfce4
2008-08-02 21:42 1188because of conflict with Mylyn' ... -
set IFS
2008-06-30 15:21 1463IFS=Internal Field Separator 实在 ... -
升级Linux内核错误
2008-06-29 22:04 1727因为要使用ntfs-3g(内核至少2.6.22才不会有wa ...
相关推荐
This shows how to disable control alt and delete by tricking the computer into thinking that the screensaver is running.
后仿
As there are a lot questions about "how to disable home button in android?" on Stack Overflow, such as how to disable home button in android? Android - Is It possible to disable the click of home ...
标题中的“如何禁用Win95/98窗口”表明这是一个关于操作系统,特别是Windows 95和98的教程,具体涉及的是系统界面的自定义和管理。在早期的Windows操作系统中,用户可能会出于安全、性能优化或者个性化需求,想要...
### 如何关闭QC3.0 #### 背景与概述 QC3.0(Quick Charge 3.0)是高通公司推出的一种快速充电技术,旨在为移动设备提供更加快速、高效的充电体验。然而,在某些情况下,用户或制造商可能需要禁用这一功能,比如在...
2. selinux-disable:用于禁用 SELinux。 3. getsebool:用于获取 SELinux 布尔值。 4. setsebool:用于设置 SELinux 布尔值。 5. chcon:用于更改文件的安全上下文。 SELinux 的策略语言是一种特殊的语言,用于...
Severity Code Description ... To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details. 解决方案:更改预处理定义 右击项目名,选择Properties 在c/c++下选择Preprocessor 点击图
角色:禁用SELinux和IPTables 禁用SELinux和IPTables以安装并重新引导计算机 要求 没有任何 ... - { role: jermon.selinux_disable } 执照 GPL 作者信息 杰克·蒙特利乌斯(Jerker Montelius)2015
How to disable item like this picture
As there are a lot questions about "how to disable home button in android?" on Stack Overflow, such as how to disable home button in android? Android - Is It possible to disable the click of home b
`adb disable-verity` 是一个特定的adb命令,它涉及到Android系统的安全特性——verity模式。 verity模式是Android为了增强设备的安全性而引入的一种机制。它通过校验系统分区的哈希值来确保系统文件未被篡改,从而...
SELinux提供了丰富的接口供用户探索文件系统,包括文件系统的定位、文件系统的查询、enforce节点、disable文件接口、策略文件、null文件、mls文件、status文件、访问向量缓存、布尔值目录、类目录、初始上下文目录和...
此adb中无adb disable-verity命令,如果在cmd中输入以上命令会报 /system/bin/sh: disable-verity: not found 的错误。具体可看本人的文章 ”/system/bin/sh: disable-verity: not found 的解决方案“ 【使用方式】...
蚁剑的能绕过disable_functions的插件,插件无法下载问题
此adb工具包中包含了adb disable-verity命令,这里免费提供给大家使用,具体可看本人的文章 ”/system/bin/sh: disable-verity: not found 的解决方案“ 【使用方式】 platform-tools解压后即可使用。在cmd中通过cd...
【华为以太网交换机VLAN Disable功能和配置】 在华为的以太网交换机中,VLAN Disable是一项重要的配置选项,它允许用户在特定情况下禁用VLAN功能,以应对一些特殊的网络需求。VLAN(虚拟局域网)通常用于在网络中...
标题 "ulps_enable_disable.zip" 暗示了这是一个与启用或禁用ULPS相关的软件配置包。ULPS,全称Ultra Low Power State(超低功耗状态),是计算机硬件,特别是显卡中的一种节能技术。它允许设备在不活动时进入一种极...
交换机出现err-disable的原因及解决方法 在计算机网络中,交换机是连接各个设备的核心组件。但是,有时候交换机的接口会出现err-disable状态,这会导致网络瘫痪。那么,交换机出现err-disable的原因是什么呢?如何...
WordPress的插件:google字体插件-disable-google-fonts 解压后,请将目录名称:wordpress1,修改为:disable-google-fonts