
4 Effective Methods to Disable SELinux Temporarily or Permanently


http://www.thegeekstuff.com/2009/06/how-to-disable-selinux-redhat-fedora-debian-unix/

 

On some Linux distributions SELinux is enabled by default, which may cause unwanted issues if you don't understand how SELinux works and the fundamental details of how to configure it. I strongly recommend that you understand SELinux and implement it in your environment. But until you understand the implementation details of SELinux, you may want to disable it to avoid some unnecessary issues.
 
To disable SELinux you can use any one of the 4 different methods mentioned in this article.

SELinux enforces security policies, including the mandatory access controls defined by the US Department of Defence, using the Linux Security Module (LSM) defined in the Linux kernel. Every file and process in the system is tagged with specific labels that SELinux uses. You can use ls -Z to view those labels as shown below.

# ls -Z /etc/

-rw-r--r--  root root  system_u:object_r:etc_t:s0       a2ps.cfg
-rw-r--r--  root root  system_u:object_r:adjtime_t:s0   adjtime
-rw-r--r--  root root  system_u:object_r:etc_aliases_t:s0 aliases
drwxr-x---  root root  system_u:object_r:auditd_etc_t:s0 audit
drwxr-xr-x  root root  system_u:object_r:etc_runtime_t:s0 blkid
drwxr-xr-x  root root  system_u:object_r:bluetooth_conf_t:s0 bluetooth
drwx------  root root  system_u:object_r:system_cron_spool_t:s0 cron.d
-rw-rw-r--  root disk  system_u:object_r:amanda_dumpdates_t:s0 dumpdates

Method 1: Disable SELinux Temporarily

To disable SELinux temporarily you have to modify the /selinux/enforce file as shown below. Please note that this setting will be gone after the reboot of the system.

# cat /selinux/enforce
1

# echo 0 > /selinux/enforce


# cat /selinux/enforce
0

 
You can also use the setenforce command as shown below to disable SELinux. Possible parameters to the setenforce command are: Enforcing, Permissive, 1 (enable) or 0 (disable).

# setenforce 0

Method 2: Disable SELinux Permanently

To disable SELinux permanently, modify /etc/selinux/config and set SELINUX=disabled as shown below. Once you make any changes to /etc/selinux/config, reboot the server for the changes to take effect.

# cat /etc/selinux/config

SELINUX=disabled
SELINUXTYPE=targeted
SETLOCALDEFS=0

 
Following are the possible values for the SELINUX variable in the /etc/selinux/config file:

  • enforcing - The security policy is always enforced.
  • permissive - This just simulates the enforcing policy by only printing warning messages, without actually enforcing SELinux. This is a good way to first see how SELinux works and later figure out what policies should be enforced.
  • disabled - Completely disables SELinux.

 
Following are the possible values for the SELINUXTYPE variable in the /etc/selinux/config file. This indicates the type of policy that SELinux uses.

  • targeted - This policy protects only specific targeted network daemons.
  • strict - This is for maximum SELinux protection.

Method 3: Disable SELinux from the Grub Boot Loader

If you can't locate the /etc/selinux/config file on your system, you can disable SELinux by passing selinux=0 as a kernel parameter in the Grub boot loader configuration as shown below.

 

# cat /boot/grub/grub.conf

default=0
timeout=5
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
hiddenmenu
title Enterprise Linux Enterprise Linux Server (2.6.18-92.el5PAE)
root (hd0,0)
kernel /boot/vmlinuz-2.6.18-92.el5PAE ro root=LABEL=/ rhgb quiet selinux=0
initrd /boot/initrd-2.6.18-92.el5PAE.img
title Enterprise Linux Enterprise Linux Server (2.6.18-92.el5)
root (hd0,0)
kernel /boot/vmlinuz-2.6.18-92.el5 ro root=LABEL=/ rhgb quiet selinux=0
initrd /boot/initrd-2.6.18-92.el5.img

Method 4: Disable Only a Specific Service in SELinux – HTTP/Apache

If you are not interested in disabling SELinux entirely, you can also disable SELinux only for a specific service. For example, to disable SELinux for the HTTP/Apache service, modify the httpd_disable_trans variable in the /etc/selinux/targeted/booleans file.
 
Set the httpd_disable_trans variable to 1 as shown below.

# grep httpd /etc/selinux/targeted/booleans
httpd_builtin_scripting=1
httpd_disable_trans=1
httpd_enable_cgi=1
httpd_enable_homedirs=1
httpd_ssi_exec=1
httpd_tty_comm=0
httpd_unified=1

 
Set the SELinux boolean value using the setsebool command as shown below. Make sure to restart the HTTP service after this change.

# setsebool httpd_disable_trans 1

# service httpd restart
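
Each of the four methods above leaves a setting behind that can be checked later, for example when reviewing a host to see whether SELinux is still switched off. The script below is an added example, not part of the original article; audit_selinux and its ROOT argument are hypothetical names, and the file paths are the ones used in this article.

```sh
#!/bin/sh
# Added example (not from the original article): audit a filesystem tree for
# the SELinux-off settings described above. audit_selinux is a hypothetical
# helper; ROOT="" means the live system. Prints one line per finding.

audit_selinux() {
    root=$1

    # Method 1: runtime switch. Anything but 1 in the enforce node is reported.
    f=$root/selinux/enforce
    if [ -r "$f" ]; then
        [ "$(cat "$f")" = 1 ] || echo "runtime: enforce node is not 1 ($f)"
    else
        echo "runtime: no enforce node at $f"
    fi

    # Method 2: persistent mode. Anything but enforcing is reported.
    f=$root/etc/selinux/config
    if [ -r "$f" ]; then
        mode=$(sed -n 's/^SELINUX=\([A-Za-z]*\).*/\1/p' "$f" | head -n 1 |
               tr '[:upper:]' '[:lower:]')
        [ "$mode" = enforcing ] || echo "config: SELINUX=${mode:-unset} ($f)"
    else
        echo "config: $f missing"
    fi

    # Method 3: selinux=0 on a kernel line of the GRUB config.
    f=$root/boot/grub/grub.conf
    if [ -r "$f" ]; then
        n=$(grep -Ec '^[[:space:]]*kernel[[:space:]].*[[:space:]]selinux=0([[:space:]]|$)' "$f" || :)
        [ "$n" -eq 0 ] || echo "grub: $n kernel line(s) pass selinux=0 ($f)"
    fi

    # Method 4: httpd exempted from SELinux in the booleans file.
    f=$root/etc/selinux/targeted/booleans
    if [ -r "$f" ] && grep -q '^httpd_disable_trans=1' "$f"; then
        echo "boolean: httpd_disable_trans=1 ($f)"
    fi
    return 0
}

# Run against the live system, or against a tree given as the first argument.
audit_selinux "${1:-}"
```

An empty result means none of the four settings was found under the given root; a missing enforce node is reported because it can mean SELinux is off or that selinuxfs is mounted at a different path.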