When does echo 0 > /selinux/inforce need to be used? I.e., where is selinux enforcing itself on the system to protect it? When I do yum install of some package, it seems to work (not being blocked). When would doing something not work because selinux is watching it (or whatever that process is doing)?

Thanks,

-wes

Wes James wrote:
> When does echo 0 > /selinux/inforce need to be used? I.e., where is
> selinux enforcing itself on the system to protect it? When I do yum
> install of some package, it seems to work (not being blocked). When would
> doing something not work because selinux is watching it (or whatever that
> process is doing)?
>

It changes selinux mode from enforcing to permissive, which means it still complains, but lets the processes run anyway.

mark

On 11/05/2013 05:13 PM, Wes James wrote:

First you should use setenforce 0/setenforce 1.

Theoretically never. It should really be discouraged. It is like the Enterprise bringing its "Shields" down. SELinux in permissive mode will continue to do access checks but just logs them but does not block access.

SELinux blocks "confined" processes, but usually does not block the administrator who is running as unconfined_t, and is allowed to do everything he could do if SELinux was disabled. Confined processes are targeted to system services. Stuff that is started at boot versus processes started by a logged in user.

I blog on the topic a lot at danwalsh.livejournal.com

BTW, When do I need to setenforce 0? SELinux is a labeling system, if your labels get screwed up, you might need to setenforce 0 to get the system to run. Commands like restorecon/fixfiles can be used to restore the labels on your system to the default.
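
An added example, not part of any message in this thread: shell functions that summarise the AVC denials SELinux logs, which shows both points made in the replies above (permissive mode still records every failed access check, and the denied sources are confined service domains rather than unconfined_t). The audit lines are constructed samples, and `sample_audit_log`, `avc_summary` and `avc_source_domains` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed audit.log excerpt (not from a real host): AVC denials from
# confined service domains, one repeated, plus one unrelated SYSCALL record.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1383696780.101:410): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1383696780.101:410): arch=c000003e syscall=2 success=yes exit=3 comm="httpd"
type=AVC msg=audit(1383696781.207:411): avc:  denied  { read } for  pid=2102 comm="httpd" name="about.html" dev=dm-0 ino=1312 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1383696790.310:415): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1383696795.012:420): avc:  denied  { read open } for  pid=900 comm="ntpd" name="ntp.conf" dev=dm-0 ino=2210 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
EOF
}

# Read audit records on stdin and print one line per distinct denial:
#   count source_type target_type class permissions
avc_summary() {
  awk '
    /avc: +denied/ {
      perms = $0
      sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms); gsub(/ /, ",", perms)
      stype = ttype = class = "?"
      for (i = 1; i <= NF; i++) {
        if (index($i, "scontext=") == 1) { split(substr($i, 10), c, ":"); stype = c[3] }
        if (index($i, "tcontext=") == 1) { split(substr($i, 10), c, ":"); ttype = c[3] }
        if (index($i, "tclass=") == 1)   class = substr($i, 8)
      }
      seen[stype " " ttype " " class " " perms]++
    }
    END { for (k in seen) print seen[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2
}

# List the distinct source domains that were denied something.
avc_source_domains() {
  avc_summary | awk '{ print $2 }' | LC_ALL=C sort -u
}

sample_audit_log | avc_summary
```

On a real host the same function can read /var/log/audit/audit.log instead of the sample. A target type such as `user_home_t` on web content indicates a mislabeled file, which is the situation restorecon/fixfiles address.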