Disable selinux oracle linux

Oracle® Linux

Administering SELinux

Copyright © 2019, 2021 Oracle and/or its affiliates.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs) and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end users are «commercial computer software» or «commercial computer software documentation» pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, reproduction, duplication, release, display, disclosure, modification, preparation of derivative works, and/or adaptation of i) Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs), ii) Oracle computer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in the license contained in the applicable contract. The terms governing the U.S. Government’s use of Oracle cloud services are defined by the applicable contract for such services. No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Inside are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Epyc, and the AMD logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.

Oracle Documentation License

This document uses the Web-based Help format from DocBook XML. The following license information applies to this format.

Copyright © 1999-2007 Norman Walsh

Copyright © 2003 Jiri Kosek

Copyright © 2004-2007 Steve Ball

Copyright © 2005-2008 The DocBook Project

Copyright © 2011-2012 O’Reilly Media

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the «Software»), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:


The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

Except as contained in this notice, the names of individuals credited with contribution to this software shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization from the individuals in question.

Any stylesheet derived from this Software that is publicly distributed will be identified with a different name and the version strings in any derived Software will be changed so that no possibility of confusion between the derived package and this Software will exist.

THE SOFTWARE IS PROVIDED «AS IS», WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL NORMAN WALSH OR ANY OTHER CONTRIBUTOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Web-based Help from DocBook XML

Copyright © 2008-2012 Kasun Gajasinghe, David Cramer

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

Except as contained in this notice, the names of individuals credited with contribution to this software shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization from the individuals in question.

Any stylesheet derived from this Software that is publicly distributed will be identified with a different name and the version strings in any derived Software will be changed so that no possibility of confusion between the derived package and this Software will exist.

Warranty: THE SOFTWARE IS PROVIDED «AS IS», WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL DAVID CRAMER, KASUN GAJASINGHE, OR ANY OTHER CONTRIBUTOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Certain search characteristics associated with the DocBook XSL webhelp stylesheets are provided as javascript files generated using Apache Lucene and other fourth party technologies, which are licensed under the Apache License reproduced below.


Disable SELinux on Oracle Linux 7

Sometimes when I want to test something or write a prototype of some sort SELinux (Security-Enhanced Linux) kicks in and hinders me, given that it is enabled by default on OL 7 UEK 4. STOP! Before I let you continue to read take a mental note of my disclaimer: I am an advocate of having security turned on by default. It helps us provide better and obviously more secure systems which, in turn, helps the world save time and money. Security should never, ever be turned off for production systems!
With this being said, here are a couple of quick steps for how to get around it.

  • setenforce 0
  • vim /etc/sysconfig/selinux
  • SELINUX=permissive


Current SELinux status

Linux provides a simple command, sestatus (SELinux status tool), that tells you, as the name suggests, the status of SELinux:

In my case it is, as per default, enabled. There are three modes for SELinux: enabled, disabled and permissive. I think that enabled and disabled are self-explanatory; permissive is slightly different. Permissive is the setting to print warnings instead of enforcing SELinux. This is useful, for example, if you want to test something and see whether SELinux would or wouldn’t allow it. In my case, as this is a test machine, I shouldn’t really care much about whether I set it to disabled or permissive. However, given that security is a good thing and a must for production environments, I can’t see why I would ever set SELinux to disabled if I can have warnings instead and build my software to work with SELinux correctly. So I’m opting for the permissive status instead. Linux has another command that allows you to switch between enabled and permissive in the current running environment. That command is setenforce (modify the mode SELinux is running in). It takes just one parameter and only four values:

  • Enforcing or 1
  • Permissive or 0

So, all I have to do is:

That does the trick to set my current environment to permissive: Current mode: permissive. However, that is not a permanent setting. Note line 9 in the output above: Mode from config file: enforcing. That is the setting that the machine will pick up upon reboot. So there is one more task to perform.

Make SELinux status permanent

In order to make the SELinux mode permanent I have to do one more thing: change the config file. This change is also easy. All you have to do is open the config file /etc/sysconfig/selinux, set SELINUX=permissive, and you are all set:


Chapter 1 About Administering SELinux in Oracle Linux

This chapter describes the SELinux feature and provides tasks for administering SELinux on Oracle Linux systems.

The content in this document was tested against Oracle Linux 8, but generally applies to most Oracle Linux releases, and may also apply to other distributions.

Traditional Linux security is based on a Discretionary Access Control (DAC) policy, which provides minimal protection from broken software or from malware that is running as a normal user or as root. Access to files and devices is based solely on user identity and ownership. Malware or broken software can do anything with files and resources that the user that started the process can do. If the user is root or the application is setuid or setgid to root, the process can have root-access control over the entire file system.

The National Security Agency created Security Enhanced Linux (SELinux) to provide a finer-grained level of control over files, processes, users and applications in the Linux operating system. The SELinux enhancement to the Linux kernel implements the Mandatory Access Control (MAC) policy, which allows you to define a security policy that provides granular permissions for all users, programs, processes, files, and devices. The kernel’s access control decisions are based on all the security relevant information available, and not solely on the authenticated user identity.

When security-relevant access occurs, such as when a process attempts to open a file, SELinux intercepts the operation in the kernel. If a MAC policy rule allows the operation, it continues; otherwise, SELinux blocks the operation and returns an error to the process. The kernel checks and enforces DAC policy rules before MAC rules, so it does not check SELinux policy rules if DAC rules have already denied access to a resource.

1.1 SELinux Package Descriptions

SELinux contains several packages, each of which contains specific utilities that you can use to administer SELinux on your Oracle Linux systems. Some packages are installed by default, while other packages are optional.

The following table describes the SELinux packages that are installed by default with Oracle Linux.

Provides utilities such as load_policy, restorecon, secon, setfiles, semodule, sestatus, and setsebool for operating and managing SELinux.

Provides the API that SELinux applications use to get and set process and file security contexts, and to obtain security policy decisions.

Contains Python bindings for developing SELinux applications.

Provides the SELinux Reference Policy, which is used as the basis for other policies, such as the SELinux targeted policy.

Provides support for the SELinux targeted policy, where objects outside the targeted domains run under DAC.

Provides the avcstat, getenforce, getsebool, matchpathcon, selinuxconlist, selinuxdefcon, selinuxenabled, setenforce, and togglesebool utilities.

The following table describes useful SELinux packages that are not installed by default.

Translates SELinux levels, such as s0-s0:c0.c1023, to an easier-to-read form, such as SystemLow-SystemHigh.

Provides additional Python utilities for operating SELinux, such as audit2allow, audit2why, chcat, and semanage.

Provides support for the strict Multilevel Security (MLS) policy as an alternative to the SELinux targeted policy.

Allows you to view setroubleshoot-server messages by using the sealert command.

Translates access-denial messages from SELinux into detailed descriptions that you can view on the command line using the sealert command.

Provides the Tresys Technology SETools distribution of tools and libraries, which you can use to analyze and query policies, monitor and report audit logs, and manage file context.

Use the dnf command or another suitable package manager to install any additional SELinux packages that you require for your system.

For more information, see the SELinux Project Wiki, the selinux(8) manual page, and other manual pages for the SELinux commands.

1.2 Using SELinux Utilities

The following table describes the utilities that you can use to administer SELinux and information about the packages that contain each utility.

audit2allow

Generates SELinux policy allow_audit rules from logs of denied operations.

audit2why

Generates SELinux policy don’t_audit rules from logs of denied operations.

avcstat

Displays statistics for the SELinux Access Vector Cache (AVC).

chcat

Changes or removes the security category for a file or user.

findcon

Searches for file context.

fixfiles

Fixes the security context for file systems.

getenforce

Reports the current SELinux mode.

getsebool

Reports SELinux boolean values.

indexcon

Indexes file context.

load_policy

Loads a new SELinux policy into the kernel.

matchpathcon

Queries the system policy and displays the default security context that is associated with the file path.

replcon

Replaces file context.

restorecon

Resets the security context on one or more files.

restorecond

Daemon that watches for file creation and sets the default file context.

sandbox

Runs a command in an SELinux sandbox.

sealert

Acts as the user interface to the setroubleshoot system, which diagnoses and explains SELinux AVC denials and provides recommendations on how to prevent such denials.

seaudit-report

Reports from the SELinux audit log.

sechecker

Checks SELinux policies.

secon

Displays the SELinux context from a file, program, or user input.

sediff

Compares SELinux policies.

seinfo

Queries SELinux policies.

selinuxconlist

Displays all SELinux contexts that are reachable by a user.

selinuxdefcon

Displays the default SELinux context for a user.

selinuxenabled

Indicates whether SELinux is enabled.

semanage

Manages SELinux policies.

semodule

Manages SELinux policy modules.

semodule_deps

Displays the dependencies between SELinux policy packages.

semodule_expand

Expands a SELinux policy module package.

semodule_link

Links SELinux policy module packages together.

semodule_package

Creates a SELinux policy module package.

sesearch

Queries SELinux policies.

sestatus

Displays the SELinux mode and the SELinux policy that are in use.

setenforce

Modifies the SELinux mode.

setsebool

Sets SELinux boolean values.

setfiles

Sets the security context for one or more files.

togglesebool

Flips the current value of an SELinux boolean.

1.3 Setting SELinux Modes

SELinux runs in one of three modes:

Disabled

The kernel uses only DAC rules for access control. SELinux does not enforce any security policy because no policy is loaded into the kernel.

Enforcing

The kernel denies access to users and programs unless permitted by SELinux security policy rules. All denial messages are logged as AVC (Access Vector Cache) denials. This is the default mode that enforces SELinux security policy.

Permissive

The kernel does not enforce security policy rules but SELinux sends denial messages to a log file. This allows you to see what actions would have been denied if SELinux were running in enforcing mode. This mode is intended to be used for diagnosing the behavior of SELinux.

To display the current SELinux mode:

To set the current mode to Enforcing:

To set the current mode to Permissive:

The current value that you set for a mode using setenforce does not persist across reboots. To configure the default SELinux mode, edit the configuration file for SELinux, /etc/selinux/config, and set the value of the SELINUX directive to disabled, enforcing, or permissive.
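The gap between the running mode and the configured mode described above (the same gap the earlier blog excerpt shows as "Current mode" versus "Mode from config file") can be checked mechanically. The following is an added shell example, not part of the Oracle documentation or the blog post; the function names, verdict labels and sample file are constructed for illustration, and only getenforce and the SELINUX directive come from the page.

```shell
#!/bin/sh
# Added example (not from the original page): audit the running SELinux mode
# against the mode the config file will apply at the next boot.

# config_mode FILE: print the lower-cased value of the SELINUX= directive.
# Comments and SELINUXTYPE= never match; if the directive is repeated, this
# sketch reports the last one (an assumption of the example).
config_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr 'A-Z' 'a-z')
    echo "${mode:-unset}"
}

# runtime_mode: lower-cased getenforce output, or "unknown" without SELinux tools.
runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr 'A-Z' 'a-z'
    else
        echo unknown
    fi
}

# audit_selinux RUNNING FILE: one-line verdict suitable for a host inventory.
audit_selinux() {
    running=$1
    persistent=$(config_mode "$2")
    case "$running/$persistent" in
        enforcing/enforcing)  echo "OK: enforcing now and after reboot" ;;
        enforcing/*)          echo "DRIFT: enforcing now, $persistent after reboot" ;;
        permissive/enforcing) echo "TEMPORARY: permissive now, enforcing after reboot" ;;
        unknown/*)            echo "UNKNOWN: no getenforce, $persistent after reboot" ;;
        *)                    echo "WEAK: $running now, $persistent after reboot" ;;
    esac
}

# Constructed sample config, shaped like /etc/selinux/config.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

audit_selinux permissive "$sample"         # state right after `setenforce 0`
audit_selinux "$(runtime_mode)" "$sample"  # live runtime mode vs. the sample file
rm -f "$sample"
```

On a real host, pass /etc/selinux/config as the file argument; on Oracle Linux 7, /etc/sysconfig/selinux is normally a symbolic link to that file, so an editor that replaces the link with a regular file leaves the real configuration unchanged.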
