Disable SELinux on Oracle Linux 7

Sometimes when I want to test something or write a prototype of some sort, SELinux (Security-Enhanced Linux) kicks in and hinders me, given that it is enabled by default on OL 7 UEK 4. STOP! Before I let you continue to read, take a mental note of my disclaimer: I am an advocate of having security turned on by default. It helps us provide better and obviously more secure systems, which, in turn, helps the world save time and money. Security should never, ever be turned off for production systems!
With this being said, here are a couple of quick steps for how to get around it.

tl;dr

  • setenforce 0
  • vim /etc/sysconfig/selinux
  • SELINUX=permissive

Current SELinux status

Linux provides a simple command, sestatus (the SELinux status tool), that tells you, as the name suggests, the status of SELinux:

[root@localhost oracle]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 29

In my case it is, as per default, enabled. There are three modes for SELinux: enforcing, disabled and permissive. I think that enforcing and disabled are self-explanatory; permissive is slightly different. Permissive is the setting to print warnings instead of enforcing SELinux. This is useful, for example, if you want to test something and see whether SELinux would or wouldn’t allow it.

In my case, as this is a test machine, I shouldn’t really care much about whether I set it to disabled or permissive. However, given that security is a good thing and a must for production environments, I can’t see why I would ever set SELinux to disabled if I can have warnings instead and build my software to work with SELinux correctly. So I’m opting for the permissive mode instead.

Linux has another command that allows you to switch between enforcing and permissive in the currently running environment. That command is setenforce (modify the mode SELinux is running in). It takes just one parameter and only four values:

  • Enforcing or 1
  • Permissive or 0

So, all I have to do is:

[root@localhost oracle]# setenforce Permissive

[root@localhost oracle]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 29

That does the trick to set my current environment to permissive: Current mode: permissive. However, that is not a permanent setting. Note the line Mode from config file: enforcing in the output above. That is the setting that the machine will pick up upon reboot. So there is one more task to perform.

Make SELinux status permanent

In order to make the SELinux mode permanent I have to do one more thing: change the config file. This change is also easy. All you have to do is open the config file /etc/sysconfig/selinux and set SELINUX=permissive, and you are all set:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

[root@localhost oracle]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 29
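
The gap between the running mode and the mode picked up on reboot, which the two sestatus outputs above illustrate, can also be checked by script. The following is an added example, not part of the original post; the function names are hypothetical and the sample input is constructed from the sestatus output shown above.

```shell
#!/bin/sh
# Added example: report whether the running SELinux mode matches the mode
# the machine will boot into. Function names are hypothetical.

# Print the value of one "Key: value" field from sestatus output on stdin.
sestatus_field() {
    awk -F: -v key="$1" '$1 == key { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# Print the SELINUX= value from a config file. Comment lines and the
# SELINUXTYPE= line do not match. On OL 7, /etc/sysconfig/selinux is
# normally a symlink to /etc/selinux/config.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Read sestatus output on stdin and print one of:
#   "consistent <mode>", "drift <runtime> <config>", or "unknown"
# ("unknown" covers output without mode lines, e.g. SELinux disabled).
mode_drift() {
    out=$(cat)
    runtime=$(printf '%s\n' "$out" | sestatus_field "Current mode")
    boot=$(printf '%s\n' "$out" | sestatus_field "Mode from config file")
    if [ -z "$runtime" ] || [ -z "$boot" ]; then
        echo "unknown"
    elif [ "$runtime" = "$boot" ]; then
        echo "consistent $runtime"
    else
        echo "drift $runtime $boot"
    fi
}

# Constructed sample: the state right after "setenforce Permissive",
# before the config file has been edited.
SAMPLE_AFTER_SETENFORCE='SELinux status: enabled
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing'

# On a live host: sestatus | mode_drift
printf '%s\n' "$SAMPLE_AFTER_SETENFORCE" | mode_drift
```

A "drift" result means the next reboot will change the mode; on a test machine that is the reminder to edit the config file, and on any other machine it is a reason to find out who ran setenforce.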

Author: Gerald

Developer, Oracle expert, performance enthusiast and genuine technology geek.
