SELinux set to disabled then going back to permissive

Support for security such as Firewalls and securing linux
Post Reply
ron7000
Posts: 103
Joined: 2019/01/15 20:00:28

SELinux set to disabled then going back to permissive

Post by ron7000 » 2019/05/19 04:54:05

  • tried making samba work, it would not; come to find out [correct me if i'm wrong] that default install of CentOS (or RHEL) that SELinux is set to enforcing but only SSH for example is allowed (ignorance is bliss) but SAMBA is not.
  • so I hastily found out about /etc/selinux/config and I set that sucker to disabled. Bamm, after reboot samba magically works.
  • then 5 minutes after reboot... reading the other option about permissive in the header of that file (as well as on the web and RHEL security guide) I am thinking I should have set it to permissive not disabled.
  • So I did, did a reboot, and system actually automatically rebooted twice on me but it came back up.
  • Now SSH does not work; so i went back to disabled, and SSH works.
Can somebody summarize what's happening and let me know what else needs to be done now to get things back in proper order? I thought the permissive settings was supposed to act like disabled and allow anything to happen but with an entry or warning in /var/log/audit/audit.log saying something to the effect of this service/process raised a red flag with selinux for whatever reason?

User avatar
TrevorH
Forum Moderator
Posts: 26320
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux set to disabled then going back to permissive

Post by TrevorH » 2019/05/19 11:41:11

tried making samba work, it would not; come to find out [correct me if i'm wrong] that default install of CentOS (or RHEL) that SELinux is set to enforcing but only SSH for example is allowed (ignorance is bliss) but SAMBA is not.
No. Not true. This is true of firewall rules - only ssh is allowed out of the box and nothing else. But selinux, no.
then 5 minutes after reboot... reading the other option about permissive in the header of that file (as well as on the web and RHEL security guide) I am thinking I should have set it to permissive not disabled.
Yes, you're right that would have been better. Even better than that would haev been to leave it alone and just run setenforce 0 as root to go from enforcing into permissive mode on the fly (no reboot required, in fact that turns it back on).
Can somebody summarize what's happening
When you disable it then it then new files that are created after that point do not get assigned selinux contexts. When you turn it back on and try to access those new files, access will be denied as the selinux context is wrong (or not set).

You cannot just go from disabled to enforcing in one go. You must:

edit /etc/sysconfig/selinux and turn it from disabled to permissive and save it. Now touch /.autorelabel; reboot and the system will reboot in permissive mode and relabel the entire filesystem, assigning the correct selinux labels to every file on the system. When that is done you can edit the file again and change permissive to enforcing.
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

ron7000
Posts: 103
Joined: 2019/01/15 20:00:28

Re: SELinux set to disabled then going back to permissive

Post by ron7000 » 2019/05/20 03:21:25

thanks,

i should clarify what happened with SAMBA (and this was on RHEL 7.6) that from win7 or win10 I could go to \\mylinuxserver and I did see the folder share however when i tried to enter than folder I then got denied with a non specific contact you administrator popup in windows. It was then that I disabled selinux and rebooted RHEL and then I could immediately access that share. Ok so problem narrowed down to selinux.

I did nothing else on the linux system (no new files created) other than log in as root and modify /etc/selinux/config and reboot and test my samba share only trying to enter the share folder. It was then that I went from disabled to permissive mode and got the double reboot but now when trying to SSH from my pc on the LAN to this server i was denied on that (i did not try the samba share)

I am pretty sure that in RHEL the default setting after install from dvd is enforcing; iwhen I get a chance i will boot my other disk of centos 7.6 and see what that selinux setting is which i assume is enforcing, haven't had a chance to mess with my centos disk to the extent that i want my priority right now is RHEL which I assume once I get that figured out everything learned will apply directly to centos

User avatar
TrevorH
Forum Moderator
Posts: 26320
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux set to disabled then going back to permissive

Post by TrevorH » 2019/05/20 06:04:36

It was then that I disabled selinux and rebooted RHEL and then I could immediately access that share. Ok so problem narrowed down to selinux.
Which would have been much more easily diagnosed just by going to permissive by running setenforce 0 which takes effect immediately and requires no reboot.
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

Post Reply