Hi all, I've set SELinux to disabled using the security and firewall widget but I'm still getting a lot of messages in Logwatch....
NULL security context for user, but SELinux in permissive mode, continuing ()
So it looks like SELinux is still operating. Can anyone tell me how to turn it off completely? It's my development server under my desk so I really don't care about security.
thanks
2009/1/23 Kevin Thorpe kevin@pricetrak.com:
> Hi all, I've set SELinux to disabled using the security and firewall widget but I'm still getting a lot of messages in Logwatch....
> NULL security context for user, but SELinux in permissive mode, continuing ()
> So it looks like SELinux is still operating. Can anyone tell me how to turn it off completely? It's my development server under my desk so I really don't care about security.
system-config-securitylevel selinux -> deactivated, disable (or something like that) and you won't hear from selinux anymore.
Laurent.
On Fri, 2009-01-23 at 12:30 +0000, Kevin Thorpe wrote:
> Hi all, I've set SELinux to disabled using the security and firewall widget but I'm still getting a lot of messages in Logwatch....
> NULL security context for user, but SELinux in permissive mode, continuing ()
> So it looks like SELinux is still operating. Can anyone tell me how to turn it off completely? It's my development server under my desk so I really don't care about security.
---- changing mode doesn't take effect until next restart
Craig
Kevin Thorpe wrote on Fri, 23 Jan 2009 12:30:58 +0000:
> but SELinux in permissive mode
You didn't disable it, you set it to permissive (= report, but don't do anything).
Kai
Kevin Thorpe wrote:
> Hi all, I've set SELinux to disabled using the security and firewall widget but I'm still getting a lot of messages in Logwatch....
> NULL security context for user, but SELinux in permissive mode, continuing ()
> So it looks like SELinux is still operating. Can anyone tell me how to turn it off completely? It's my development server under my desk so I really don't care about security.
> thanks
It's on the Wiki:
http://wiki.centos.org/HowTos/SELinux#head-430e52f7f8a7b41ad5fc42a2f95d3e495...
Edit the SELINUX= line in /etc/selinux/config to 'disabled' (SELINUX=disabled) and reboot.
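An added example, not part of the original message or the wiki page: a shell check that compares the SELINUX= value in the config file with the running mode reported by getenforce, and flags the situation in this thread (config already says disabled, kernel still permissive until the reboot). The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare the boot-time SELinux setting
# with the mode the kernel is running in. Function names are illustrative.

# Print the value of the last SELINUX= line in config file $1, lower-cased,
# or "missing". Comment lines and SELINUXTYPE= do not match.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" 2>/dev/null |
        tail -n 1 | tr '[:upper:]' '[:lower:]' | grep . || echo missing
}

# $1 = configured value, $2 = runtime mode as printed by getenforce
# (Enforcing, Permissive or Disabled).
selinux_verdict() {
    cfg=$1
    run=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case $cfg in
        enforcing|permissive|disabled) ;;
        *) echo invalid-config; return 0 ;;   # e.g. a misspelled value
    esac
    if [ "$cfg" = "$run" ]; then
        echo consistent
    elif [ "$cfg" = disabled ] || [ "$run" = disabled ]; then
        echo reboot-pending      # enabling or disabling only happens at boot
    else
        echo runtime-override    # setenforce was used, or the file was edited since boot
    fi
}

# Constructed sample: config already edited to "disabled", host not rebooted,
# so the running mode is still Permissive.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=disabled
SELINUXTYPE=targeted
EOF
    selinux_verdict "$(configured_mode "$tmp")" Permissive
    rm -f "$tmp"
}
demo   # prints: reboot-pending

# On a real host:
#   selinux_verdict "$(configured_mode /etc/selinux/config)" "$(getenforce)"
```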
Kevin Thorpe wrote:
> Hi all, I've set SELinux to disabled using the security and firewall widget but I'm still getting a lot of messages in Logwatch....
> NULL security context for user, but SELinux in permissive mode, continuing ()
> So it looks like SELinux is still operating. Can anyone tell me how to turn it off completely? It's my development server under my desk so I really don't care about security.
I remove all of the selinux packages and disable it as well in
packages I make sure are not installed via kickstart:
CentOS 4.x libselinux libselinux-devel libsepol selinux-policy-targeted
CentOS 5.x libselinux libselinux-devel libselinux-python libsemanage libsepol libsepol-devel selinux-policy selinux-policy-targeted
on CentOS 4.x I also do this via kickstart:
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux
as using kickstart's internal stuff to disable selinux didn't seem to do the job.
nate
nate wrote:
> Kevin Thorpe wrote:
> packages I make sure are not installed via kickstart:
> CentOS 4.x libselinux libselinux-devel libsepol selinux-policy-targeted
> CentOS 5.x libselinux libselinux-devel libselinux-python libsemanage libsepol libsepol-devel selinux-policy selinux-policy-targeted
And what does "rpm -q libselinux" say is installed on those systems?
Hint: Well over half the packages in a typical installation bring in libselinux as a direct or indirect dependency.
Robert Nichols wrote:
> And what does "rpm -q libselinux" say is installed on those systems?
> Hint: Well over half the packages in a typical installation bring in libselinux as a direct or indirect dependency.
Yeah that seems true, too bad. I guess as long as it's disabled it's ok. I suppose.
[root@pd1-rsync001:/etc/sysconfig]# sestatus
SELinux status: disabled
I can certainly see value in SELinux in some environments, I have yet to operate one where it would provide value to me.
nate
nate wrote:
> I can certainly see value in SELinux in some environments, I have yet to operate one where it would provide value to me.
I find that SELinux runs in enforcing mode quite unobtrusively on my laptop, where I'm running a pretty much out-of-the-box Fedora 10. On my CentOS 5 desktop, though, forget it! I'm doing too many things like a dhclient-exit-hooks script that adjusts named.conf and tells the daemon to reload, a script that saves some accounting info when iptables is stopped, various cron jobs that invoke constrained executables to do horrible things like write something to a file, ..., that sort of thing. Every time I take a stab at enabling SELinux in that environment and get close to figuring out enough local policy adjustments and custom labeling to make it work, a new release comes along and none of what I've done works any more. On that system, all removable parts of SELinux have been removed, and all security attributes have been purged from the filesystems.
On Fri, 2009-01-23 at 23:39 -0600, Robert Nichols wrote:
> nate wrote:
>> I can certainly see value in SELinux in some environments, I have yet to operate one where it would provide value to me.
> I find that SELinux runs in enforcing mode quite unobtrusively on my laptop, where I'm running a pretty much out-of-the-box Fedora 10. On my CentOS 5 desktop, though, forget it! I'm doing too many things like a dhclient-exit-hooks script that adjusts named.conf and tells the daemon to reload, a script that saves some accounting info when iptables is stopped, various cron jobs that invoke constrained executables to do horrible things like write something to a file, ..., that sort of thing. Every time I take a stab at enabling SELinux in that environment and get close to figuring out enough local policy adjustments and custom labeling to make it work, a new release comes along and none of what I've done works any more. On that system, all removable parts of SELinux have been removed, and all security attributes have been purged from the filesystems.
---- yes and yes
it seems as though RHEL 5.3 has added all of the tools now in Fedora 9/10 and that means a lot of changes are coming down the pipe for SELinux on CentOS 5.
But the tools are clearly better tools - i.e. SETroubleShooter
C'est la vie - the price of adding another layer of security I suppose.
Craig
setenforce 0
2009/1/23 Kevin Thorpe kevin@pricetrak.com
> Hi all, I've set SELinux to disabled using the security and firewall widget but I'm still getting a lot of messages in Logwatch....
> NULL security context for user, but SELinux in permissive mode, continuing ()
> So it looks like SELinux is still operating. Can anyone tell me how to turn it off completely? It's my development server under my desk so I really don't care about security.
> thanks
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
Hi,
Probably not what you wanted to hear, but:
On Fri, Jan 23, 2009 at 07:30, Kevin Thorpe kevin@pricetrak.com wrote:
> It's my development server under my desk
And how do you expect the things you develop to run under SELinux in production?
> so I really don't care about security.
Sounds bad. (Yes, I know it is out of context, but it is bad in any context.)
If you develop for Linux, in particular for RHEL/CentOS 4 or 5, you should take the opportunity to learn more about SELinux and how to work with it.
You can start here: http://wiki.centos.org/HowTos/SELinux
This mailing list is also a great resource to answer any questions on problems related to SELinux.
HTH, Filipe
Filipe Brandenburger wrote:
> Hi,
> Probably not what you wanted to hear, but:
> On Fri, Jan 23, 2009 at 07:30, Kevin Thorpe kevin@pricetrak.com wrote:
>> It's my development server under my desk
> And how do you expect the things you develop to run under SELinux in production?
>> so I really don't care about security.
> Sounds bad. (Yes, I know it is out of context, but it is bad in any context.)
> If you develop for Linux, in particular for RHEL/CentOS 4 or 5, you should take the opportunity to learn more about SELinux and how to work with it.
> You can start here: http://wiki.centos.org/HowTos/SELinux
I totally agree but I haven't got time at the moment.