[CentOS] echo 0> /selinux/enforce

Tue Nov 5 22:53:27 UTC 2013
m.roth at 5-cent.us <m.roth at 5-cent.us>

Wes James wrote:
> On Tue, Nov 5, 2013 at 3:38 PM, <m.roth at 5-cent.us> wrote:
>> John R Pierce wrote:
>> > On 11/5/2013 2:15 PM, m.roth at 5-cent.us wrote:
>> >> Wes James wrote:
>> >>> >When does echo 0 > /selinux/inforce need to be used?  I.e., where
>> >>> is selinux enforcing itself on the system to protect it?  When I do
>> >>> yum install of some package, it seems to work (not being blocked).
>> >>> When would doing something not work because selinux is watching it (or
>> >>> whatever that process is doing)?
>> >>> >
>> >> It changes selinux mode from enforcing to permissive, which means it
>> >> still complains, but lets the processes run anyway.
>> >
>> > the most common scenario for selinux problems is when you change
>> > default locations for something, for instance, putting a postgresql
>> > cluster on a different path than /var/lib/postgresql/x.y/data, or have
>> > users with home directories other than /home/$USER
>> >
>> > if you do something like this and get weird errors, you can set
>> > selinux to permissive, and see your thing works.  if so, analyze the
>> > error logs to see what corrective action you need (typically,
>> > relabeling the unusual location for whatever it is).
>> Or you might need to create special local policies for software in
>> non-standard (but standard for your work environment) locations, or for
>> local or third party software that was written in total ignorance or
>> disregard of selinux (such as from CA, or Matlab...), or, in some cases,
>> just leave it in permissive mode.
>>      mark "NOT a fan of selinux, dealt with it far too much"
> OK.  Why not use some other linux that doesn't use selinux then?  I guess
> in permissive mode, you could still monitor the logs and take action, if
> needed.

1. The most widely used distro of Linux in the US is RHEL ("upstream") and
RHEL-derived distros,
         like CentOS. RHEL gives you selinux.
2. You really expect any organization, much less a large one, to change
distros just because
         there's issues that annoy sysadmins, and only occasionally users
(due to sysadmins
         fighting the good fight, and mostly beating the damn thing)?
3. I really, *REALLY* like a *stable* distro (don't get me started on
fedora). None of us
         wants to debug the o/s....

Yeah, I'm the one who does most of the shut selinux up around here....