2

I am running a VirtualBox CentOS 6.4 (64 bit) server with the Cobbler service. One of the steps is to disable SELinux in order to prevent a Python error when running service cobblers start. If I run setenforce 0 everything is fine, but I have to run that command every time the server restarts. I tried changing /etc/sysconfig/selinux to SELINUX=disabled and also SELINUX=permissive before restarting, but sestatus keeps showing that CentOS starts with SELinux running. Do I need to change a different config file, or have I configured the selinux file incorrectly?

Youtube video showing selinux config file, rebooting and then checking status

Programster
  • It seems like this guy has the same issue in fedora: http://serverfault.com/questions/500957/selinux-disabled-but-still-enforcing?rq=1 – Programster Apr 21 '13 at 11:15
  • 1
    Disabling SELinux is never the right answer. You should put it into Permissive mode, then use "sealert -a /var/log/audit/audit.log" to see what would be blocked in "Enforcing" mode. Remedy those issues with either "restorecon" (mislabeled files), setting SELinux booleans, or using audit2allow to create a custom policy for your system. – tgharold Jun 02 '13 at 22:54

2 Answers

3

Setting SELINUX=disabled in the file /etc/sysconfig/selinux should be enough. You can also disable it from the kernel. Edit the file /etc/default/grub and add selinux=0 to the GRUB_CMDLINE_LINUX variable and update your GRUB configuration:

shell# grub2-mkconfig -o /etc/grub2.cfg

After rebooting, check SELinux status. The getenforce command should print Disabled.

Spack
  • Ok well I have rebooted and used 'getenforce' instead of sestatus. It outputs Enforcing. Here is a video to show: http://youtu.be/hZzP-kOtGfU – Programster Apr 21 '13 at 11:20
  • I've edited my answer. – Spack Apr 21 '13 at 11:32
  • It appears that I do not have a /etc/default/grub file. Perhaps I need to edit the /etc/grub.conf file? There is no GRUB_CMDLINE_LINUX variable in there though. Also grub2-mkconfig -o /etc/grub2.cfg resulted in `grub2-mkconfig: command not found` Perhaps I should let you know that I am running a bare minimal centos 6.4 net-install... – Programster Apr 21 '13 at 11:43
  • @Programster, CentOS 6 is on Grub 1, IIRC. Thus, this part only works on CentOS 7 and later. – maxschlepzig Oct 03 '19 at 09:48
1

You need to set it in /etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

The correct location to pass selinux=0 as a kernel boot parameter is in /etc/grub.conf:

kernel /boot/vmlinuz-2.6.32-358.2.1.el6.x86_64 ro root=/dev/xvda1 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto console=tty0 selinux=0

PS: SELinux should only be set to permissive to debug a problem. Run it in permissive, see what gets logged to /var/log/audit.log, fix the denials, then switch it back to enforcing. Do not run it in permissive or disabled long term.

squareborg
  • When I originally read this answer I had not properly read the paths. I needed to change /etc/selinux/config instead of /etc/sysconfig/selinux as you stated. – Programster May 01 '13 at 15:47
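
An added example, not code from any of the posters: a shell check for the situation in this thread, where the file that was edited was not the one that decided the mode at boot. It reads the SELINUX= line from a given config path, reports whether /etc/sysconfig/selinux is still the same file as /etc/selinux/config (on CentOS it normally ships as a symlink to it), and accounts for selinux=0 or enforcing=0 on the kernel command line. The function names and the --report switch are this example's own.

```bash
#!/bin/bash
# Added example: find out which setting decides the SELinux mode at boot.
# Function names and the --report switch are this example's own.

# First uncommented SELINUX= value in a config file, lowercased.
selinux_config_mode() {
    sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | head -n 1 | tr 'A-Z' 'a-z'
}

# Is the alias path ($1) still the same file as the real config ($2)?
# Prints: linked | detached-copy | missing
sysconfig_link_state() {
    if [ ! -e "$1" ]; then echo missing
    elif [ "$1" -ef "$2" ]; then echo linked
    else echo detached-copy    # edits here never reach the real config
    fi
}

# SELinux override on a kernel command line ($1): disabled | permissive | none
cmdline_override() {
    case " $1 " in
        *" selinux=0 "*)   echo disabled ;;
        *" enforcing=0 "*) echo permissive ;;
        *)                 echo none ;;
    esac
}

# Mode to expect after reboot, from config file ($1) and kernel command line ($2).
predicted_boot_mode() {
    override=$(cmdline_override "$2")
    mode=$(selinux_config_mode "$1")
    case "$override:$mode" in
        disabled:*|*:disabled) echo disabled ;;
        permissive:*)          echo permissive ;;
        *:)                    echo unknown ;;   # no SELINUX= line found
        *)                     echo "$mode" ;;
    esac
}

if [ "${1:-}" = "--report" ]; then
    cfg=/etc/selinux/config
    echo "config file mode : $(selinux_config_mode "$cfg")"
    echo "sysconfig path   : $(sysconfig_link_state /etc/sysconfig/selinux "$cfg")"
    echo "predicted at boot: $(predicted_boot_mode "$cfg" "$(cat /proc/cmdline)")"
    if command -v getenforce >/dev/null 2>&1; then echo "running now      : $(getenforce)"; fi
fi
```

A result of detached-copy means the symlink was replaced by a regular file, so changes made through /etc/sysconfig/selinux are not what the system reads at boot.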