
I'm having some issues changing directory permissions that LOOK like they're related to SELinux. I'm trying to figure out how to disable SELinux a) for the remainder of the chef-client session and b) permanently.

Resource:

# Change permissions for mounted repository
directory "/home/analytics" do
  owner "analytics"
  mode "711"
end

Error:

/sbin/restorecon set context /analytics/file failed:'Operation not supported'

Environment:

Looks like SELinux is mucking up the works. Great. Let's disable SELinux!

The stock config from Chef's box is set to permissive.

[root@analytics selinux]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#   enforcing - SELinux security policy is enforced.
#   permissive - SELinux prints warnings instead of enforcing.
#   disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#   targeted - Only targeted network daemons are protected.
#   strict - Full SELinux protection.
SELINUXTYPE=targeted

I can template the config and set to disabled, but that will only apply after reboot. Usually disabling SELinux in the current session is done via the CLI (sestatus, setenforce, etc). Our cookbooks (and the official one) rely on this functionality. But it appears to be broken here...

[root@analytics selinux]# sestatus
bash: sestatus: command not found
[root@analytics selinux]# getstatus
bash: getstatus: command not found

[root@analytics selinux]# rpm -q policycoreutils
policycoreutils-1.33.12-14.13.el5

So how do I disable SELinux without rebooting the box or running Chef twice?

invict_us
  • sestatus and getenforce are in the '/usr/sbin' directory, so try calling them with the absolute path. If they are not found, try reinstalling the policycoreutils package. – szpal Feb 04 '15 at 16:58
  • Thanks! I was looking for these in /sbin. My mistake. `[vagrant@analytics-centos-510 sbin]$ ls /usr/sbin/se* /usr/sbin/selinuxenabled /usr/sbin/semodule /usr/sbin/sestatus /usr/sbin/semanage /usr/sbin/setenforce` – invict_us Feb 04 '15 at 20:02

1 Answer


I fixed my problem by creating a new .box with the settings in /etc/selinux/config set to DISABLED.

But @szpal is right. The binaries were under /usr/sbin (instead of /sbin, where I had been looking):

[vagrant@analytics-centos-510 sbin]$ ls /usr/sbin/se*
/usr/sbin/selinuxenabled /usr/sbin/semodule /usr/sbin/sestatus /usr/sbin/semanage /usr/sbin/setenforce

A quick test indicated you could disable SELinux in-session by simply providing the full path to the execute resource:

execute "disable selinux - running" do
  command "/usr/sbin/setenforce 0"
end
invict_us
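The question asks for two separate changes (the running session and the persistent setting) and the answer shows the in-session one as an execute resource with the absolute path. The Ruby below is an added example, not code from the question, the answer or any Chef cookbook; it isolates the logic a recipe would need for both changes so it can be run and checked without a Chef run. The paths /etc/selinux/config and /usr/sbin/setenforce, /usr/sbin/getenforce come from the thread; the function names and the helper that builds a getenforce guard string are my own. It also carries the check a practitioner wants here: setenforce only switches between enforcing and permissive, so "disabled" can only be reached through the config file plus a reboot, which the helpers report instead of silently doing nothing.

```ruby
# Added example (not from the original question or answer): helpers that
# encode the two SELinux changes discussed above, the in-session one done with
# /usr/sbin/setenforce and the persistent one done in /etc/selinux/config.
# Paths and mode names are the standard ones; the sample config text at the
# bottom is a constructed copy of the stock config quoted in the question.

SELINUX_CONFIG = '/etc/selinux/config'
SETENFORCE     = '/usr/sbin/setenforce'   # lives in /usr/sbin, not /sbin
GETENFORCE     = '/usr/sbin/getenforce'
CONFIG_MODES   = %w[enforcing permissive disabled].freeze

# Parse the key=value lines of /etc/selinux/config, ignoring comments and blanks.
def parse_selinux_config(text)
  text.each_line.with_object({}) do |line, cfg|
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?('#')
    key, value = stripped.split('=', 2)
    cfg[key.strip] = value.to_s.strip
  end
end

# Return the config text with SELINUX= set to `mode`, keeping every other line
# (including the explanatory comments) intact. Raises on an unknown mode so a
# typo cannot silently leave the line unchanged.
def render_selinux_config(text, mode)
  raise ArgumentError, "unknown SELinux mode #{mode.inspect}" unless CONFIG_MODES.include?(mode)
  replaced = false
  out = text.each_line.map do |line|
    if line =~ /\A\s*SELINUX\s*=/
      replaced = true
      "SELINUX=#{mode}\n"
    else
      line
    end
  end.join
  out << "SELINUX=#{mode}\n" unless replaced
  out
end

# Command (argv) that changes the running mode. setenforce only toggles between
# enforcing (1) and permissive (0); "disabled" cannot be reached at runtime, so
# nil is returned and the caller must fall back to the config file plus a reboot.
def setenforce_command(mode)
  case mode
  when 'enforcing'  then [SETENFORCE, '1']
  when 'permissive' then [SETENFORCE, '0']
  when 'disabled'   then nil
  else raise ArgumentError, "unknown SELinux mode #{mode.inspect}"
  end
end

# A reboot is needed whenever the kernel must load or unload the policy entirely,
# i.e. when the boot-time mode or the desired mode is "disabled".
def reboot_required?(current_mode, desired_mode)
  current_mode == 'disabled' || desired_mode == 'disabled'
end

# Shell guard (for a not_if on an execute resource) so setenforce is skipped when
# the running mode already matches; getenforce prints Enforcing/Permissive/Disabled.
def already_in_mode_guard(mode)
  "#{GETENFORCE} | grep -qi '^#{mode}$'"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the stock config quoted in the question, abbreviated.
  sample = <<~CFG
    # This file controls the state of SELinux on the system.
    SELINUX=permissive
    SELINUXTYPE=targeted
  CFG
  current = parse_selinux_config(sample)['SELINUX']
  desired = 'disabled'
  runtime = setenforce_command(desired)
  puts "boot-time mode: #{current}, wanted: #{desired}"
  puts "runtime command: #{runtime ? runtime.join(' ') : '(none: not reachable with setenforce)'}"
  puts "reboot required: #{reboot_required?(current, desired)}"
  puts "guard: #{already_in_mode_guard(desired)}"
  puts render_selinux_config(sample, desired)
end
```

In a recipe this maps onto two resources: a file resource writing render_selinux_config's output to /etc/selinux/config for the persistent change, and an execute resource running setenforce_command's argv with not_if already_in_mode_guard(...) so the in-session change is idempotent. Because the stock box is already permissive, /usr/sbin/setenforce 0 changes nothing there; only the config change followed by a reboot reaches the disabled state the answer settled on.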