Tuesday 28 June 2016

Deactivating SELinux on CentOS



The SELinux security component can cause a lot of nasty issues. In my experience, when you want to run something behind your Apache httpd server, it is best to put SELinux in permissive mode. Typically, SELinux can:
- prevent a Tomcat AJP connector from listening on a port such as 8019, allowing only the default port 8009
- prevent the Subversion DAV module from accessing files that are not under /var/www
- prevent Samba file sharing from listing the files in a directory (although the directory itself can be seen)


All of these effects are very strange the first time you see them, which is why I recommend deactivating SELinux when you set up a new server. If the server is going to be exposed to the internet, you can harden it afterwards by activating SELinux again.

The principle behind SELinux is that a process must pass a set of rules before it is allowed to access a resource. The resource can be:
- a socket
- a process
- a file

For instance, rules can be put in place so that httpd cannot access any resource on the computer other than the ones it is explicitly allowed, and these rules apply on top of the operating system's own permission checks.

The big issue with SELinux is that nothing shows up in the classic error logs: it is a very dry denial. So if you face an issue on the httpd server that you don't understand, it is worth deactivating SELinux and seeing what happens.
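The denials are not in httpd's error_log, but they are recorded: auditd writes them as type=AVC records to /var/log/audit/audit.log (on a box without auditd they end up in the kernel log). The script below is an added example, not part of the original post; it reduces each AVC record to the process, the refused permission, the object class and the two SELinux types involved, which is usually enough to see what was blocked. The three log lines embedded in it are constructed to look like the Tomcat and DAV cases described above, and the --live flag and AUDIT_LOG variable are this script's own conventions.

```shell
#!/bin/sh
# Added example (not from the original post): summarise SELinux AVC denials.
# Denials never reach httpd's error_log; auditd writes them to
# /var/log/audit/audit.log as type=AVC records. This reduces each record to
# "comm denied permission on class (source_type -> target_type)".

AUDIT_LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"

# summarise_avc: read audit records on stdin, print one line per denial.
summarise_avc() {
    awk '
        /^type=AVC/ && /avc: +denied/ {
            # the permission name(s) sit between "{ " and " }"
            perm = $0
            sub(/.*denied +[{] +/, "", perm)
            sub(/ +[}].*/, "", perm)
            comm = ""; scon = ""; tcon = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm")     comm   = kv[2]
                if (kv[1] == "scontext") scon   = kv[2]
                if (kv[1] == "tcontext") tcon   = kv[2]
                if (kv[1] == "tclass")   tclass = kv[2]
            }
            gsub(/"/, "", comm)
            # keep only the type part (third colon-separated field) of each context
            split(scon, s, ":"); split(tcon, t, ":")
            printf "%s denied %s on %s (%s -> %s)\n", comm, perm, tclass, s[3], t[3]
        }'
}

# count_denials: number of AVC denial records on stdin
count_denials() {
    summarise_avc | wc -l | tr -d ' '
}

# Constructed sample records, in the shape auditd writes them (not real captures).
SAMPLE_AVC='type=AVC msg=audit(1467110400.123:456): avc:  denied  { name_bind } for  pid=1234 comm="java" src=8019 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1467110400.123:456): arch=c000003e syscall=49 success=no exit=-13
type=AVC msg=audit(1467110401.456:457): avc:  denied  { read } for  pid=2345 comm="httpd" name="repo" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir permissive=0'

# "--live" reads the real audit log when it is readable; otherwise use the sample.
if [ "${1:-}" = "--live" ] && [ -r "$AUDIT_LOG" ]; then
    summarise_avc < "$AUDIT_LOG"
else
    printf '%s\n' "$SAMPLE_AVC" | summarise_avc
fi
```

On a real CentOS box the same information comes from ausearch -m avc -ts recent, and the first sample line shows the targeted alternative to switching enforcement off for the Tomcat case: the AJP port is refused because 8019 carries the generic unreserved_port_t type, so labelling it the same way as 8009 (semanage port -a -t http_port_t -p tcp 8019, from policycoreutils-python) lets the connector bind while the rest of the policy stays in force.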

You can switch the system into permissive mode with the following command (0 means permissive, 1 means enforcing):

setenforce 0

To check what mode the system is in:

getenforce

You can also read the flag directly from selinuxfs, which CentOS 7 mounts at /sys/fs/selinux (older releases used /selinux); it prints 1 for enforcing and 0 for permissive:

cat /sys/fs/selinux/enforce

The above switches off enforcement only temporarily, until you reboot the system. If you want the system to always start in permissive mode, here is how to do it. On Fedora Core and Red Hat Enterprise Linux, edit /etc/selinux/config and you will see lines like these:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted


To get your current status, type:

sestatus
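The following script is an added example (not from the original post) that does both halves of the procedure above from one place: it reports the mode the kernel is running with right now, reads the SELINUX= line of a config file in the format shown above, and rewrites that line with a new value after checking the value is one of the three the file accepts. The SELINUX_CONFIG variable and the function names are this script's own; by default it works on a constructed copy of the config file so it can be tried without touching /etc/selinux/config.

```shell
#!/bin/sh
# Added example (not from the original post): read and change the SELinux mode
# persistently, in the format of /etc/selinux/config. Point SELINUX_CONFIG at
# the real file (as root) to edit it; the demo below works on a sample copy.

SELINUX_CONFIG="${SELINUX_CONFIG:-/etc/selinux/config}"

# config_mode FILE: print the value of the SELINUX= line (enforcing/permissive/disabled).
# "^SELINUX=" does not match the SELINUXTYPE= line, so that one is left alone.
config_mode() {
    sed -n 's/^SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# runtime_mode: what the kernel is doing right now, read from selinuxfs
# (CentOS 7 mounts it at /sys/fs/selinux; older releases used /selinux).
runtime_mode() {
    for f in /sys/fs/selinux/enforce /selinux/enforce; do
        if [ -r "$f" ]; then
            case "$(cat "$f")" in
                1) echo enforcing ;;
                0) echo permissive ;;
            esac
            return 0
        fi
    done
    echo disabled   # no selinuxfs mounted means no policy is loaded
}

# set_config_mode FILE MODE: rewrite the SELINUX= line, refusing unknown values.
set_config_mode() {
    file="$1"; mode="$2"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    # edit a temporary copy and move it over the original, so a failure
    # part-way through never leaves a half-written config behind
    tmp="$file.tmp.$$"
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# make_sample_config FILE: constructed copy of the config shown in the post.
make_sample_config() {
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
EOF
}

# Demo on a sample copy: show both modes, switch the file to permissive, show again.
sample="${TMPDIR:-/tmp}/selinux-config-sample.$$"
make_sample_config "$sample"
echo "runtime: $(runtime_mode)   config (sample): $(config_mode "$sample")"
set_config_mode "$sample" permissive
echo "config after change: $(config_mode "$sample")"
rm -f "$sample"
```

Keep in mind that the two halves are independent: setenforce 0 changes only the running kernel, while the file only takes effect at the next boot, so sestatus can legitimately show "Current mode: permissive" next to "Mode from config file: enforcing". One more thing to plan for if you follow the post's advice and disable SELinux on a fresh server: files created while SELINUX=disabled carry no labels, so before switching the file back to enforcing (or permissive) you need a relabel, which is done with touch /.autorelabel followed by a reboot.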
