0

A few days ago I ran into a big problem and asked about it here, and I found out that SELinux was the cause of it. I have some virtual and physical machines with CentOS 6.7 or 6.9 as the OS. They all have databases and I want to disable SELinux on them, but I'm not sure whether disabling it would affect my databases or not. I wanted to know what happens if I disable SELinux, to check whether it has any bad effects on my system or not. What exactly does SELinux do and what happens when it is disabled? Can I disable it without a reboot, or is just restarting the network or other services enough?

  • I can't test on them because they support really important services. I have virtual machines on my system that I sometimes use for testing, but in this case they are useless because I want to know the effects when the system is under a heavy load of requests from different applications, users and .. – BlackCrystal Feb 23 '19 at 08:47
  • I am not clear. Creating test machines is a good practice. – Rui F Ribeiro Feb 23 '19 at 09:41
  • SELinux was not the cause of your previous issues, strictly speaking. – Kusalananda Feb 23 '19 at 09:42
  • @Kusalananda why wasn't it? – BlackCrystal Feb 23 '19 at 09:49
  • 2
    @BlackCrystal It's like saying "the permissions were the cause for me failing to delete that file" (the real cause here is executing rm as the wrong user). I'm just shifting the blame from something that can't really be blamed, to the behaviour that made the operation fail (which is something you can do something about). It's just me doing a bit of psychology on a Saturday morning. Don't mind me. – Kusalananda Feb 23 '19 at 09:53
  • 2
    Disabling SELinux may reduce the security of your databases by allowing an attacker to read or write to it without authorization. – Jeff Schaller Feb 23 '19 at 10:25
  • 1
    Copy the system configurations to a test machine, and test. No need to copy the data of the database services, script creation of lots of similar entries. – user2497 Feb 24 '19 at 13:18

2 Answers

2

Side effects are that additional access restrictions of SELinux are not used anymore. Most of the time, when software is operating normally, there isn't expected to be anything different (usual access control mechanisms are preventing unintended access before SELinux is involved).

However, you should consider investigating the cause of the issue and fixing it (might be due to incorrect file labels etc.; impossible to tell without precise details available in logs). Even if you decide to disable SELinux, it is possible to disable the policy module (see semodule) causing the issues or setting the problematic domain in permissive mode (rules are not enforced but are still logged, see semanage-permissive).

sebasth
  • 14,872
  • 1
    I prefer to have them disabled than having them generating logs – Rui F Ribeiro Feb 23 '19 at 09:43
  • @RuiFRibeiro And this is why optional security measures are no security measures. – Kusalananda Feb 23 '19 at 10:37
  • 1
    @RuiFRibeiro It is possible to disable a SELinux policy module. Afterwards there should not be any related SELinux log messages as the service runs in unconfined domain. This still allows leaving the rest of SELinux policy in place (how useful it is not so clear). One clear advantage is that should SELinux be enabled again some later time, the configuration is likely much easier. – sebasth Feb 23 '19 at 12:08
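
The answer above points to the logs and to putting only the problematic domain in permissive mode. As an added example (not code from the answer or from the SELinux project), this script counts AVC denials per source domain and prints the matching `semanage permissive -a` command for review; the log lines and function names are constructed for illustration.

```shell
#!/bin/bash
# Constructed sample audit records (not taken from the original question).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1550912345.101:88): avc:  denied  { read } for  pid=2211 comm="mysqld" name="ibdata1" dev=dm-0 ino=1311 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1550912345.101:88): arch=c000003e syscall=2 success=no exit=-13 comm="mysqld"
type=AVC msg=audit(1550912399.420:91): avc:  denied  { write } for  pid=2211 comm="mysqld" name="ib_logfile0" dev=dm-0 ino=1312 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1550912501.007:95): avc:  denied  { name_connect } for  pid=3050 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
EOF
}

# Read audit records on stdin; print "<count> <domain>" for each source domain
# (the type field of scontext) with at least one denial, busiest first.
denied_domains() {
    awk '/type=AVC/ && / denied / {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^scontext=/) {
                split(substr($i, 10), ctx, ":")   # user:role:type:level
                count[ctx[3]]++
            }
    }
    END { for (d in count) print count[d], d }' | sort -k1,1nr -k2,2
}

# Print (never execute) the per-domain permissive command for an admin to review.
permissive_commands() {
    denied_domains | while read -r n domain; do
        echo "semanage permissive -a $domain   # $n denial(s) logged"
    done
}

# On a real host: permissive_commands < /var/log/audit/audit.log
sample_log | permissive_commands
```
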
0

There can be side effects from disabling the security theater that is selinux (watch exploit after exploit for Linux and ask where selinux is (one CVE exploits sudo compiled with selinux--thanks for holding the door, selinux) and then discover that selinux is helpfully preventing BIOS passwords from being set on lab machines, which was the final straw for selinux for me); in particular KVM virt servers on CentOS Linux 7 that host virts that were built with selinux enabled will fail to start those virts after selinux is disabled (setting security_driver="none" did not help), so after wasting yet more time on selinux I ended up with selinux disabled on almost everything, but set to enabled-but-permissive on the virt servers where virts were set up when selinux was enabled. There will likely be other such edge cases and gotchas; selinux was disabled without incident for some mysql and postgresql database servers, but we're not doing much complicated with those database servers.

thrig
  • 34,938