Moneycontrol Brokerage Recos

Tuesday, April 30, 2013

Switch SELinux to Permissive mode from Enforcing mode

Security-Enhanced Linux (SELinux) is a security architecture integrated into the 2.6.x kernel using the Linux Security Modules (LSM). It is a project of the United States National Security Agency (NSA) and the SELinux community. SELinux integration into Red Hat Enterprise Linux was a joint effort between the NSA and Red Hat.

On EL5/RHEL5 with Oracle 11g, you may run into an error like the following. Example:

I was encountering the following error on Oracle 11.2.0.1.0 while trying to connect using sqlplus /nolog on Oracle Linux 5.7:
error while loading shared libraries: $ORACLE_HOME/lib/libnnz11.so: cannot restore segment prot after reloc: Permission denied
The error is an SELinux denial: the library contains text relocations, so the dynamic loader has to make a mapped segment writable and then executable again, which the targeted policy does not allow. The workaround used here is to switch SELinux from Enforcing mode to Permissive mode. Keep in mind that this turns off enforcement for the whole system; the narrower fix is to relabel the offending library with the textrel_shlib_t type (using chcon on that file), which lets the rest of the system stay in enforcing mode.

To change from "Enforcing" mode to "Permissive" mode at runtime, use the "setenforce" command. Run without arguments it prints its usage:
# setenforce
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]

setenforce 1 — switches SELinux to enforcing mode.
setenforce 0 — switches SELinux to permissive mode.
Example:
# getenforce
Enforcing

# setenforce 0

# getenforce
Permissive

# sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 18
Policy from config file: targeted
.
.
The "setenforce" command changes the mode immediately, but the change only lasts until the next reboot ("Mode from config file" above still says enforcing).

If we need "Permissive" mode to survive a reboot, we have to modify the /etc/selinux/config file as well:

SELINUX=permissive

The SELINUX line accepts one of three values, SELINUX=enforcing|permissive|disabled:

enforcing — The SELinux security policy is enforced.

permissive — The SELinux system prints warnings but does not enforce policy.

This is useful for debugging and troubleshooting purposes. In permissive mode, more denials are logged because subjects can continue with actions that would otherwise be denied in enforcing mode. For example, traversing a directory tree in permissive mode produces avc: denied messages for every directory level read. In enforcing mode, SELinux would have stopped the initial traversal and kept further denial messages from occurring.

disabled — SELinux is fully disabled. SELinux hooks are disengaged from the kernel and the pseudo-file system is unregistered.
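As an added example (code written for this page, not from the original post or from Red Hat), the following POSIX shell script carries out both halves of the procedure above: the immediate runtime switch with setenforce, and the persistent edit of the config file, each with the checks a careful admin wants. It assumes the standard config path /etc/selinux/config (overridable through the SELINUX_CONFIG variable) and the getenforce/setenforce tools from policycoreutils; the sample config contents it edits at the bottom are constructed for the demonstration and never touch the live file.

```shell
#!/bin/sh
# Added example, not from the original post. Switches SELinux to permissive
# for the running kernel and persistently, with the checks an admin wants.
# Assumes the standard config path and the getenforce/setenforce tools from
# policycoreutils; the config path can be overridden via SELINUX_CONFIG.

SELINUX_CONFIG="${SELINUX_CONFIG:-/etc/selinux/config}"

# Only the three values /etc/selinux/config understands are allowed through.
# A typo here (e.g. "permisive") is not caught at write time and would only
# surface at the next boot, so validate before touching the file.
valid_selinux_mode() {
    case "$1" in
        enforcing|permissive|disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the persistent mode from a config file; comment lines and
# SELINUXTYPE= are ignored, and the last SELINUX= line wins.
config_selinux_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Set SELINUX= in the given config file (appending the line if it is missing),
# keeping a .bak copy and verifying the result by reading the file back.
set_config_selinux_mode() {
    valid_selinux_mode "$2" || { echo "refusing invalid mode: $2" >&2; return 1; }
    cp -p "$1" "$1.bak" || return 1
    if grep -q '^[[:space:]]*SELINUX=' "$1"; then
        # Write via a temp file and cat back so inode, owner and mode are kept.
        sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$2/" "$1" > "$1.tmp" \
            && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
    else
        printf 'SELINUX=%s\n' "$2" >> "$1"
    fi
    [ "$(config_selinux_mode "$1")" = "$2" ]
}

# Switch the running kernel to permissive without touching the config file.
# This is lost at reboot, needs root, and fails when SELinux is disabled:
# a disabled kernel cannot be made permissive without a reboot.
switch_runtime_to_permissive() {
    command -v getenforce >/dev/null 2>&1 || { echo "getenforce not found" >&2; return 1; }
    case "$(getenforce)" in
        Disabled)   echo "SELinux is disabled; reboot with SELINUX=permissive instead" >&2; return 1 ;;
        Permissive) echo "already permissive"; return 0 ;;
    esac
    setenforce 0 && [ "$(getenforce)" = "Permissive" ]
}

# Demonstration on a constructed copy of a RHEL5-style config, never on the
# live file: the sample contents below are made up for this example.
DEMO_CONFIG=$(mktemp)
printf '%s\n' '# This file controls the state of SELinux on the system.' \
    'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$DEMO_CONFIG"
echo "before: $(config_selinux_mode "$DEMO_CONFIG")"   # enforcing
set_config_selinux_mode "$DEMO_CONFIG" permissive
echo "after:  $(config_selinux_mode "$DEMO_CONFIG")"   # permissive
```

On a real box, run it as root and call switch_runtime_to_permissive for the immediate change, then set_config_selinux_mode "$SELINUX_CONFIG" permissive for the persistent one; a .bak copy of the config is left beside it so the change can be reverted. The demonstration at the bottom only edits a temporary file.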
