Thursday, March 4, 2010

SELinux - Should you really disable SELinux?

How to Disable SELinux

You've set up a new system, or installed something new on your Linux system, and it's not working. You get the feeling that SELinux is the cause of the problem. This page was written to help.
Contents:
Overview
Should you really disable SELinux?
Temporarily switch off enforcement
Permanently Permissive
Fully Disabling SELinux
Re-Enabling SELinux
Overview:
SELinux has two major components on your system. First, there's the kernel mechanism, which enforces a set of access rules that apply to processes and files. Secondly, there are file labels: every file on your system has extra labels attached to it which tie in with those access rules. Run ls -Z and you'll see what I mean.


Should you really disable SELinux?
Be aware that by disabling SELinux you will be removing a security mechanism from your system. Think about this carefully, and if your system is on the Internet and accessed by the public, then think about it some more. Joshua Brindle (an SELinux developer) has comments on disabling SELinux here, which state clearly that applications should be fixed to work with SELinux, rather than disabling the OS security mechanism.


You need to decide if you want to disable SELinux temporarily to test the problem, or permanently switch it off. It may also be a better option to make changes to the policy to permit the operations that are being blocked, but this requires knowledge of writing policies and may be a steep learning curve for some people. For the operating system as a whole, there are two kinds of disabling:


• Permissive - switch the SELinux kernel into a mode where every operation is allowed. Operations that would be denied are allowed and a message is logged identifying that it would be denied. The mechanism that defines labels for files which are being created/changed is still active.


• Disabled - SELinux is completely switched off in the kernel. This allows all operations to be permitted, and also disables the process which decides what to label files & processes with.


Disabling SELinux could lead to problems if you want to re-enable it again later. When the system runs with file labelling disabled it will create files with no label, which could cause problems if the system is then booted into enforcing mode. A full relabelling of the file system will be necessary.

Temporarily switch off enforcement
You can switch the system into permissive mode with the following command:
echo 0 >/selinux/enforce


You'll need to be logged in as root, and in the sysadm_r role:
newrole -r sysadm_r
To switch back into enforcing mode:
echo 1 >/selinux/enforce
In Fedora Core and RedHat Enterprise Linux you can use the setenforce command with a 0 or 1 option to set permissive or enforcing mode; it's just a slightly easier command than the above.
To check what mode the system is in,
cat /selinux/enforce
which will print a "0" or "1" for permissive or enforcing. The file has no trailing newline, so the digit will probably appear at the beginning of the line holding your next command prompt.


Permanently Permissive
The above will switch off enforcement temporarily - until you reboot the system. If you want the system to always start in permissive mode, then here is how you do it.


In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and you will see some lines like this:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
... just change SELINUX=enforcing to SELINUX=permissive, and you're done. Reboot if you want to prove it.


For the other Linuxes which don't have the /etc/selinux/config file, you just need to edit the kernel boot line, usually in /boot/grub/grub.conf if you're using the GRUB boot loader. On the kernel line, add enforcing=0 at the end. For example,
title SE-Linux Test System
root (hd0,0)
kernel /boot/vmlinuz-2.4.20-selinux-2003040709 ro root=/dev/hda1 nousb enforcing=0
#initrd /boot/initrd-2.4.20-selinux-2003040709.img

Fully Disabling SELinux
Fully disabling SELinux goes one step further than just switching into permissive mode. Disabling will completely disable all SELinux functions including file and process labelling.
In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and change the SELINUX line to SELINUX=disabled:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
... and then reboot the system.
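As an added example (not part of the original post, and not a tool shipped by any distribution), here are POSIX sh helpers for the two /etc/selinux/config edits described in this section and the previous one, plus a reader for the 0/1 flag in /selinux/enforce. The function names (selinux_config_get, selinux_config_set, selinux_enforce_name, make_sample_config) are my own, and the config that the demo edits is a constructed copy in a temp file, so it runs without touching the real system; on a live box you would pass the real paths as root.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for editing the Fedora/RHEL
# /etc/selinux/config file and for reading the /selinux/enforce flag. Every function
# takes the file path as an argument so it can be exercised on a copy first.

# selinux_config_get FILE -> prints the value of the SELINUX= line
selinux_config_get() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1"
}

# selinux_config_set FILE MODE -> rewrites the SELINUX= line; refuses unknown modes
# and leaves a backup at FILE.bak so the change can be reverted.
selinux_config_set() {
    _file=$1; _mode=$2
    case $_mode in
        enforcing|permissive|disabled) ;;
        *) echo "selinux_config_set: bad mode '$_mode'" >&2; return 1 ;;
    esac
    grep -q '^SELINUX=' "$_file" || { echo "no SELINUX= line in $_file" >&2; return 1; }
    cp "$_file" "$_file.bak" || return 1
    # write to a temp file and rename, so a failure mid-write cannot leave a half-written config
    sed "s/^SELINUX=.*/SELINUX=$_mode/" "$_file" > "$_file.tmp" && mv "$_file.tmp" "$_file"
}

# selinux_enforce_name FILE -> translates the 0/1 stored in /selinux/enforce into a word
selinux_enforce_name() {
    _v=$(cat "$1" 2>/dev/null) || return 1
    case $_v in
        0) echo permissive ;;
        1) echo enforcing ;;
        *) echo "selinux_enforce_name: unexpected value '$_v'" >&2; return 1 ;;
    esac
}

# make_sample_config -> writes a constructed copy of the Fedora/RHEL config shown in the
# post to a temp file and prints its path, so the functions above can be tried safely.
make_sample_config() {
    _f=$(mktemp) || return 1
    cat > "$_f" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
EOF
    echo "$_f"
}

# Demo on a throwaway copy (constructed data, not the real /etc/selinux/config):
cfg=$(make_sample_config)
selinux_config_set "$cfg" permissive
echo "$cfg now says SELINUX=$(selinux_config_get "$cfg")"
rm -f "$cfg" "$cfg.bak"
```

The mode check in selinux_config_set matters more than it looks: a typo such as SELINUX=permisive is not recognised by the init scripts, and the backup plus temp-file-and-rename pattern means a mistake can be undone with a single cp from the .bak file.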


For the other Linuxes which don't have the /etc/selinux/config file, you just need to edit the kernel boot line, usually in /boot/grub/grub.conf, if you're using the GRUB boot loader. On the kernel line, add selinux=0 at the end. For example,
title SE-Linux Test System
root (hd0,0)
kernel /boot/vmlinuz-2.4.20-selinux-2003040709 ro root=/dev/hda1 nousb selinux=0
#initrd /boot/initrd-2.4.20-selinux-2003040709.img

You will have to reboot to disable SELinux, you just can't do it while the system is running.
Re-Enabling SELinux
If you've disabled SELinux as in the section above, and you want to enable it again then you've got a bit of work to do. The problem will be that files created or changed when SELinux was disabled won't have the correct file labels on them - if you just reboot in enforcing mode then a lot of stuff won't work properly.
What you need to do is to enable SELinux by editing /etc/selinux/config (for Fedora/RedHat) or by adding selinux=1 to the kernel boot line, then boot into permissive mode, then relabel everything, and then reboot into (or simply switch to) enforcing mode.
After booting into permissive mode, run
fixfiles relabel


Alternatively, in Fedora and RedHat Enterprise Linux you can run
touch /.autorelabel and reboot, or put autorelabel on the kernel boot line. In both cases the file system gets a full relabel early in the boot process. Note that this can take quite some time on systems with a large number of files.
After relabelling the filesystem, you can switch to enforcing mode (see above) and your system should be fully enforcing again.

Saturday, February 27, 2010

Unix Shells - Basics

The shell in Unix acts as a command interpreter between the user and the Unix kernel, and also provides a strong scripting language.

Here are the different types of Unix shells:
B shell, /bin/sh – This is the default Unix shell for many Unix operating systems.
The Bourne shell was written by S. R. Bourne, and its emphasis is on use as a scripting language rather than as an interactive shell.
Some of its features are:
Support for environment variables using parameters and exportable variables.
Redirection of program output and error.
Command substitution using back quotes: `command`.
Embedding a file or commands in a script using the input redirector <<.
"for ~ do ~ done" loops.
"case ~ in ~ esac" for selecting and responding to a data value.

The C shell, /bin/csh, was designed to provide the interactive features lacking in the B shell, such as job control and aliasing.
The K shell, /bin/ksh, was created by David Korn and has features of both the B shell and the C shell along with some additional features.
Bash, the Bourne-again shell, was developed by the GNU project. It is based on the B shell language and has features of the C and K shells.
tcsh is the default shell of FreeBSD and its descendants. Essentially it is the C shell with programmable command-line completion, command-line editing, and a few other features.
Zsh is a shell designed for interactive use, and it has many of the useful features of bash, ksh, and tcsh along with many new features.
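As an added example (not from the original post), the script below puts the Bourne-shell features listed above to work together: a here-document embeds sample data, a while/read loop and case/esac classify each entry, a for loop and back-quote command substitution build a report, and stdout and stderr are redirected to separate files. The passwd-style lines are constructed for the example and the function names (shell_family, count_family, report, write_report) are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Demonstrates the Bourne-shell features
# named in the post: here-documents (<<), for/do/done, case/in/esac, back-quote
# command substitution, and separate redirection of output and error.

# shell_family LOGIN_SHELL -> classifies a login shell path as bourne, c, none, or unknown
shell_family() {
    case $1 in
        */sh|*/bash|*/ksh|*/zsh) echo bourne ;;
        */csh|*/tcsh)            echo c ;;
        */nologin|*/false)       echo none ;;
        *)                       echo unknown ;;
    esac
}

# count_family FAMILY -> counts the constructed passwd entries whose shell is in FAMILY.
# The data is embedded with a here-document, so nothing is read from the real /etc/passwd.
count_family() {
    _want=$1; _n=0
    while IFS=: read -r _user _pw _uid _gid _gecos _home _shell; do
        if [ "$(shell_family "$_shell")" = "$_want" ]; then
            _n=$((_n + 1))
        fi
    done <<'EOF'
root:x:0:0:root:/root:/bin/bash
manju:x:1000:1000:Manju:/home/manju:/bin/ksh
ops:x:1001:1001:Ops:/home/ops:/bin/tcsh
bsd:x:1002:1002:BSD user:/home/bsd:/bin/csh
daemon:x:2:2:daemon:/sbin:/sbin/nologin
EOF
    echo $_n
}

# report -> one line per family, built with a for loop; the count of each family is
# captured with back-quote command substitution and accumulated into a total
report() {
    _total=0
    for _fam in bourne c none; do
        _c=`count_family $_fam`
        echo "$_fam: $_c"
        _total=$((_total + _c))
    done
    echo "total: $_total"
}

# write_report OUTFILE -> the report goes to OUTFILE, while anything written to
# stderr (here a provenance note) lands in OUTFILE.err: output and error redirected apart
write_report() {
    { report; echo "report written by $0 on $(date)" >&2; } > "$1" 2> "$1.err"
}

# Stand-alone run: print the report on the terminal
report
```

Each construct is the portable Bourne form, so the same script runs unchanged under sh, bash, ksh and zsh; only the csh family, which lacks here-document-driven while loops of this shape and uses different redirection syntax, would need rewriting.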

Unix shell configuration files:
—————————————————–—————————————————–
b shell
shell prompt : $
executable file : /bin/sh
Read on interactive/non-interactive login to sh:
/etc/profile
~/.profile
—————————————————–—————————————————–
bash shell
shell prompt : $
executable file : /bin/bash
Read on interactive/non-interactive login to bash:
/etc/profile
~/.profile
~/.bash_profile
~/.bash_login

Always read on invoking bash:
~/.bashrc
—————————————————–—————————————————–
csh shell
shell prompt : %
executable file : /bin/csh

Read on csh shell invocation:
/etc/csh.cshrc
~/.cshrc

Read on interactive/non-interactive login to csh:
/etc/.login
~/.login
~/.logout
/etc/csh.login
—————————————————–—————————————————–
ksh shell
shell prompt : $
executable file : /bin/ksh
Read on interactive/non-interactive login to ksh:
/etc/profile
~/.profile
—————————————————–—————————————————–
tcsh shell
shell prompt : >
executable file : /bin/tcsh

Read on tcsh shell invocation:
~/.tcshrc
/etc/csh.cshrc
~/.cshrc

Read on interactive/non-interactive login to tcsh:
/etc/.login
~/.login
~/.logout
/etc/csh.login
—————————————————–—————————————————–
zsh shell
shell prompt : $
executable file : zsh
Configuration files:

Always read on invoking zsh:
~/.zshenv
/etc/zshenv

Only read on interactive login to zsh:
~/.zshrc
/etc/zshrc

Read on interactive/non-interactive login to zsh:
/etc/zprofile
/etc/zlogin
/etc/zlogout
~/.zprofile
~/.zlogin
~/.zlogout
—————————————————–—————————————————–

Friday, February 26, 2010

Solaris Basic Network Configuration

Solaris Network configuration
Setting up Solaris networking often becomes challenging for new sysadmins and new owners of Sun systems. This document details the steps involved in setting up Solaris networking and can be used as a checklist if you are already familiar with Solaris network configuration.

Table of contents:
1. Enable the network card
2. Configuring the IP address and netmask and bringing the interface up
3. Configuring a virtual interface
4. IP forwarding
5. Route configuration
6. Network terms
7. Make the changes permanent

The ifconfig command is used in Solaris to configure the network interfaces. The following lines describe the activities needed to configure a freshly installed network card from the root prompt.

1. Enable the network card

#ifconfig hme0 plumb

ifconfig -a should show the following type of output, which means the device is enabled and is ready to be configured with an IP address and netmask:
hme0: flags=842 mtu 1500
inet 0.0.0.0 netmask 0
ether 3:22:11:6d:2e:1f

2. Configuring the IP address and netmask and bringing the interface up

#ifconfig hme0 192.9.2.106 netmask 255.255.255.0 up
ifconfig -a will now show the IP address, netmask and up status as follows:

hme0: flags=843 mtu 1500
inet 192.9.2.106 netmask ffffff00 broadcast 192.9.2.255
ether 3:22:11:6d:2e:1f


The file /etc/netmasks is used to define netmasks for IP addresses.
127.0.0.1 is the standard loopback address and 127.0.0.0 is the default loopback network used by the kernel; when no interface is configured, this will be the only entry displayed by the system on invoking ifconfig -a.

3. Configuring Virtual interface

A virtual interface can be configured to make hme0 answer to more than one IP address. This is done with an hme0 alias, which can be configured with the ifconfig command only. The alias device names become hme0:1, hme0:2 and so on.

#ifconfig hme0:1 172.40.30.4 netmask 255.255.0.0 up

ifconfig -a will show the original hme0 and the alias interface:
hme0: flags=843 mtu 1500
inet 192.9.2.106 netmask ffffff00 broadcast 192.9.2.255
ether 3:22:11:6d:2e:1f
hme0:1: flags=842 mtu 1500
inet 172.40.30.4 netmask ffff0000 broadcast 172.40.255.255


4. Ip-forwarding

IP forwarding allows you to forward all requests coming for a certain port or URL to be redirected to a specified IP address. IP forwarding becomes enabled automatically when the system detects more than one interface at boot time. The file involved is /etc/rc2.d/S69inet.
IP forwarding is on by default but can be turned off with the following command:

#ndd -set /dev/ip ip_forwarding 0

5. Route Configuration

After the interfaces and IP addresses have been configured, the system needs a default router which will allow the machine to talk to the world outside of the local network.

You can specify a particular route for a particular address, as in the following example:


#route add -net 10.0.0.0 -netmask 255.0.0.0 172.40.30.1 1


If the destination IP address is not defined in this manner, the system forwards all requests to the default router.
The default route is defined manually by editing the /etc/defaultrouter file and putting the router's IP address in it. This file is read by /etc/rc2.d/S69inet during the boot process and the entry is added to the routing table.
The route can also be defined online using the route add command, but the change will be lost on reboot. To make the change permanent, make sure to put an entry in /etc/defaultrouter.


#route add default 205.100.155.2 1


#route change default 205.100.155.2 1


The 1 at the end is the number of hops to the next gateway.
If an interface is not responding to the network, check to be sure it has the correct IP address and netmask, and that the network cables are fine.

6. Network Terms

CIDR: Classless Inter-Domain Routing, the notation often used instead of writing the subnet mask along with the IP address. It puts the network prefix at the end of an address as a slash followed by the number of network bits. This means that the IP address 192.200.20.10 with the subnet mask 255.255.255.0 can also be expressed as 192.200.20.10/24. The /24 indicates the network prefix length, which is equal to the number of contiguous binary one-bits in the subnet mask (11111111.11111111.11111111.00000000). The zeros are for addressing the hosts on this network.
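As an added example (not from the original post, and not part of Solaris), the POSIX sh functions below carry out the conversions this section and the ifconfig output above rely on: a dotted netmask to a /prefix and back, the hexadecimal netmask that Solaris ifconfig -a prints (ffffff00) to dotted form, and the broadcast address that ifconfig derives from an address and mask. They also enforce the "contiguous one-bits" rule, rejecting a mask such as 255.0.255.0. The function names and the sample values are my own; the addresses match the ones used in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Netmask / CIDR helpers in POSIX sh,
# using only $(( )) arithmetic (works in sh, dash, bash, ksh).

# dotted_to_int 192.9.2.106 -> the address as one 32-bit integer; fails on malformed input
dotted_to_int() {
    _save_ifs=$IFS; IFS=.; set -- $1; IFS=$_save_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in *[!0-9]*|'') return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_dotted INT -> dotted quad
int_to_dotted() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                           $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# hexmask_to_dotted ffffff00 -> 255.255.255.0 (the form Solaris ifconfig -a prints)
hexmask_to_dotted() {
    case $1 in *[!0-9a-fA-F]*|'') return 1 ;; esac
    [ ${#1} -eq 8 ] || return 1
    int_to_dotted $(( 0x$1 ))
}

# mask_to_prefix 255.255.255.0 -> 24; fails on a non-contiguous mask such as 255.0.255.0
mask_to_prefix() {
    _m=$(dotted_to_int "$1") || return 1
    _n=0; _zero_seen=0; _i=31
    while [ $_i -ge 0 ]; do
        if [ $(( (_m >> _i) & 1 )) -eq 1 ]; then
            [ $_zero_seen -eq 0 ] || return 1   # a 1 after a 0: not a valid netmask
            _n=$(( _n + 1 ))
        else
            _zero_seen=1
        fi
        _i=$(( _i - 1 ))
    done
    echo $_n
}

# prefix_to_mask 24 -> 255.255.255.0
prefix_to_mask() {
    case $1 in *[!0-9]*|'') return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    if [ "$1" -eq 0 ]; then int_to_dotted 0; return; fi
    int_to_dotted $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

# cidr_of 192.200.20.10 255.255.255.0 -> 192.200.20.10/24
cidr_of() {
    _p=$(mask_to_prefix "$2") || return 1
    echo "$1/$_p"
}

# broadcast_of 192.9.2.106 255.255.255.0 -> 192.9.2.255 (network part kept, host bits all set)
broadcast_of() {
    _a=$(dotted_to_int "$1") || return 1
    _k=$(dotted_to_int "$2") || return 1
    mask_to_prefix "$2" >/dev/null || return 1
    int_to_dotted $(( (_a & _k) | (~_k & 0xffffffff) ))
}

# Stand-alone run, reproducing the values seen in the ifconfig output above
echo "$(cidr_of 192.9.2.106 "$(hexmask_to_dotted ffffff00)")  broadcast $(broadcast_of 192.9.2.106 255.255.255.0)"
echo "$(cidr_of 172.40.30.4 "$(hexmask_to_dotted ffff0000)")  broadcast $(broadcast_of 172.40.30.4 255.255.0.0)"
```

The contiguity check in mask_to_prefix is the practical point: a mask with a hole in it is accepted by ifconfig on some systems but has no /prefix equivalent, and an entry like that in /etc/netmasks is a common source of hosts that can reach some neighbours and not others.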

7. Make the Changes Permanent

To make this change permanent, you will need to edit one or more Solaris configuration files. If you do not, then your IP address will change back to the old address the next time you reboot the system.


You will need to edit the hosts entry in /etc/hosts.

If you have moved the system to a new network, you will need to change the default route in /etc/defaultrouter.


If you are using VLSM (Variable Length Subnet Masks), you may need to edit /etc/netmasks.

If you are using Solaris 9 or above, you may need to edit the IP address in /etc/inet/ipnodes.


You should then reboot the server to test your changes and ensure that they operate correctly.

Saturday, February 20, 2010

From my experience...the systems science!

From all my experiences, I would say that many times system administration is a combination of scientific processes, philosophy and engineering, and more of a scientific process in many aspects; computer science is by no means mutually exclusive with it.

First, it does have a series of methodologies and best practices that are often outlined in the few good books on system administration out there. Not that they are always followed by any means or that they fit every situation, but a large amount of trial-and-error in doing things like setting up machines and preparing for outages went into setting up those practices.

Second, even when handling issues when they arise, system administrators often have to use "scientific" principles and methodologies (such as logic, deduction, inference, etc) in order to deal with them. Research online and off on the subject matter, attempts to solve problems through trial-and-error, gathering empirical evidence from such attempts to solve a problem or improve a process with different methods--those are all fairly scientific if you ask me.

Yes, at times, there does seem to be an almost "black art" feel to system administration. There is rarely ever a single solution to any problem nor a single methodology that works every time. Moreover, at times it is possible to recognize the work/thought processes of some system administrators just as you would the creation and end result of a painting by Picasso or of a musical piece by Chopin.

For me, when setting up new systems and architectures as well as when troubleshooting problems as they arise both generally have proven processes that can work to get the job done. At the very least, those processes and mental or physical checklists often help immensely by guiding me down a path that might work, or at least from which I can learn where it needs to be changed/improved in order to make it work. I may need to take some creative leaps in order to get to there from here, but underlying it all are the "scientific" principles such as logic and deduction mentioned above.

At its very core, however, isn't one large facet of "scientific endeavor" really the solving of problems along with developing the methodologies to do so? And setting up systems to perform certain tasks as well as troubleshooting or planning for issues that arise or that might arise are also problems that need to be solved. In some generic cases, solutions already exist and their processes can be easily followed. In other cases, a little more creativity is involved but it is still, at the core, problem solving using "scientific" methods.

Finally, philosophy comes into play when a systems organization employs different components, requiring an understanding of the infrastructure landscape.


Cheers
Manju