Don’t Do It: Disabling SELinux (.PDF Download)

Dec. 19, 2018
These days, security is one of those things everyone talks about, and in this arena, many actually do something about it. Using mandatory-access-control (MAC) systems like SELinux and AppArmor can significantly improve the security of a system, but only if they’re used. For this discussion, we concentrate on SELinux. However, the ideas are applicable to most access-control systems.

Security-Enhanced Linux, or SELinux, was initially developed by the US National Security Agency (NSA). It’s standard fare on Red Hat Enterprise Linux (RHEL), the community version called CentOS, and Fedora Linux. It works on many other incarnations, although it’s not always installed or turned on by default.

Disabling SELinux is easy. Just run setenforce 0, which drops SELinux into permissive mode until the next reboot. Turning it off permanently is done by setting SELINUX=disabled in the /etc/selinux/config file for CentOS or Fedora.

JUST DON'T DO IT.

Too many “tips” on the web tell readers to do just this when a particular application will not run with SELinux. It’s usually because they’re too lazy to figure out why. While this will typically get an application to run, it also turns a relatively secure system into a relatively insecure one.

The reason most of these tips arise is that there are few good presentations of SELinux, or other access-control systems, that are easy to find and readily available. Some of the good books on SELinux also tend to be rather daunting; the excuse for not reading them is that security is not important, not my job, etc.
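
To check whether a host has had either of the settings described above applied (a runtime setenforce 0 or SELINUX=disabled in /etc/selinux/config), the following shell functions are an added example, not part of the original article. The function names are hypothetical, the paths are parameters so the checks can run against copies of the files, and /sys/fs/selinux/enforce is the selinuxfs node that reports the runtime mode.

```shell
#!/bin/sh
# Added example: audit a host for the two ways of switching SELinux off
# that the article names. Function names are hypothetical.
# Usage: selinux_audit /etc/selinux/config /sys/fs/selinux/enforce

# Print the persistent mode from an SELinux config file
# (enforcing|permissive|disabled), or "unset" if no SELINUX= line exists.
selinux_config_mode() {
    conf=${1:-/etc/selinux/config}
    [ -r "$conf" ] || { echo "unset"; return 0; }
    # Commented lines and SELINUXTYPE= do not match; the last
    # SELINUX= assignment wins; the value is lower-cased for comparison.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$conf" \
           | tail -n 1 | tr 'A-Z' 'a-z')
    echo "${mode:-unset}"
}

# Print the runtime mode: "enforcing", "permissive" (the state that
# setenforce 0 leaves behind), or "disabled" if selinuxfs is not mounted.
selinux_runtime_mode() {
    enforce=${1:-/sys/fs/selinux/enforce}
    [ -r "$enforce" ] || { echo "disabled"; return 0; }
    case $(cat "$enforce") in
        1) echo "enforcing" ;;
        0) echo "permissive" ;;
        *) echo "unknown" ;;
    esac
}

# Return 0 only when both the runtime and the persistent mode are
# enforcing; otherwise print one finding per problem and return 1.
selinux_audit() {
    cfg=$(selinux_config_mode "$1")
    run=$(selinux_runtime_mode "$2")
    rc=0
    [ "$run" = "enforcing" ] || { echo "FINDING runtime=$run"; rc=1; }
    [ "$cfg" = "enforcing" ] || { echo "FINDING config=$cfg"; rc=1; }
    return $rc
}
```

A host that reports runtime=permissive while its config still says enforcing was switched with setenforce 0 and will return to enforcing at the next reboot; a config finding persists across reboots.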
