Discussion:
Unable to disable SELinux
Paul Cocker
2009-03-13 12:25:51 UTC
Running SELinux on a CentOS 5.2 box, I'm trying to temporarily disable
SELinux via one of the following methods:

1. sudo echo 0 > /selinux/enforce

2. sudo vim /selinux/enforce

The first comes back with

-bash: /selinux/enforce: Permission denied

The second comes back with

Could not set security context for /home/paulc/enforcz~

Could not set security context for /home/paulc/enforcz~
"enforce" E667: Fsync failed
Press ENTER or type command to continue


I believe the first method has worked for me before, but it's possible I
have made changes since then. It was some time ago. What's the cause of
this issue?


Paul Cocker



Stephen Smalley
2009-03-13 12:42:39 UTC
Post by Paul Cocker
Running SELinux on a CentOS 5.2 box, I'm trying to temporarily disable
1. sudo echo 0 > /selinux/enforce
Typically one would run the setenforce 0 command, but that is equivalent
to what you are doing above.
Post by Paul Cocker
2. sudo vim /selinux/enforce
The first comes back with
-bash: /selinux/enforce: Permission denied
This means that your SELinux policy prevented you from changing the
enforcing status. What context are you operating in (id -Z)? What
context is sudo running the command in (sudo id -Z)?
Post by Paul Cocker
The second comes back with
Could not set security context for /home/paulc/enforcz~
Could not set security context for /home/paulc/enforcz~
"enforce" E667: Fsync failed
Press ENTER or type command to continue
/selinux/enforce isn't a real file; it is a pseudo file exported by the
kernel as an interface. So you shouldn't be editing it. In this case,
vi is complaining because it is trying to preserve the context of the
original pseudo file on its backup copy, and that context isn't valid
for a file on a real filesystem.
Post by Paul Cocker
I believe the first method has worked for me before, but it's possible I
have made changes since then. It was some time ago. What's the cause of
this issue?
It's a policy denial - SELinux is preventing whatever context you are
running in from switching the enforcing status.
--
Stephen Smalley
National Security Agency
Martin Orr
2009-03-14 00:36:08 UTC
Post by Stephen Smalley
Post by Paul Cocker
Running SELinux on a CentOS 5.2 box, I'm trying to temporarily disable
1. sudo echo 0 > /selinux/enforce
Typically one would run the setenforce 0 command, but that is equivalent
to what you are doing above.
This isn't true because the redirection will be interpreted by the non-root
shell. You should either do:
sudo setenforce 0
as Stephen suggests, or if you really want to,
sudo sh -c "echo 0 > /selinux/enforce"
Post by Stephen Smalley
Post by Paul Cocker
2. sudo vim /selinux/enforce
The first comes back with
-bash: /selinux/enforce: Permission denied
This means that your SELinux policy prevented you from changing the
enforcing status. What context are you operating in (id -Z)? What
context is sudo running the command in (sudo id -Z)?
No, I think it is DAC because the shell will attempt to open
/selinux/enforce before running sudo.

Best wishes,
--
Martin Orr
Justin Mattock
2009-03-14 20:37:40 UTC
Post by Martin Orr
Post by Stephen Smalley
Post by Paul Cocker
Running SELinux on a CentOS 5.2 box, I'm trying to temporarily disable
1. sudo echo 0 > /selinux/enforce
Typically one would run the setenforce 0 command, but that is equivalent
to what you are doing above.
This isn't true because the redirection will be interpreted by the non-root
sudo setenforce 0
as Stephen suggests, or if you really want to,
sudo sh -c "echo 0 > /selinux/enforce"
Post by Stephen Smalley
Post by Paul Cocker
2. sudo vim /selinux/enforce
The first comes back with
-bash: /selinux/enforce: Permission denied
This means that your SELinux policy prevented you from changing the
enforcing status. What context are you operating in (id -Z)? What
context is sudo running the command in (sudo id -Z)?
No, I think it is DAC because the shell will attempt to open
/selinux/enforce before running sudo.
Best wishes,
--
Martin Orr
I would just use selinux=0 enforcing=0
as a boot param (but if the system doesn't boot
because of selinux=0, then enforcing=0 as a boot param).
But then you still might receive a permission denied
due to /etc/selinux/config saying "enforcing"
(if this is the case, then load a livecd, mount the hard drive,
and use vim to edit /etc/selinux/config and /boot/grub/* to
set everything in permissive).
--
Justin P. Mattock
Russell Coker
2009-03-14 22:52:48 UTC
Post by Justin Mattock
I would just use selinux=0 enforcing=0
as a boot param (but if the system doesn't boot
because of selinux=0, then enforcing=0 as a boot param).
I am not aware of any situation where "selinux=0" will make a machine fail to
boot.

Anyway the request was for a way to "temporarily disable SELinux", in that
case "selinux=0" is a bad idea as that will result in files without labels.
So "enforcing=0" is a much better option.
Post by Justin Mattock
but then you still might receive a permissions denied
due to /etc/selinux/config saying "enforcing"
If there is a program that uses /etc/selinux/config without regard
to /selinux/whatever then it's probably buggy. Please file a bug report if
you discover such a program.
Post by Justin Mattock
(if this is the case, then load a livecd, mount the hard drive,
and use vim to edit /etc/selinux/config and /boot/grub/* to
set everything in permissive).
That's really not necessary.
--
russell-***@public.gmane.org
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog
Justin Mattock
2009-03-14 23:57:54 UTC
Post by Russell Coker
Post by Justin Mattock
I would just use selinux=0 enforcing=0
as a boot param (but if the system doesn't boot
because of selinux=0, then enforcing=0 as a boot param).
I am not aware of any situation where "selinux=0" will make a machine fail to
boot.
I've noticed this a while back, where selinux=0
gave me an "unable to mount root" error (I'll have to see if this
still happens). It might also be caused by having selinux=0
enforcing=0 as a boot param and having
/etc/selinux/config (set in enforcing mode),
but I'll have to look and see when I get a chance.
Post by Russell Coker
Anyway the request was for a way to "temporarily disable SELinux", in that
case "selinux=0" is a bad idea as that will result in files without labels.
So "enforcing=0" is a much better option.
Agree.
Post by Russell Coker
Post by Justin Mattock
but then you still might receive a permissions denied
due to /etc/selinux/config saying "enforcing"
If there is a program that uses /etc/selinux/config without regard
to /selinux/whatever then it's probably buggy. Please file a bug report if
you discover such a program.
I meant the option in /etc/selinux/config
SELINUX=enforcing and/or permissive
Post by Russell Coker
Post by Justin Mattock
(if this is the case, then load a livecd, mount the hard drive,
and use vim to edit /etc/selinux/config and /boot/grub/* to
set everything in permissive).
That's really not necessary.
No, it's not, but sometimes I found myself in a situation
where using this approach helps out (that is, depending on how or what I
did to the system to make it unbootable).
regards;
--
Justin P. Mattock
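For the point Russell and Justin argue over above (programs should consult the kernel's /selinux/enforce, not /etc/selinux/config, and the two can disagree after a `setenforce 0` or an `enforcing=0` boot), here is an added audit check that is not part of the thread. It takes both paths as parameters so it runs against constructed sample files; the /sys/fs/selinux path mentioned in the comments is where newer kernels mount the same interface.

```sh
#!/bin/sh
# Added example (not from the thread): compare the mode the kernel is really
# in (the /selinux/enforce pseudo file; /sys/fs/selinux/enforce on newer
# kernels) with the mode /etc/selinux/config asks for. Drift between the two
# usually means someone ran "setenforce 0" or booted with enforcing=0.

# Configured mode: value of the last uncommented SELINUX= line in the config
# file (enforcing, permissive or disabled), or "unknown" if there is none.
configured_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    [ -n "$mode" ] && printf '%s\n' "$mode" || printf 'unknown\n'
}

# Running mode from the enforce pseudo file: 1 = enforcing, 0 = permissive.
# No readable file means no SELinux interface is mounted (selinux=0 or not built in).
running_mode() {
    if [ ! -r "$1" ]; then printf 'disabled\n'; return; fi
    case "$(cat "$1")" in
        1) printf 'enforcing\n' ;;
        0) printf 'permissive\n' ;;
        *) printf 'unknown\n' ;;
    esac
}

# Exit 0 when running and configured modes agree, 1 (with a message) on drift.
check_drift() {
    have=$(running_mode "$1")
    want=$(configured_mode "$2")
    if [ "$have" = "$want" ]; then
        printf 'ok: running=%s configured=%s\n' "$have" "$want"
        return 0
    fi
    printf 'DRIFT: running=%s configured=%s\n' "$have" "$want"
    return 1
}

# Constructed sample inputs standing in for /selinux/enforce and /etc/selinux/config:
# the kernel is permissive while the config asks for enforcing.
SAMPLE=$(mktemp -d)
printf '0\n' > "$SAMPLE/enforce"
cat > "$SAMPLE/config" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
check_drift "$SAMPLE/enforce" "$SAMPLE/config" || :   # prints DRIFT for the samples
```

On a real box the same functions are called with /selinux/enforce (or /sys/fs/selinux/enforce) and /etc/selinux/config; the exit status makes it usable from a cron job or monitoring check.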
Russell Coker
2009-03-14 00:34:03 UTC
Post by Paul Cocker
Running SELinux on a CentOS 5.2 box, I'm trying to temporarily disable
1. sudo echo 0 > /selinux/enforce
Redirecting standard output is done by your shell. So "sudo echo > file" will
not work unless "echo > file" works. This is not a SE Linux issue.

"sudo setenforce 0" will work.
Post by Paul Cocker
2. sudo vim /selinux/enforce
The first comes back with
-bash: /selinux/enforce: Permission denied
Note that the error is from "bash".
Post by Paul Cocker
The second comes back with
Could not set security context for /home/paulc/enforcz~
Editors such as "vim" are not designed to just write data to a file. In
the /root directory of my SE Linux Play Machine I have a file named
thanks.txt_append_only_dont_edit_with_vi - many people try editing it with vi
and find that it doesn't work.

Generally don't even try using vi to edit "files" under /proc, /sys, or any
other filesystem that is used for kernel communications.
--
russell-***@public.gmane.org
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog
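Martin's and Russell's replies make the same point: the redirection in `sudo echo 0 > /selinux/enforce` is performed by the unprivileged calling shell before sudo ever runs, so the failure is a plain DAC error from bash, not an SELinux denial. The script below is an added illustration, not code from the thread: `fake_sudo` stands in for sudo, a constructed temp file stands in for /selinux/enforce, and noclobber (`set -C`) in the calling shell stands in for the write permission the unprivileged shell lacks and the sudo'd command would have.

```sh
#!/bin/sh
# Added example (not from the thread). Shows why "sudo echo 0 > /selinux/enforce"
# fails before sudo runs, while "sudo sh -c 'echo 0 > /selinux/enforce'" does not.
# Assumptions: fake_sudo stands in for sudo, a temp file stands in for the
# /selinux/enforce pseudo file, and noclobber stands in for missing privilege.

WORK=$(mktemp -d)
TARGET="$WORK/enforce"
MARKER="$WORK/wrapper_ran"
printf '1\n' > "$TARGET"   # "enforcing", like the real pseudo file
set -C                     # from here on this shell may not overwrite existing files

# Stand-in for sudo: leaves a marker proving it was reached, then runs the command.
fake_sudo() {
    : >| "$MARKER"
    "$@"
}

# Form 1, the original poster's command. The calling shell opens $TARGET for
# writing BEFORE fake_sudo starts; the open is refused, the shell prints its own
# error (on the real box: "-bash: /selinux/enforce: Permission denied") and the
# command is never run. Returns 0 if the wrapper was reached, 1 if not.
try_form1() {
    rm -f "$MARKER"
    fake_sudo echo 0 > "$TARGET" || :
    [ -e "$MARKER" ]
}

# Form 2, as suggested in the thread. The redirection is inside the string that
# the wrapped "sh -c" parses, so the child shell performs it after the wrapper
# has control (with real sudo: as root). Same return convention.
try_form2() {
    rm -f "$MARKER"
    fake_sudo sh -c "echo 0 > '$TARGET'" || :
    [ -e "$MARKER" ]
}

# Current content of the stand-in file ("1" = enforcing, "0" = permissive).
target_value() {
    cat "$TARGET"
}

if try_form1; then echo "form 1: wrapper ran"; else echo "form 1: wrapper never ran, file still $(target_value)"; fi
if try_form2; then echo "form 2: wrapper ran, file now $(target_value)"; else echo "form 2: wrapper never ran"; fi
```

The same reasoning applies to `sudo vim /selinux/enforce` only in reverse: there the editor does run as root, but it then tries to treat a kernel pseudo file like a regular file, which is what Stephen and Russell explain above.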
Paul Cocker
2009-03-17 17:06:45 UTC
-----Original Message-----
Sent: 14 March 2009 00:34
To: Paul Cocker
Subject: Re: Unable to disable SELinux
Post by Paul Cocker
Running SELinux on a CentOS 5.2 box, I'm trying to
temporarily disable
Post by Paul Cocker
1. sudo echo 0 > /selinux/enforce
Redirecting standard output is done by your shell. So "sudo
echo > file" will not work unless "echo > file" works. This
is not a SE Linux issue.
"sudo setenforce 0" will work.
Thanks, this is correct; I used this command and all was well.
Post by Paul Cocker
2. sudo vim /selinux/enforce
The first comes back with
-bash: /selinux/enforce: Permission denied
Note that the error is from "bash".
Post by Paul Cocker
The second comes back with
Could not set security context for /home/paulc/enforcz~
Editors such as "vim" are not designed to just write data to
a file. In the /root directory of my SE Linux Play Machine I
have a file named thanks.txt_append_only_dont_edit_with_vi -
many people try editing it with vi and find that it doesn't work.
Generally don't even try using vi to edit "files" under
/proc, /sys, or any other filesystem that is used for kernel
communications.