cancel
Showing results for 
Search instead for 
Did you mean: 
  • 1,430 Views

RHCSA SELinux Question

Hello,

I am currently studying for the RHCSA and would like some clarification on changing the default mode of SELinux to disabled

According to reading and the text in /etc/selinux/config. In RHEL 9, to fully disable SELinux, one must set selinx equal to zero in /etc/default/grub. 

Setting SELINUX=disabled in /etc/selinux/config appears to disable it completely though. 

sestatus -v

SELinux status: disabled. 

/etc/selinux/config reads to fully disable instead of SELinux running with no policy loaded you need to pass selinux=0 to the kernel comman line. This does not appear to be a completely accurate statement since setting /etc/selinux/config works successfully.

I have always used the selinux config change instead of updating grub when I needed selinux disabled on a system.   

A bit nit picky I guess but wanted to know for sure. 

Thanks in advance.

 

Labels (2)
3 Replies
Trevor
Starfighter Starfighter
Starfighter
  • 1,396 Views

HackerMuscle -

Great question!  No such thing as being nitpicky - by the way, it's one word, not two :-).  You requested some clarification, and this is the neighborhood to come and get that clarification!!!

You can "fully" disable SELinux using either method:

1) selinux=0   added to the /etc/default/grub file 

                     or

2)  SELINUX=disabled    added to the /etc/selinux/config file

Using either method, disables SELiniux, which prevents any policy from
being loaded. As the student guide for the course may have mentionbed, it is the SELinux policy that gives SELinux its muscle - what's allowed vs what's denied.

If you have SELinux=enforcing or SELinux=permissive in your /etc/selinux/config file, and selinux=0 in your /etc/default/grub file, you can restart/reboot your system until there's no more electricity to use, and SELinux will remain DISABLED!!!

If you have SELinux=disabled in your /etc/selinux/config file, and selinux=1 in your /etc/default/grub file, you can restart/reboot your system until dolphins fly and parrots live at sea, and SELinux will remain DISABLED!!!

SELinux disabled, means that no policy will be loaded, because no policy can be loaded!!!

Just to give you a little extra, that doesn't have anything to do with 
answering your question, here's another way of making that adjustment
to your /etc/default/grub file:

To disable SELinux:   

          grubby --update-kernel ALL --args selinux=0 

Back to SELinux enabled:  

          grubby --update-kernel ALL --remove-args selinux

 

In summary, you've got 2 options to use that will enable and disable SELinux.

Thanks for the query.  Keep those questions coming!!!

 

Trevor "Red Hat Evangelist" Chandler
  • 1,379 Views

Understood. Thanks for the thoughtful answer to my question Trevor. 

0 Kudos
Chetan_Tiwary_
Community Manager
Community Manager
  • 1,317 Views

Hello @HackerMuscle !
First of all : Permanently disabling Selinux is NOT recommended - SECURITY ALERT !!

It is recommended to use permissive mode instead of permanently disabling SELinux.

"Disabling Selinux using the SELINUX=disabled option in the /etc/selinux/config results in a process in which the kernel boots with SELinux enabled and switches to disabled mode later in the boot process. Because memory leaks and race conditions causing kernel panics can occur, prefer disabling SELinux by adding the selinux=0 parameter to the kernel command line as described in Changing SELinux modes at boot time if your scenario really requires to completely disable SELinux."

Using kernel parameter : selinux=0
This parameter causes the kernel to not load any part of the SELinux infrastructure. The init scripts notice that the system booted with the selinux=0 parameter and touch the /.autorelabel file. This causes the system to automatically relabel the next time you boot with SELinux enabled.

There are 2 prerequisites to change into permissive or enforcing mode : 

1. The selinux-policy-targeted, libselinux-utils, and policycoreutils packages are installed on your system.
2. The selinux=0 or enforcing=0 kernel parameters are not used.

When you are trying to enable SELinux in systems where SELinux is previously disabled : There might be issues such as systems unable to boot or process failures: 

Chetan_Tiwary__0-1696882341375.png

Refer : https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/using_selinux/changing...

 

0 Kudos
Join the discussion
You must log in to join this conversation.