
Can I disable SeLinux only for a particular Service ?

asked 2011-11-18 15:03:54 -0600 by SoumyaC

updated 2011-11-25 22:20:51 -0600 by mether

Just curious to know: if I am facing denials regarding a particular service, can I just turn on different modes of SELinux only for that service, rather than affecting the whole system?


4 Answers

1

answered 2011-11-18 17:04:45 -0600 by lzap

My guess is you can run a service (a process) in unconfined mode. Example:

chcon -t unconfined_exec_t /usr/sbin/httpd

http://docs.redhat.com/docs/en-US/RedHatEnterpriseLinux/6/html/Security-EnhancedLinux/sect-Security-EnhancedLinux-TargetedPolicy-Unconfined_Processes.html

I am not sure if this is what you want; I can only guess it is not very secure to do it in production...


Comments

I wanted to know: suppose my NetworkManager has some issues with SELinux and I just want to disable SELinux, or set the mode to permissive, for NetworkManager only. Can I do it, rather than playing with the SELinux settings for the whole system? Keeping the process unconfined can be the solution.

SoumyaC ( 2011-11-19 03:00:51 -0600 )

@lzap I just wanted to know this for my home system, not in any production. But thanks, that unconfined trick helped

SoumyaC ( 2011-11-19 07:47:02 -0600 )
1

answered 2013-08-07 22:47:20 -0600 by Akshay

updated 2013-08-07 22:51:41 -0600

There is one thing you can do to fix this:

1. Set SELinux to permissive.

2. Monitor the SELinux logs (/var/log/audit/audit.log) and grep the NetworkManager AVC denials.

3. Copy them into a separate file, say seerror.txt.

4. Now use audit2allow to create a policy file:

audit2allow -M mypol -i /path/to/seerror.txt

This will create a policy file mypol.pp.

Now load the policy using semodule:

semodule -i mypol.pp
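To make steps 2 and 3 of this answer concrete, here is an added shell example (not from any of the answers on this page) that filters AVC denials for one source domain out of constructed audit.log lines and summarises the permission/class pairs that audit2allow would turn into allow rules. The sample log lines, the seerror.txt path under $TMPDIR and the reuse of the answer's mypol module name are assumptions made for the demonstration; audit2allow and semodule themselves appear only in comments because they need a real SELinux host.

```shell
#!/bin/sh
# Added example, not from the original answers. Filters AVC denials for one
# source domain so you can review exactly what audit2allow would turn into policy.

# Constructed sample audit.log lines, standing in for /var/log/audit/audit.log
# (which needs root to read). The two NetworkManager_t denials and the one
# httpd_t denial are made up for this demonstration.
SAMPLE_AUDIT='type=AVC msg=audit(1375920000.123:456): avc:  denied  { write } for  pid=1234 comm="NetworkManager" name="resolv.conf" dev="sda1" ino=789 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1375920000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="NetworkManager"
type=AVC msg=audit(1375920001.456:457): avc:  denied  { name_connect } for  pid=2345 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1375920002.789:458): avc:  denied  { read } for  pid=1234 comm="NetworkManager" name="hosts" dev="sda1" ino=790 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file'

# avc_for_domain DOMAIN: read audit lines on stdin and keep only AVC denials
# whose source context type is DOMAIN (e.g. NetworkManager_t). Matching on the
# scontext type rather than on comm= avoids picking up unrelated processes
# that happen to share a name.
avc_for_domain() {
    grep 'type=AVC' | grep 'avc:  denied' | grep "scontext=[^ ]*:$1:"
}

# summarize: reduce denials on stdin to "count permission class" lines, which
# is the shape of the allow rules audit2allow would generate from them.
summarize() {
    sed -n 's/.*denied  { \([^}]*\) }.*tclass=\([a-z_]*\).*/\1 \2/p' | sort | uniq -c
}

# Helpers over the constructed sample (hypothetical names, used for the self-check).
count_sample_denials() {
    printf '%s\n' "$SAMPLE_AUDIT" | avc_for_domain "$1" | grep -c . || true
}
sample_summary() {
    printf '%s\n' "$SAMPLE_AUDIT" | avc_for_domain "$1" | summarize
}

# Step 3 of the answer: write the filtered denials to a separate file. On a
# real system, replace the printf with:  sudo cat /var/log/audit/audit.log
SEERROR="${TMPDIR:-/tmp}/seerror.txt"
printf '%s\n' "$SAMPLE_AUDIT" | avc_for_domain NetworkManager_t > "$SEERROR"
sample_summary NetworkManager_t

# Step 4 on a real host (not run here): build the module, read the generated
# mypol.te to check every rule is one you actually want, then load it.
#   audit2allow -M mypol -i "$SEERROR"
#   semodule -i mypol.pp
```

On a real Fedora host, ausearch -m AVC -c NetworkManager does the same filtering from the audit daemon's own records. Whichever way you collect the denials, read the generated mypol.te before semodule -i mypol.pp, because audit2allow turns every denial in the input file into an allow rule. The type in scontext (here NetworkManager_t) is also the value that semanage permissive -a takes in the answer that suggests a permissive domain instead of a custom module.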
2

answered 2013-08-07 06:51:19 -0600 by none

SELinux has permissive domains, which allow you to put a confined application into permissive mode regardless of the SELinux enforcing mode.

semanage permissive -l - will list all security domains (the context in which an application runs) that are in permissive mode.

semanage permissive -a domain_t - will add this domain to the permissive list, e.g.: semanage permissive -a httpd_t - will move Apache to permissive mode.

0

answered 2011-11-18 23:36:26 -0600 by ZenDark

SELinux is enabled system-wide and you cannot turn it off for a service. If you are having problems with a service you can put it in permissive mode and check whether it works and whether any SELinux alert shows up.

sudo getenforce
> Enforcing

Change to permissive until next reboot

sudo setenforce 0
sudo getenforce
> Permissive

Restart your service so that it runs in the new applied mode...


Comments

Actually you can. Check my answer to this question.

none ( 2013-08-07 06:48:34 -0600 )


Stats

Asked: 2011-11-18 15:03:54 -0600

Seen: 1,887 times

Last updated: Aug 07 '13