Despite being a cornerstone of RHEL security, SELinux remains controversial due to:
- Legacy application compatibility issues
- Performance overhead in high-throughput systems
- Complex policy management for custom deployments
```bash
# Temporary disable (until reboot)
setenforce 0
# Permanent disable (edit config file)
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
```
When to consider disabling:
- Running proprietary software with undocumented kernel interactions (e.g., older Oracle versions)
- Performance-critical systems where context switching overhead matters
- When policy development time exceeds security ROI
```bash
# Required SELinux contexts for Oracle binaries
semanage fcontext -a -t oracle_exec_t "/opt/oracle/product/.*"
restorecon -Rv /opt/oracle/product/
# Port exceptions for Oracle Listener
semanage port -a -t oracle_port_t -p tcp 1521
```
This configuration has been verified working on:
- Oracle 11gR2 on RHEL 5.11
- Targeted policy with custom module additions
- Modified boolean settings for shared memory access
Beyond Oracle, these applications frequently require policy adjustments:
| Software | Common Issues | Workaround |
|---|---|---|
| MongoDB | Memory mapped files | `setsebool -P mongodb_can_use_sysvmem=1` |
| PostgreSQL | Cluster directory labels | `semanage fcontext -a -t postgresql_db_t "/var/lib/pgsql/.*"` |
| Docker | Container isolation | `setsebool -P container_manage_cgroup=1` |
```bash
# Generate human-readable denial reports
ausearch -m avc -ts today | audit2allow -R
# Create custom policy module
ausearch -m avc -ts recent | audit2allow -M mypolicy
semodule -i mypolicy.pp
```
Security-Enhanced Linux (SELinux) remains one of the most debated security frameworks among system administrators. While it provides mandatory access control (MAC) that far exceeds traditional UNIX permissions, its complexity often leads to frustration.
- Legacy Application Support: Older applications (particularly proprietary ones) often fail to account for SELinux contexts. Oracle Database installations on RHEL5 frequently require SELinux to be set to permissive mode.
- Performance-Critical Systems: In high-throughput environments, the additional security checks can introduce measurable latency.
```bash
# Check SELinux status
sestatus
# Temporarily set to permissive (for troubleshooting)
setenforce 0
# Permanent configuration (in /etc/selinux/config)
SELINUX=enforcing
```
These are the most frequent issues I've encountered with enforcing mode:
- Web servers unable to access document roots
- Database processes blocked from writing to data directories
- Custom ports being blocked despite firewall rules
Here's a working configuration that maintains some security while allowing Oracle to function:
```bash
# Create custom policy module for Oracle (type enforcement source)
cat << 'EOF' > oraclepolicy.te
module oraclepolicy 1.0;
require {
    type oracle_t;
    type oracle_exec_t;
    class file { execute execute_no_trans };
}
allow oracle_t oracle_exec_t:file { execute execute_no_trans };
EOF
# Compile and package the module (audit2allow expects AVC log input, not a .te file)
checkmodule -M -m -o oraclepolicy.mod oraclepolicy.te
semodule_package -o oraclepolicy.pp -m oraclepolicy.mod
# Install and activate the policy
semodule -i oraclepolicy.pp
```
| Vendor | Common Issues |
|---|---|
| Oracle | Requires permissive mode for installer |
| SAP | Custom kernel modules often blocked |
| IBM WebSphere | JVM sandbox conflicts |
When things go wrong, these commands are lifesavers:
```bash
# View recent denials
ausearch -m avc -ts recent
# Generate human-readable reports
sealert -a /var/log/audit/audit.log
# Get context of files/folders
ls -Z /path/to/file
```
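Before feeding denials straight into `audit2allow -M` (which will happily emit an allow rule for a mislabeled file that only needed `restorecon`), it helps to sort them by what kind of fix they call for. The script below is an added example, not part of the original article: it classifies AVC records from `ausearch` into relabel, port/boolean, or custom-module cases. The three audit lines are constructed samples; `oracle_t` and `oracle_port_t` are taken from the Oracle configuration above.

```bash
#!/bin/sh
# Constructed sample AVC records (not real audit data); type names follow the article's Oracle setup.
SAMPLE_AVC=$(cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.202:502): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=1521 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:oracle_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.303:503): avc:  denied  { execmem } for  pid=2301 comm="oracle" scontext=system_u:system_r:oracle_t:s0 tcontext=system_u:system_r:oracle_t:s0 tclass=process permissive=0
EOF
)

# Read AVC records on stdin (e.g. from `ausearch -m avc -ts recent`) and print one
# triage line per denial: comm source_type target_type class perms => suggested fix.
triage_avc() {
    awk '
    /avc: +denied/ {
        perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        s = t = c = comm = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^scontext=/) { s = substr($i, 10) }
            else if ($i ~ /^tcontext=/) { t = substr($i, 10) }
            else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
            else if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
        }
        split(s, sa, ":"); split(t, ta, ":")
        st = sa[3]; tt = ta[3]
        # Mislabeled files are fixed by relabeling, never by a new allow rule.
        if (c == "file" || c == "dir" || c == "lnk_file") {
            if (tt == "default_t" || tt == "unlabeled_t")
                sugg = "relabel: semanage fcontext + restorecon"
            else
                sugg = "file access: check booleans before writing a module"
        } else if (c ~ /socket$/) {
            sugg = "network: semanage port / getsebool -a | grep connect"
        } else {
            sugg = "custom module: review, then audit2allow -M"
        }
        printf "%s %s %s %s %s => %s\n", comm, st, tt, c, perms, sugg
    }'
}

# Example run on the constructed sample; in production, pipe ausearch output instead.
printf '%s\n' "$SAMPLE_AVC" | triage_avc
```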
Instead of completely disabling SELinux, consider:
- Running in permissive mode during development
- Creating custom policies for your applications
- Using boolean flags to relax specific controls
```bash
# Example: Allow HTTPD to connect to network
setsebool -P httpd_can_network_connect on
```