SELinux – Why I need it and why is it still on??

If you know CentOS or Red Hat you are probably familiar with SELinux.
For me the history with SELinux is simple: I know about it, I always disable it, and that's it.
As most of you probably know, there is an abundance of explanations on the web on how to disable, enable or configure SELinux, so I won't bother you with that information.

However, I would like to share a fun story about one of our engineers who tried to disable the feature to get something working and was wondering why SELinux kept starting up when he rebooted the server.

In my environments for the past few years I have disabled SELinux via the PXE+kickstart installation or Ansible. Recently, though, some of our engineers started spinning up their own CentOS servers in AWS for testing, and they ran into several configuration issues. Since I'm swamped with work I can't do the installation and configuration of these servers myself, so the engineers asked for my help several times and then just wrote a small document on how to turn an AWS CentOS server into what they were used to.

Here is the configuration they sent:

# Connect to the Machine
ssh -i {KEY} centos@{SERVER}
# Enable root login (This is not smart security wise)
sudo su
sed -i.bak "s/#PermitRootLogin/PermitRootLogin/g" /etc/ssh/sshd_config
systemctl restart sshd
mv ~/.ssh/authorized_keys{,.org}
cp  ~centos/.ssh/authorized_keys ~/.ssh/
sed -i.bak 's/^SELINUX=.*/SELINUX=disabled/g' /etc/sysconfig/selinux

All the information on the web says "edit /etc/sysconfig/selinux and reboot", right?
Yet the line disabling SELinux didn't work; to our befuddlement, nothing we did solved the issue.

After reading some blogs (no, I can't find the one with the info) I learned something new: /etc/sysconfig/selinux isn't the configuration file at all, only a symlink to the real one, which lives at /etc/selinux/config. That matters because GNU sed's -i option does not follow symlinks by default. It writes its output to a temporary file and renames that over the path you gave it, so the symlink at /etc/sysconfig/selinux is replaced by a plain file containing SELINUX=disabled (the old symlink is kept as selinux.bak), while /etc/selinux/config, the file SELinux actually reads at boot, still says SELINUX=enforcing. You can spot the damage with ls -l /etc/sysconfig/selinux (it is no longer a link), and confirm the live state after a reboot with getenforce or sestatus.

So the actual line should be:

sed -i.bak 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
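To make the failure mode concrete, here is an added example (not from the original post or the engineers' document) that reproduces it in a scratch directory as an unprivileged user, so nothing on a live host is touched. It assumes GNU sed, the one shipped on CentOS/RHEL, since --follow-symlinks is a GNU extension. The fixture mirrors the real layout: etc/selinux/config is the real file and etc/sysconfig/selinux is a symlink to it. The engineers' command is run against the symlink, then the two fixes (editing the real file, as in the corrected command above, or telling sed to follow the link) are run against fresh copies.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the engineers' document.
# Reproduces the /etc/sysconfig/selinux symlink gotcha in a scratch directory
# so it can be run as an unprivileged user on any box with GNU sed (assumed).
set -eu

BASE=$(mktemp -d)
trap 'rm -rf "$BASE"' EXIT

# Lay out a throw-away copy of the CentOS/RHEL structure: etc/selinux/config is
# the real file and etc/sysconfig/selinux is a symlink pointing at it.
make_fixture() {
    local root
    root=$(mktemp -d "$BASE/fixture.XXXXXX")
    mkdir -p "$root/etc/selinux" "$root/etc/sysconfig"
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$root/etc/selinux/config"
    ln -s ../selinux/config "$root/etc/sysconfig/selinux"
    printf '%s\n' "$root"
}

# The SELINUX= value in the file SELinux actually reads at boot.
config_mode() {
    sed -n 's/^SELINUX=//p' "$1/etc/selinux/config"
}

# "symlink" or "regular": what etc/sysconfig/selinux is after an edit.
sysconfig_kind() {
    if [ -L "$1/etc/sysconfig/selinux" ]; then echo symlink; else echo regular; fi
}

# The engineers' command, aimed at the symlink. GNU sed -i writes a temp file
# and renames it over the given path, so the symlink is replaced by a regular
# file (the old link is kept as selinux.bak) and the real config never changes.
disable_via_symlink_broken() {
    sed -i.bak 's/^SELINUX=.*/SELINUX=disabled/' "$1/etc/sysconfig/selinux"
}

# Fix 1: edit the real file, as the corrected command in the post does.
disable_via_target() {
    sed -i.bak 's/^SELINUX=.*/SELINUX=disabled/' "$1/etc/selinux/config"
}

# Fix 2: keep the symlink path but tell GNU sed to edit the link's target.
disable_follow_symlinks() {
    sed -i.bak --follow-symlinks 's/^SELINUX=.*/SELINUX=disabled/' "$1/etc/sysconfig/selinux"
}

# One line per scenario: what the symlink became and what the real file says.
report() {
    printf '%-8s sysconfig/selinux: %s, selinux/config: SELINUX=%s\n' \
        "$1" "$(sysconfig_kind "$2")" "$(config_mode "$2")"
}

demo() {
    local r
    r=$(make_fixture); disable_via_symlink_broken "$r"; report broken: "$r"
    r=$(make_fixture); disable_via_target "$r";         report target: "$r"
    r=$(make_fixture); disable_follow_symlinks "$r";    report follow: "$r"
}
demo
```

The "broken:" line shows a regular file and SELINUX=enforcing, which is exactly why the server kept booting with SELinux on; the other two show the symlink intact and the real file changed. On a real host the equivalent check is ls -l /etc/sysconfig/selinux (it should still point at /etc/selinux/config) followed by getenforce after the reboot. The same trap applies to any sed -i in a kickstart %post or an Ansible shell task that targets the symlink path, which is one reason to prefer the real path or Ansible's selinux module over a text substitution.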

This simple but annoying bug took me the best part of 10 minutes.
Well, sometimes you have to set up proper automation.
The first chance I get I will write an Ansible playbook for them to run. That will be much easier, no?

2 thoughts on “SELinux – Why I need it and why is it still on??”

  1. I guess this organization doesn’t have any security reviews? Otherwise, how would anyone be allowed to disable an essential security feature under any circumstance other than testing.

1. Well, this is very delicate stuff.
      Regarding internal devices, yes, I see (most of the time) no benefit in running this security measure, just like I don't use iptables for any internal, non-front-facing server.
      Yes, SELinux is very good and can provide good benefits when you have a tight, closed environment or a front-facing server, but not in a lot of situations.
      Regarding security review: in all the security tests I have ever conducted (inside and out), not even one security specialist asked about that or alerted me that it is down on my servers.
      One more thought: SELinux is enabled by default in Red Hat type OSs, but I have never seen it enabled by default on any of my Debian ones. I wonder why that is (as I understand it, all Debian-related releases support it fully).

      And just for fun:

      (note – I do want to learn SELinux more in depth to make sure I use it fully – and I’m currently working on that)
