Tuesday, March 15, 2016

OEL/Linux: Turning off or disabling SELinux

SELinux is a set of extra security restrictions on top of the normal Linux security tools. It gives the systems administrator a finer grain of control than what the kernel typically provides.

But SELinux can sometimes get in your way. For example, I have had typical services, such as Apache, appear to start up correctly but remain inaccessible from the outside world, because I forgot to allow the apache user rights to open that port, or maybe my distro forgot about it. Before you turn off SELinux, make sure you know why you are turning it off and the security concerns you might be opening yourself up to.

 

Test if SELinux is running

You can test to see if SELinux is currently enabled with the following command:

Root/#> selinuxenabled && echo enabled || echo disabled

 

Turning off SELinux temporarily

Disabling SELinux temporarily is the easiest way to determine if the problem you are experiencing is related to your SELinux settings. To turn it off, you will need to become the root user on your system and execute the following command:

Root/#> echo 0 > /selinux/enforce

 

This temporarily turns off SELinux until it is either re-enabled or the system is rebooted. To turn it back on you simply execute this command:

Root/#> echo 1 > /selinux/enforce

 

As you can see from these commands what you are doing is setting the file /selinux/enforce to either '1' or '0' to denote 'true' and 'false'.

 

Configuring SELinux to log warnings instead of block

You can also configure SELinux to give you a warning message instead of actually prohibiting the action. This is known as permissive mode. To change SELinux's behavior to permissive mode you need to edit the configuration file. On Fedora and RHEL systems that file is located at /etc/selinux/config. You need to change the SELINUX option to permissive like so:

SELINUX=permissive

 

Note that these changes will not take effect until the system is rebooted, which is why the first section comes in handy on a system you either cannot or do not want to reboot right now.

 

Completely turning off SELinux

To disable SELinux completely, set the SELINUX option in the configuration file to disabled instead of permissive:

SELINUX=disabled

 

For this to take effect you will need to reboot your system; until then, you can temporarily set SELinux to non-enforcing mode as in the example above.
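Because edits to /etc/selinux/config only apply at the next boot while /selinux/enforce changes the running kernel, the two can disagree. The following is an added example, not part of the original post: a shell check that reports that difference. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the SELinux mode configured on disk with the
# mode the running kernel reports. Function names are hypothetical.

# Print the SELINUX= value from a config file (last active setting wins).
# Comment lines and SELINUXTYPE= do not match the pattern.
configured_mode() {
    awk -F= '/^[[:space:]]*SELINUX=/ { gsub(/[[:space:]]/, "", $2); mode = $2 }
             END { print (mode == "" ? "unknown" : tolower(mode)) }' "$1"
}

# Map the content of the enforce file (0 or 1) to a mode name.
# A missing file means SELinux is not loaded in the running kernel.
runtime_mode() {
    if [ ! -r "$1" ]; then
        echo disabled
        return
    fi
    case "$(cat "$1")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Report whether the next reboot would change the effective mode.
selinux_drift() {
    cfg=$(configured_mode "$1")
    run=$(runtime_mode "$2")
    if [ "$cfg" = "$run" ]; then
        echo "consistent: $run"
    else
        echo "drift: running=$run configured=$cfg (applies at next boot)"
    fi
}

# Demo on constructed sample files (not read from a real host).
demo_dir=$(mktemp -d)
printf 'SELINUX=permissive\nSELINUXTYPE=targeted\n' > "$demo_dir/config"
printf '1' > "$demo_dir/enforce"
selinux_drift "$demo_dir/config" "$demo_dir/enforce"
rm -rf "$demo_dir"
```

On a host laid out as in this post, the call would be selinux_drift /etc/selinux/config /selinux/enforce.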

OEL - Firewall not disabled on OEL 6 after running chkconfig iptables off and system reboot

To fix the problem you need to disable libvirtd:

# chkconfig libvirtd off

# chkconfig libvirt-guests off

# chkconfig ip6tables off

# chkconfig iptables off

# chkconfig --list | egrep 'iptables|ip6tables|libvirt'

ip6tables 0:off 1:off 2:off 3:off 4:off 5:off 6:off

iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off

libvirt-guests 0:off 1:off 2:off 3:off 4:off 5:off 6:off

libvirtd 0:off 1:off 2:off 3:off 4:off 5:off 6:off

 

After a reboot the firewall should now be disabled:

[root@grac43 ~]# service iptables status

iptables: Firewall is not running.

 

Monday, March 7, 2016

Solaris/MySQL: "host not allowed to connect" problem

Edit /etc/mysql/my.cnf file and find a line like:

# vi /etc/mysql/my.cnf

bind-address = 127.0.0.1

 

Add another line below stating your public address:

bind-address = 192.168.1.1

 

Where 192.168.1.1 corresponds to the IP for which you want to enable remote connections. 127.0.0.1 is the original IP for localhost.

After saving, log in to mysql:

mysql -u USERNAME -pPASSWORD

 

Where USERNAME and PASSWORD are the MySQL credentials used to access the MySQL default database.

Take a look at the MySQL users system table:

mysql> select host, user from mysql.user;

+-----------+------------------+

| host      | user             |

+-----------+------------------+

| 127.0.0.1 | root             |

| localhost | debian-sys-maint |

| localhost | root             |

| ubuntu    | root             |

+-----------+------------------+

4 rows in set (0.00 sec)

 

Fix privileges with the following command:

mysql> update mysql.user set host='%' where host='127.0.0.1';

 

Check the users table again:

mysql> select host, user from mysql.user;

+-----------+------------------+

| host      | user             |

+-----------+------------------+

| %         | root             |

| localhost | debian-sys-maint |

| localhost | root             |

| ubuntu    | root             |

+-----------+------------------+

4 rows in set (0.00 sec)

 

Things are fine, % stands for 'any host'.

Now we log out from mysql with Ctrl+D and restart the server:

# service mysql restart
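Since % lets an account connect from any host, the following added example (not part of the original post) reads the table output shown above and lists every account whose host is a wildcard, so those entries can be reviewed. The function names are hypothetical and the embedded table is a constructed copy of the post's output.

```shell
#!/bin/sh
# Added example: flag MySQL accounts whose host column contains a wildcard.
# Input is the ASCII table printed by: select host, user from mysql.user;

# wildcard_accounts (hypothetical helper): reads the table on stdin and
# prints user@host for every row whose host uses the % or _ wildcard.
wildcard_accounts() {
    awk -F'|' '
        NF >= 3 {
            host = $2; user = $3
            gsub(/^[ \t]+|[ \t]+$/, "", host)
            gsub(/^[ \t]+|[ \t]+$/, "", user)
            if (host == "host" && user == "user") next
            if (host ~ /[%_]/) print user "@" host
        }'
}

# Constructed sample: the users table from the post, after the update.
sample_table() {
    cat <<'EOF'
+-----------+------------------+
| host      | user             |
+-----------+------------------+
| %         | root             |
| localhost | debian-sys-maint |
| localhost | root             |
| ubuntu    | root             |
+-----------+------------------+
EOF
}

sample_table | wildcard_accounts    # prints: root@%
```

On a live server the function can read the output of mysql -t -e 'select host, user from mysql.user' instead of the sample.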

 

Solaris: Zone stuck in shutting_down state

This situation occurs when we execute a zoneadm -z ZONENAME halt command and, afterwards, the status of the Solaris Local Zone doesn't change from the Running state to the Installed state but remains in the Shutting_down state.

To solve this problem, try one or more of the following commands in the Global Zone until the zone state changes to Installed:

# ps -fz ZONENAME

# zoneadm -z ZONENAME unmount -f

# zoneadm -z ZONENAME reboot -- -s

# pkill -9 -z ZONENAME

 

After the first command, kill the processes listed by the ps command.

If after these commands the zone is still in the shutting_down or down state, a reboot of the Global Zone should be necessary.

Sunday, March 6, 2016

Linux: Extract single file from a compressed tarball

In Linux, execute the following command:

# tar -zxvf FILE.tar.gz --wildcards --no-anchored SINGLE_FILE_TO_EXTRACT

Where FILE.tar.gz is the compressed tarball and SINGLE_FILE_TO_EXTRACT is the file to extract. It is extracted under the current directory, keeping its original directory path from the archive.
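With --no-anchored the name matches at any directory depth, so one name can select several members. The following added example (not part of the original post) lists the matches first and extracts only when exactly one member matches. The helper names and the archive contents are constructed, and GNU tar is assumed.

```shell
#!/bin/sh
# Added example: extract one member only when the name is unambiguous.
# extract_single and make_demo_archive are hypothetical helpers; GNU tar.

# extract_single ARCHIVE NAME DESTDIR
# Lists what NAME matches with --wildcards --no-anchored (any directory
# depth), refuses if several members match, then extracts the exact member.
extract_single() {
    archive=$1; name=$2; dest=$3
    matches=$(tar -ztf "$archive" --wildcards --no-anchored "$name" 2>/dev/null) || {
        echo "no member matches '$name' (or archive unreadable)" >&2
        return 2
    }
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "refusing: $count members match '$name'" >&2
        printf '%s\n' "$matches" >&2
        return 1
    fi
    tar -zxf "$archive" -C "$dest" "$matches"
    printf '%s\n' "$matches"
}

# Build a constructed archive holding the same file name at two depths.
make_demo_archive() {
    mkdir -p "$1/src/app/conf" "$1/src/backup/conf"
    echo live > "$1/src/app/conf/settings.ini"
    echo old > "$1/src/backup/conf/settings.ini"
    echo hi > "$1/src/app/README"
    tar -czf "$1/demo.tar.gz" -C "$1/src" app backup
}

work=$(mktemp -d)
mkdir "$work/out"
make_demo_archive "$work"
extract_single "$work/demo.tar.gz" settings.ini "$work/out" || echo "ambiguous"
extract_single "$work/demo.tar.gz" README "$work/out"
rm -rf "$work"
```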

Solaris / Linux: Change a text string inside file without using an editor

This is useful when we need to change a string or sentence inside a file without opening it in an editor like vi or vim.

Execute the following command to change the desired string globally; in other words, this syntax changes every occurrence of the string inside the file:

perl -pi -e 's/OLD_STRING/NEW_STRING/g' FILE

 

Example:

perl -pi -e 's/PermitRootLogin no/PermitRootLogin yes/g' /etc/ssh/sshd_config

 

Solaris: Rename Oracle VM guest (LDOM)

This procedure renames an Oracle VM for SPARC guest (LDOM), which means backing up its configuration and restoring it under the new name.

 

There is no way to rename LDOM without rebooting.

 

Execute the following commands to back up the configuration and delete the old LDOM:

 

# ldm list-constraints -x OLD_LDOM_NAME > NEW_LDOM_NAME.xml

# ldm stop OLD_LDOM_NAME

# ldm unbind OLD_LDOM_NAME

# ldm destroy OLD_LDOM_NAME

 

Edit the XML file, locate the OLD_LDOM_NAME string and change it to NEW_LDOM_NAME as desired.

 

# vi NEW_LDOM_NAME.xml

 

Execute the following commands to restore the configuration and start the new LDOM with the same configuration as the old LDOM:

 

# ldm add-domain -i NEW_LDOM_NAME.xml

# ldm bind NEW_LDOM_NAME

# ldm start NEW_LDOM_NAME

 

Where OLD_LDOM_NAME is the LDOM to be renamed and NEW_LDOM_NAME is the new name as desired.

 

IMPORTANT: Put NEW_LDOM_NAME.xml file in a safe place to avoid any problem when restoring configuration of LDOM.