SELinux won’t disable on CentOS 6

The problem:

Setting SELINUX to disabled in /etc/sysconfig/selinux does not work.  SELinux continues to run in Enforcing mode even after a reboot.

The cause:

/etc/sysconfig/selinux should be a symbolic link to /etc/selinux/config but it sometimes gets created as a file.  This means you can edit it to your heart’s content and it won’t change a thing.

The solution:

Option 1:

Edit both /etc/sysconfig/selinux and /etc/selinux/config.

Option 2:

Fix the issue by making /etc/sysconfig/selinux a symbolic link again.
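
One way to carry out Option 2, as an added example that is not part of the original post: it detects a regular file in place of the link, warns if its SELINUX= value differs from /etc/selinux/config, keeps a backup and recreates the link. The function names and the ROOT parameter are hypothetical, and the relative target ../selinux/config is the stock RHEL/CentOS layout.

```shell
#!/bin/sh
# Added example (not from the original post). ROOT is a hypothetical parameter
# so the functions can be tried on a scratch tree; pass "" for the live system.

# Return 0 if the symlink is intact, 1 if a regular file sits in its place,
# 2 if the path is absent or links somewhere else.
selinux_link_state() {
    root=$1
    link="$root/etc/sysconfig/selinux"
    real="$root/etc/selinux/config"
    if [ -L "$link" ]; then
        [ "$(readlink -f "$link")" = "$(readlink -f "$real")" ] && return 0
        return 2
    fi
    [ -f "$link" ] && return 1
    return 2
}

# Print the SELINUX= value from a config file (last assignment wins).
selinux_mode_in() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Replace a stray regular file with the symlink, keeping a backup and warning
# when the stray copy and /etc/selinux/config disagree about the mode.
repair_selinux_link() {
    root=$1
    link="$root/etc/sysconfig/selinux"
    real="$root/etc/selinux/config"
    state=0
    selinux_link_state "$root" || state=$?
    [ "$state" -eq 0 ] && return 0
    if [ "$state" -eq 1 ]; then
        if [ "$(selinux_mode_in "$link")" != "$(selinux_mode_in "$real")" ]; then
            echo "warning: $link says '$(selinux_mode_in "$link")' but" \
                 "$real (the file that is read) says '$(selinux_mode_in "$real")'" >&2
        fi
        mv "$link" "$link.bak" || return 1
    else
        rm -f "$link"
    fi
    ln -s ../selinux/config "$link"
}
```

Run repair_selinux_link "" as root on the affected host, then make the intended SELINUX= change in /etc/selinux/config.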




Configuring SELinux to allow the sharing of a directory by Samba

Tested on RHEL6/CentOS6.

As root:

# mkdir /data
# ls -dZ /data
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /data
# semanage fcontext -a -t samba_share_t '/data(/.*)?'
# restorecon -R /data
# ls -dZ /data
drwxr-xr-x. root root unconfined_u:object_r:samba_share_t:s0 /data

You may also want to run the following:
setsebool -P samba_export_all_rw 1

Getting Corosync networking to work with SELinux

The following steps are necessary to get Corosync UDP networking to work with SELinux enabled.

Update: If you use port numbers 5404 and 5405, you will not need to perform any of the steps listed below.  These are the ports used by Red Hat’s Cluster Suite and are configured in the latest selinux-policy packages (as of 2013/05/23) to allow heartbeat and corosync to bind to them.

The Setup:

  • CentOS 6.3
  • SELinux is enabled
  • Corosync is configured to use UDP port 5000

1. Install the semanage tool.

yum install policycoreutils-python

2. Determine the ports to allow.

Corosync uses two UDP ports, one for sending and a second for receiving.  In the corosync.conf file you only specify one of the two.  The second port is the specified port minus 1.  So if you’re using port 5000, the second port is 4999.

3. Add the two ports to the netsupport_port_t SELinux type.

semanage port -a -t netsupport_port_t -p udp 4999
semanage port -a -t netsupport_port_t -p udp 5000

4. Restart corosync.

Even though we updated SELinux, a running corosync process is still running under the old rules.  Restarting corosync will create a new corosync process running with the updated SELinux rules.


Edit 2012.7.20 Fixed port numbers.



Allowing KVM/QEMU to use NFS on RHEL6

1. Check the status of the virt_use_nfs boolean in SELinux.
getsebool virt_use_nfs

2. Temporarily turn on the boolean.
setsebool virt_use_nfs on

3. Check the status of the virt_use_nfs boolean in SELinux.
getsebool virt_use_nfs

4. If you want to make the change persistent, then add the -P option to setsebool.
setsebool -P virt_use_nfs on