3 Replies Latest reply: Jan 25, 2011 1:42 PM by avainola

    SELinux, modes and licenses?


      I am not very familiar with Linux myself, so apologies if something I say is wrong; correct information will be appreciated, of course. What I wanted to ask, if anyone knows the answer, is this: SELinux, as I understand it, is not a separate operating system but rather a mode in which Linux can be run? So any certification, if it is valid for some Linux version which can be run in SELinux mode, makes it valid for that combination for SELinux as well (unless specified differently and specifically)?

      Also, the modes like "disabled", "enabled" and "permissive" were asked about; however, as I understand it, these modes are more important for running and managing the system and may need to be turned on or off to receive support or perform updates, but they're not related to licenses as such?
        • 1. Re: SELinux, modes and licenses?
          SELinux is an internal subsystem of the Linux operating system. As such, it has no bearing on an O/S support entitlement.

          However, SELinux is extremely invasive and has its tentacles in many other subsystems within Linux. The various modes (every access must be approved, or "enforcing"; access not permitted by SELinux rules but allowed with a warning, or "permissive"; or not used or "disabled") do have implications for user-space applications and operating system internals.

          For this reason, Oracle products such as the OCFS2 file system are only usable in SELinux "disabled" mode; the "permissive" mode is still too invasive for the current OCFS2 drivers and is not allowed.

          To summarize:
          1. SELinux does not affect O/S-level support.
          2. Most Oracle products require that SELinux be turned off as part of the certified configuration.
          Note: in older systems such as OEL4/RHEL4 the SELinux feature is quite buggy and should never be used at all.
          • 2. Re: SELinux, modes and licenses?
            Security-Enhanced Linux (SELinux) is a Linux feature that provides a mechanism for supporting access control security policies.


            SELinux is a set of extra security restrictions on top of the normal Linux security tools. It gives the systems administrator a finer grain of control than what the kernel typically provides. It will, for example, prevent a program from accessing a system library unless the policy or the administrator allows it. When enabled, it will prevent programs like Oracle from operating. In permissive mode it will log access and most likely cause unnecessary processing overhead.

            To change SELinux's behavior you can edit the configuration file. On Fedora and RHEL systems that file is located at /etc/selinux/config.

            Edited by: Dude on Jan 24, 2011 1:38 PM
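
An added example, not part of the original replies and not Oracle or distribution tooling: a POSIX shell check that reads the SELINUX= line from the configuration file mentioned above and compares it with the mode a certified configuration requires, also flagging a running mode that differs from the file. The function names, the first-match parsing rule and the sample file contents are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit the SELinux mode in a config file.

# Print the mode (enforcing|permissive|disabled) configured in file $1.
# Returns 1 if the file is unreadable, 2 if it has no valid SELINUX= line.
selinux_config_mode() {
    cfg=$1
    [ -r "$cfg" ] || return 1
    # Commented lines and SELINUXTYPE= do not match; the first SELINUX=
    # assignment wins (an assumption of this example).
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$cfg" |
        head -n 1 | tr '[:upper:]' '[:lower:]')
    case $mode in
        enforcing|permissive|disabled) printf '%s\n' "$mode" ;;
        *) return 2 ;;
    esac
}

# Compare the mode configured in $1 with the required mode $2.
# $3 is the running mode; if omitted, getenforce is used when installed.
# Returns 0 = match, 1 = config differs or is invalid, 3 = runtime differs.
check_selinux_mode() {
    cfg=$1 want=$2 run=${3:-}
    have=$(selinux_config_mode "$cfg") || {
        echo "FAIL: no valid SELINUX= line in $cfg"; return 1; }
    if [ "$have" != "$want" ]; then
        echo "FAIL: $cfg sets SELINUX=$have, required: $want"; return 1
    fi
    if [ -z "$run" ] && command -v getenforce >/dev/null 2>&1; then
        run=$(getenforce | tr '[:upper:]' '[:lower:]')
    fi
    if [ -n "$run" ] && [ "$run" != "$have" ]; then
        echo "WARN: running mode is $run but $cfg sets SELINUX=$have"; return 3
    fi
    echo "OK: SELINUX=$have"
}

# Constructed sample config and running mode, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# SELINUX= can take one of: enforcing, permissive, disabled
SELINUX=disabled
SELINUXTYPE=targeted
EOF
check_selinux_mode "$sample" disabled disabled
rm -f "$sample"
```

On a real host, call `check_selinux_mode /etc/selinux/config disabled` (or whichever mode the certified configuration names) and leave the third argument off so the running mode is taken from `getenforce`.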
            • 3. Re: SELinux, modes and licenses?

              Thank you both for your replies, this clarified several things to me.