
Why do I need to turn off SELinux?

Hello all,

I am planning to install Cloudera Manager, and I have received a question from the security sector about SELinux, because in my request I asked to disable SELinux based on installation issues. I just want to know: why do I need to turn off/disable SELinux?

In my understanding, its architecture strives to separate enforcement of security decisions from the security policy itself, and streamlines the amount of software involved with security policy enforcement. If SELinux is a part of the kernel and a security implementation, could disabling it cause a security breach? Besides knowing why, I'd like to know if there is a way to keep SELinux and install Cloudera.

I am thankful for your help with these philosophical questions.


Re: Why do I need to turn off SELinux?

@wchagas

 

One common reason to disable the firewall is that, as we know, HDFS maintains replication across different nodes/racks, but it shouldn't take any extra time for that. Setting a firewall using SELinux may disturb this or lead to performance issues. So the general recommendation is to disable the firewall. But I believe in some cases users are still using Hadoop with a firewall for security reasons (if the business really demands it).

Regarding your question about security, you can follow the other recommended security measures like Kerberos, Sentry, etc. (depending upon your needs).


Re: Why do I need to turn off SELinux?

It is an issue with the installation. I don't know precisely what the issue is, though. You can disable it, or set it to permissive, complete the installation, and then revert it back. I have always just kept it off, but presumably, you would need to repeat this for each upgrade.

Re: Why do I need to turn off SELinux?

Well, we need to disable SELinux just while installing Cloudera; after that you can tell your security team to enable it again. Your CM will run smoothly.


Re: Why do I need to turn off SELinux?

During install, if SELinux is enabled, then apparently the Hadoop directories created in /var/lib, like hbase, hive, impala, sqoop, zookeeper etc., seem to have all the permissions set as 000 instead of 755 and are also owned by root instead of the service accounts. This causes these roles to be unable to start up. Ended up having to chmod 755 and chown all these 15 or so directories, after which the install completed successfully.
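
A post-install check for the symptom reported in the last reply (service directories left at mode 000 and owned by root), as an added example that is not part of the original thread or Cloudera's tooling. The function names are hypothetical; it assumes GNU `stat` and, unless an owner is given as `name:owner`, that each directory should be owned by an account of the same name.

```shell
#!/bin/sh
# Added example: audit service data directories after an install performed
# with SELinux enabled. Expected state per the thread: mode 755, owned by
# the service account rather than root.

# audit_service_dirs BASE ENTRY...
#   ENTRY is "dirname" or "dirname:expected_owner" (assumption: the owner
#   defaults to the directory name when none is given).
#   Prints one line per problem; returns 1 if any directory needs attention.
audit_service_dirs() {
    _base=$1; shift
    _bad=0
    for _entry in "$@"; do
        _name=${_entry%%:*}
        _owner=${_entry#*:}          # equals the entry when no ":" is present
        if [ "$_owner" = "$_entry" ]; then _owner=$_name; fi
        _path=$_base/$_name
        if [ ! -d "$_path" ]; then
            echo "MISSING  $_path"
            _bad=1
            continue
        fi
        _mode=$(stat -c '%a' "$_path")      # octal mode, e.g. 755 or 0
        _actual=$(stat -c '%U' "$_path")    # owning user name
        if [ "$_mode" != "755" ] || [ "$_actual" != "$_owner" ]; then
            echo "BAD      $_path mode=$_mode owner=$_actual (want 755 $_owner)"
            _bad=1
        fi
    done
    return "$_bad"
}

# Report the current SELinux mode when getenforce is installed.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then getenforce; else echo unknown; fi
}

# Audit the directories named in the thread when invoked with --audit.
if [ "${1:-}" = "--audit" ]; then
    echo "SELinux mode: $(selinux_mode)"
    rc=0
    audit_service_dirs /var/lib hbase hive impala sqoop zookeeper || rc=$?
    exit "$rc"
fi
```

Running it with `--audit` after each install or upgrade lists the directories that would still need the `chmod`/`chown` fix before the roles are started.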
