Why do I need to turn off SELinux?

New Contributor

Hello all,

I am planning to install Cloudera Manager, and I have received a question from the security sector about SELinux, because in my request I asked to disable SELinux based on installation issues. I just want to know: why do I need to turn off/disable SELinux?

In my understanding, its architecture strives to separate enforcement of security decisions from the security policy itself, and streamlines the amount of software involved with security policy enforcement. If SELinux is a part of the kernel and a security implementation, could disabling it maybe cause a security breach? Besides knowing why, I'd like to know if there is a way to keep SELinux and install Cloudera.

I am thankful for your help with these philosophical questions.

1 ACCEPTED SOLUTION

Champion

@wchagas

One common reason to disable the firewall is that, as we know, HDFS maintains replication across different nodes/racks, but it shouldn't take any extra time for that. Setting a firewall using SELinux may disturb this or lead to performance issues. So the general recommendation is to disable the firewall. But I believe in some cases users are still using Hadoop with a firewall for security reasons (if the business really demands it).

Regarding your question about security, you can follow the other recommended security measures like Kerberos, Sentry, etc. (depending on your needs).


4 REPLIES

Champion
It is an issue with the installation. I don't know precisely what the issue is, though. You can disable it, or set it to permissive, complete the installation, and then revert it. I have always just kept it off, but presumably you would need to repeat this for each upgrade.

Expert Contributor

During install, if SELinux is enabled, then apparently the Hadoop directories created in /var/lib, like hbase, hive, impala, sqoop, zookeeper etc., seem to have all the permissions set as 000 instead of 755, and are also owned by root instead of the service accounts. This causes these roles to be unable to start up. Ended up having to chmod 755 and chown all these 15 or so directories, after which the install completed successfully.
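
Added example (not part of the reply above and not Cloudera's code): a read-only check for the symptom that reply describes, listing service directories that are missing, not mode 755, or not owned by their service account. It assumes GNU `stat` and that each directory is owned by an account of the same name; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit service directories for the symptom described in the
# thread (mode 000 and owner root instead of mode 755 and the service account).
# Assumption: each directory is named after the account that should own it.

# selinux_mode: print the current SELinux mode, or "unavailable" when the
# getenforce tool is not installed.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        echo "unavailable"
    fi
}

# audit_service_dirs BASE NAME...
# Prints one line per directory that is missing, not mode 755, or not owned
# by the account NAME. Returns 1 if anything was reported, 0 otherwise.
# Nothing is modified; fixing is left to the administrator.
audit_service_dirs() {
    base=$1
    shift
    bad=0
    for name in "$@"; do
        dir="$base/$name"
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir"
            bad=1
            continue
        fi
        # GNU stat: %a is the octal mode, %U is the owner name
        mode=$(stat -c '%a' "$dir")
        owner=$(stat -c '%U' "$dir")
        if [ "$mode" != "755" ] || [ "$owner" != "$name" ]; then
            echo "MISMATCH $dir mode=$mode owner=$owner (expected 755 $name)"
            bad=1
        fi
    done
    return "$bad"
}

# Usage: sh audit.sh /var/lib hbase hive impala sqoop zookeeper
if [ "$#" -ge 2 ]; then
    echo "SELinux mode: $(selinux_mode)"
    audit_service_dirs "$@"
fi
```

Running it before and after the installation, with SELinux in the mode under test, shows whether the directories were created with the wrong mode or owner without changing anything on disk.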

Explorer

Well, we need to disable SELinux just while installing Cloudera. After that, you can tell your security team to enable it again; your CM will run smoothly.