
Why I do need to turn off SElinux?


New Contributor

Hello all,

I am planning to install Cloudera Manager, and I have received a question from the security sector about SELinux, because in my demand I asked to disable SELinux based on installation issues. I just want to know: why do I need to turn off/disable SELinux?

In my understanding, its architecture strives to separate enforcement of security decisions from the security policy itself, and streamlines the amount of software involved with security policy enforcement. If SELinux is a part of the kernel and a security implementation, maybe disabling it could cause a security breach? Besides knowing why, I'd like to know if there is a way to keep SELinux and install Cloudera.

I am thankful for your help with these philosophical questions.

Accepted Solutions

Re: Why I do need to turn off SElinux?

Champion

@wchagas

One common reason to disable the firewall is that, as we know, HDFS maintains replication across different nodes/racks, but it shouldn't take any extra time for that. Setting up a firewall using SELinux may disturb this or lead to performance issues. So the general recommendation is to disable the firewall. But I believe in some cases users are still using Hadoop with a firewall for security reasons (if the business really demands it).

Regarding your question about security, you can follow the other recommended security measures like Kerberos, Sentry, etc. (depending on your needs).

Re: Why I do need to turn off SElinux?

Champion
It is an issue with the installation. I don't know precisely what the issue is, though. You can disable it, or set it to permissive, complete the installation, and then revert it back. I have always just kept it off, but presumably, you would need to repeat this for each upgrade.

Re: Why I do need to turn off SElinux?

Expert Contributor

During install, if SELinux is enabled, then apparently the Hadoop directories created in /var/lib like hbase, hive, impala, sqoop, zookeeper etc. seem to have all the permissions set as 000 instead of 755 and are also owned by root instead of the service accounts. This causes these roles to be unable to start up. Ended up having to chmod 755 and chown all these 15 or so directories, after which the install completed successfully.
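
A check for the symptom described in the reply above, added here as an example and not part of the original post or of Cloudera's tooling. It reports service directories whose mode is not 755 or whose owner is not the expected account, so the state can be verified after an install or upgrade with SELinux left enabled. The function name and the `directory:owner` pairs passed to it are assumptions; substitute the accounts your installation actually uses.

```bash
#!/bin/sh
# Added example: audit service directories for the "mode 000, owned by root"
# symptom. Uses GNU stat (Linux). Read-only: it changes nothing on disk.
#
# audit_service_dirs BASE DIR:OWNER [DIR:OWNER ...]
#   BASE       parent directory, e.g. /var/lib
#   DIR:OWNER  directory name and the account expected to own it (assumption:
#              you supply the mapping; it is not discovered automatically)
# Prints one line per finding. Returns 0 if everything matches, 1 otherwise.
audit_service_dirs() {
    base=$1
    shift
    rc=0
    for spec in "$@"; do
        dir=${spec%%:*}      # text before the first colon
        want=${spec#*:}      # text after the first colon
        path="$base/$dir"
        if [ ! -d "$path" ]; then
            echo "$path missing"
            rc=1
            continue
        fi
        mode=$(stat -c %a "$path")    # octal permission bits, e.g. 755 or 0
        owner=$(stat -c %U "$path")   # owning user name
        if [ "$mode" != "755" ] || [ "$owner" != "$want" ]; then
            echo "$path mode=$mode owner=$owner expected=755/$want"
            rc=1
        fi
    done
    return "$rc"
}

# Example invocation (hypothetical account names, shown as a comment so that
# sourcing this file has no side effects):
#   audit_service_dirs /var/lib hbase:hbase hive:hive zookeeper:zookeeper
```

A non-zero return with lines such as `mode=0 owner=root` matches the state described in the reply.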

Re: Why I do need to turn off SElinux?

New Contributor

Well, we need to disable SELinux just while installing Cloudera; after that you can tell your security team to enable it again. Your CM will run smoothly.