blog/ posts/ 1st thing to do if running a fresh CentOS installation
Manage VirtualBox machines from CLI | posts | Portage exclude hardware specific system setting

Q; What should be the first step if running a fresh installed RHEL or CentOS system?

A: It depends. It depends on the running environment.

The corrected question should be then:

Q: What should be the first step if running a fresh installed RHEL or CentOS system in a network lab environment?

A: To disable AppArmor, SELinux, or look for other per default enabled system security applications.

To display SELinux status use sestatus command:

user % sestatus

SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 31

Verify the current system configuration in file /etc/selinux/config

root # grep enforc /etc/selinux/config SELINUX=enaforcing

To change this setting to disabled run this command as root:

root # sed -i 's|=enforcing|=disabled|' /etc/selinux/config

Verify the changed file:

root # grep =disa /etc/selinux/config SELINUX=disabled

Verify the Mode from config file: output has changed to disabled

root # sestatus

SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: disabled Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 31

Now use change the setenforce 0 command and verify with sestatus command:

root # setenforce 0
root # sestatus

SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: permissive Mode from config file: disabled Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 31

The Current mode: has changed permissive. Now reboot the node.

root # reboot

And display the current sestatus again:

root # sestatus SELinux status: disabled

It is a constant pattern that has been observed over the last decade and YES, haha, it has been already there SELinux and CentOS! But there is more of it, check the firewalld

root # firewall-cmd --list-all

============== public (active) target: default icmp-block-inversion: no interfaces: ena3 sources: services: ssh dhcpv6-client https ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:

If the firewalld daemon should be stopped and disabled, use the following 2 commands:

root # systemctl stop firewalld
root # systemctl disable firewalld

Firewalld is not enabled by default at this time. Not yet. It might be just a matter of time.

Just to set things into the right perspective: The default setting is correct, there is no discussion about that. But this is what I discover sometimes if dealing with a CentOS/RHEL fresh installed system, when things configured, do not work as expected. And now you also have found out, the correct question for this blog entry should have been:

Q: What should be the first step, if running a fresh installed RHEL or CentOS system in a network lab environment, and you expect all things to run out of the box?

But then, the filename of the blog post would have been incredibly long.