cyberpanel.sh installer disables SELinux
entirely for the system, after setting it to permissive
settings.
I am not an expert, but I have to wonder, if you guys are setting SEL to ‘permissive’, why not just leave it enabled?
Disabling it causes security problems and makes it that much more impossible to uninstall CyberPanel.
I’ve been making an uninstall script, and while talking to Gemini to investigate what the installer does to the system, I managed to brick my VPS. I can no longer SSH into it.
The reason it stops accepting SSH connections is that my uninstaller undoes the ‘permissive’ setting for SEL, but when it does that, it causes the kernel and the SEL settings to conflict with one another, which makes the machine unreachable.
Can you guys maybe not disable SELinux? It’s a pretty important piece of security software to have running on a Linux machine. I mean, the US government made it and open-sourced it, and the Linux kernel added it to the kernel repo for a reason. It’s like, REALLY freaking important to keep it enabled.
[root@vmi2662026 local]# grep "denied" /var/log/audit/audit.log
the command yields a typical output of something like this:
type=AVC msg=audit(1751202884.643:1616): avc: denied { transition } for pid=7395 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="sda4" ino=51t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1751202884.733:1622): avc: denied { dyntransition } for pid=7399 comm="sshd" scontext=system_u:system_r:kernel_t:s0 tcontext=unctclass=process permissive=0
where permissive=0
indicates the SELinux setting (enforced/not permissive) that conflicts with the state of SELinux (disabled).
Why not to ever disable SEL:
Setting SELinux to “permissive” mode would likely have been sufficient to prevent it from blocking the installer’s operations while still allowing it to log potential issues. The script currently uses
setenforce 0
to immediately put SELinux into permissive mode, and then modifies the configuration file toSELINUX=permissive
. Disabling it entirely (settingSELINUX=disabled
) would prevent it from logging anything and effectively turn off its security features.