Disable SELinux In Centos7/CentOS8

Disable SELinux In Centos7/CentOS8

by

RHEL and CentOS operating systems provide the SELinux security feature by default. The SELinux is enabled by default but in some cases, we may need to disable SELinux. This tutorial explains how to disable CentOS7, CentOS8, and RHEL SELinux.

SELinux Modes

Before disabling SELinux for CentOS we should know the SELinux modes. SELinux provides the following 3 modes where the Disabled is the mode we want to activate.

  • Enforcing mode is the most restrictive mode where every SELinux policy and rule is implemented without exception.
  • Permissive mode is used to log denied actions according to rules and policies but does not deny any actions and only logs.
  • Disabled is the mode where no policy or rule is executed or logged.

Check SELinux Status In CentOS

Before disabling the SELinux for CentOS we can print the current configuration of the SELinux. The sestatus command simply displayed SELinux status. The sestatus command provides a lot of details about the SELinux status like status, mount point, root directory, current mode, policy MLS status, memory protection checking, and max kernel policy version.

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
SELinux Status

Alternatively, the getenforce command can be also used to print the current SELinux enforcement status for the CentOS and RHEL.

$ getenforce

Disable SELinux In CentOS (Temporarily)

The setenforce command is used to change the SELinux mode or status in CentOS. We can use the setenforce command in order to disable SELinux. The setenforce command requires 0 as parameter to disable SELinux. The setenforce command changes SELinux mode temporarily and this configuration is lost if the system is rebooted.

$ setenforce 0

Disable SELinux In CentOS (Permanently)

The SELinux configuration is stored in /etc/selinux/config . The configuration file content is like below where the SELINUX line should be set disabled to disable SELinux. This configuration is permanent and event the system reboots the SELinux stays as disabled.

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Disable SELinux (Permanently)

In order to make the configuration effective reboot the system with the following command.

$ sudo reboot

Leave a Comment