How To Disable SELinux?

SELinux or Security Enhanced Linux is a Linux security module provided via the Linux kernel. The SELinux can be used to deny, and restrict the different types of access to processes, ports, networks, etc. The SELinux provides mainly access controls. SELinux is generally installed by enterprise-level Linux distributions like Ubuntu, RedHat, and CentOS and is enabled by default. In this tutorial, we examine how to disable or turn off SELinux temporarily and permanently.

SELinux Modes

Before disabling SELinux we should know the SELinux modes. SELinux provides the following 3 modes where the Disabled is the mode we want to activate.

  • Enforcing mode is the most restrictive mode where every SELinux policy and rule is implemented without exception.
  • Permissive mode is used to log denied actions according to rules and policies but does not deny any actions and only logs.
  • Disabled is the mode where no policy or rule is executed or logged.

Check SELinux Status

Before disabling the SELinux we can print the current configuration of the SELinux. The sestatus command simply displayed SELinux status.

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
SELinux Status

Alternatively, the getenforce command can be also used to print the current SELinux enforcement status.

$ getenforce

Disable SELinux (Temporarily)

The setenforce command is used to change the SELinux mode or status. We can use the setenforce command in order to disable SELinux. The setenforce command requires 0 as parameter to disable SELinux. The setenforce command changes SELinux mode temporarily and this configuration is lost if the system is rebooted.

$ setenforce 0

Disable SELinux (Permanently)

The SELinux configuration is stored in /etc/selinux/config . The configuration file content is like below where the SELINUX line should be set disabled to disable SELinux. This configuration is permanent and event the system reboots the SELinux stays as disabled.

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
Disable SELinux (Permanently)

In order to make the configuration effective reboot the system with the following command.

$ sudo reboot

Leave a Comment