Security Enhanced Linux is a Linux security module provided via the Linux kernel. The SELinux can be used to deny, and restrict the different types of access to processes, ports, networks, etc. The SELinux provides mainly access controls. SELinux is generally installed by enterprise-level Linux distributions like Ubuntu, RedHat, and CentOS and is enabled by default. In this tutorial, we examine how to disable or turn off SELinux temporarily and permanently.
Before disabling SELinux we should know the SELinux modes. SELinux provides the following 3 modes where the
Disabled is the mode we want to activate.
- Enforcing mode is the most restrictive mode where every SELinux policy and rule is implemented without exception.
- Permissive mode is used to log denied actions according to rules and policies but does not deny any actions and only logs.
- Disabled is the mode where no policy or rule is executed or logged.
Check SELinux Status
Before disabling the SELinux we can print the current configuration of the SELinux. The
sestatus command simply displayed SELinux status.
SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33
getenforce command can be also used to print the current SELinux enforcement status.
Disable SELinux (Temporarily)
setenforce command is used to change the SELinux mode or status. We can use the setenforce command in order to disable SELinux. The setenforce command requires 0 as parameter to disable SELinux. The setenforce command changes SELinux mode temporarily and this configuration is lost if the system is rebooted.
$ setenforce 0
Disable SELinux (Permanently)
The SELinux configuration is stored in
/etc/selinux/config . The configuration file content is like below where the SELINUX line should be set
disabled to disable SELinux. This configuration is permanent and event the system reboots the SELinux stays as disabled.
# This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=disabled # SELINUXTYPE= can take one of these three values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted
In order to make the configuration effective reboot the system with the following command.
$ sudo reboot