Introduction
SELinux is a mandatory access control (MAC) enforcer built into the Linux kernel. It limits the privileges of individual services whose vulnerabilities might threaten the system.
Applications that do not comply with SELinux policies may encounter issues during installation or regular operations. As a last resort to troubleshoot or accommodate specific software requirements, you can consider temporarily disabling SELinux.
Find out how to disable SELinux on CentOS and Rocky Linux.
Prerequisites
- An RHEL-based system, like CentOS or Rocky Linux.
- Access to a terminal/command line.
- Access to a user account with sudo privileges.
- A text editor.
Steps for Disabling SELinux on CentOS and Rocky Linux
Linux systems without SELinux rely on the configuration of all its privileged software applications for security. A single misconfiguration may compromise the entire system. Proceed with caution.
Step 1: Check SELinux Status
The SELinux service is enabled by default on most RHEL-based systems. To check the status of SELinux, enter the following command:
sestatus
The example output indicates that SELinux is enabled. The status shows the service is in the enforcing mode.
SELinux may prevent the normal functioning of applications. The service denies access if:
- A file is mislabeled.
- An incompatible application attempts to access restricted files.
- A service is running under the incorrect security policy.
- The system detects an intrusion.
If services are not running correctly, check the SELinux log files. SELinux generates Access Vector Cache (AVC) messages if it needs to deny or audit an operation. AVC messages are logged in the /var/log/audit/audit.log file and labeled as type=AVC
.
Note: If no audit logs are available, check the /var/log/messages file, which is used when the auditd daemon is not running.
Step 2: Disable SELinux
You can disable SELinux temporarily, which is recommended for troubleshooting, or permanently, which is discouraged unless absolutely necessary.
Option 1: Disable SELinux Temporarily
Use the following command to disable SELinux temporarily:
sudo setenforce 0
Alternatively, you can use the permissive
keyword instead of 0
:
sudo setenforce permissive
The command does not provide an immediate output. Check the SELinux status to confirm the current mode:
sestatus
SELinux is now in permissive mode, meaning that the service is active, audits all actions, and logs AVC messages. However, it does not enforce security policies.
The change is active until the next reboot when SELinux returns to its default mode.
Option 2: Disable SELinux Permanently
Warning: Switching to permissive mode is the preferred approach. Permanently disabling SELinux poses a risk to system security and is generally discouraged.
To disable SELinux permanently:
1. Open the /etc/sysconfig/selinux file using a text editor, for example, Nano:
sudo nano /etc/sysconfig/selinux
2. Locate the SELINUX=enforcing directive in the file and change it to SELINUX=disabled.
3. If using Nano, press Ctrl+X, Y, and then Enter to save the changes and exit the file.
4. For the change to take effect, reboot the system:
sudo shutdown -r now
5. After the reboot, check the service status to confirm SELinux is disabled:
sestatus
The output confirms the SELinux service is disabled. From now on, the system will not load any SELinux policies or log AVC messages.
Conclusion
This guide showed how to check the SELinux status and disable the service on CentOS and Rocky Linux.
Security tools like SELinux or AppArmor are essential for enforcing strict security policies and conducting audits. They are a key component of best practices for managed server hosting.