Introduction

SELinux is a mandatory access control (MAC) enforcer built into the Linux kernel. It limits the privileges of individual services whose vulnerabilities might be a threat to the system.

CentOS systems without SELinux rely on the configuration of all its privileged software applications. A single misconfiguration may compromise the entire system. By following this how-to guide, you will learn how to disable SELinux on CentOS 7.

Why Disable SELinux?

Not all applications support SELinux; thus it can terminate necessary processes during regular use and installation of software packages. In those cases, it is advised to turn off SELinux.

how to disable selinux on centos7

Prerequisites

  • Access to a user account with sudo privileges
  • Access to a terminal/console
  • An RHEL-based system, such as CentOS 7
  • A text editor, such as nano or vim

Steps for Disabling SELinux on CentOS

Step 1: Check SELinux Status

The SELinux service is enabled by default on CentOS and most other RHEL-based systems. However, this might not be the case for your system.

Start by checking the status of SELinux on your system with the command:

sestatus 

The example output below indicates that SELinux is enabled. The status shows the service is in enforcing mode.

output example of the status of SELinux

SELinux may prevent the normal functioning of applications. The service denies access if:

  • A file is mislabeled
  • An incompatible application attempts to access a forbidden file
  • A service is running under the incorrect security policy
  • An intrusion is detected

If you notice that services are not running normally, check SELinux log files. The logs are in /var/log/audit/audit.log. Most common log messages are labeled with “AVC.” If you can’t find any logs, try looking in /var/log/messages. The system writes logs in that file if the auditd daemon is not running.

Step 2: Disable SELinux

Option 1: Disable SELinux Temporarily

To temporarily disable SELinux, type in the following command in the terminal:

sudo setenforce 0

In sudo setenforce 0 instead of 0 you can use permissive.

This command changes SELinux mode from targeted to permissive.

changing from targeted to permissive mode

In permissive mode, the service is active and audits all actions. However, it does not enforce any security policies. The system logs AVC messages.

The change is only active until the next reboot. To turn off SELinux permanently, refer to the next section of the article.

Option 2: Disable SELinux Permanently

To disable the service permanently, use a text editor (e.g., vim and nano) to edit the /etc/sysconfig/selinux file as instructed below.

1. Open the /etc/sysconfig/selinux file. We will be using vim. If you are unfamiliar with text editors, refer to our instructional guide on how to use vim. Use the following command to open the file:

sudo vi /etc/sysconfig/selinux

2. Edit the SELINUX=enforcing directive. Please change it to SELINUX=disabled.

Editing the SELINUX directive to disable

3. Save the edited file.

Reboot CentOS to Save Changes

For the change to take effect, you need to reboot the system with the command:

sudo shutdown -r now

After you reboot, check the service status to confirm it is disabled with the command:

sestatus

 

Editing the SELINUX directive to disable

The status should be “disabled” as seen in the image above. The system will not load any SELinux policies or write any AVC logs.

Conclusion

By following this article, you should have been able to check SELinux status and disable the service on CentOS 7. Be cautious when permanently disabling the service. In general, the advised option is to switch to permissive mode.

To read more about SELinux, please refer to the official CentOS Wiki.