How to Disable SELinux on CentOS and Rocky Linux

November 27, 2024

Introduction

SELinux is a mandatory access control (MAC) enforcer built into the Linux kernel. It limits the privileges of individual services whose vulnerabilities might threaten the system.

Applications that do not comply with SELinux policies may encounter issues during installation or regular operations. As a last resort to troubleshoot or accommodate specific software requirements, you can consider temporarily disabling SELinux.

Find out how to disable SELinux on CentOS and Rocky Linux.

Prerequisites

Steps for Disabling SELinux on CentOS and Rocky Linux

Linux systems without SELinux rely on the configuration of all their privileged software applications for security. A single misconfiguration may compromise the entire system. Proceed with caution.

Step 1: Check SELinux Status

The SELinux service is enabled by default on most RHEL-based systems. To check the status of SELinux, enter the following command:

sestatus

The example output indicates that SELinux is enabled. The status shows the service is in the enforcing mode.

SELinux may prevent the normal functioning of applications. The service denies access if:

  • A file is mislabeled.
  • An incompatible application attempts to access restricted files.
  • A service is running under the incorrect security policy.
  • The system detects an intrusion.

If services are not running correctly, check the SELinux log files. SELinux generates Access Vector Cache (AVC) messages if it needs to deny or audit an operation. AVC messages are logged in the /var/log/audit/audit.log file and labeled as type=AVC.

Note: If no audit logs are available, check the /var/log/messages file, which is used when the auditd daemon is not running.
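
The AVC records described above can be summarized before deciding to change the SELinux mode. The following is an added example, not part of the original article: a POSIX shell function (the name summarize_avc and the sample records are constructed for illustration) that groups type=AVC denials by process, source type, target type, class, and permission, and shows whether each one was blocked or only logged.

```shell
# Constructed sample records in audit.log format (not taken from a real host).
SAMPLE_AVC_LOG='type=AVC msg=audit(1732700000.101:411): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1732700000.101:411): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1732700005.220:415): avc:  denied  { read } for  pid=2102 comm="httpd" name="about.html" dev="dm-0" ino=9002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1732700300.007:502): avc:  denied  { name_bind } for  pid=2300 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1'

# summarize_avc [FILE]: read audit records from FILE or stdin and print one line
# per distinct denial: count, comm, source type, target type, class, permissions,
# and whether it was blocked (permissive=0) or only logged (permissive=1).
summarize_avc() {
  awk '
    # Return the value of key=value from the current record, quotes stripped.
    function field(key,    i, kv) {
      for (i = 1; i <= NF; i++) {
        if (index($i, key "=") == 1) {
          kv = substr($i, length(key) + 2)
          gsub(/"/, "", kv)
          return kv
        }
      }
      return "?"
    }
    # The SELinux type is the third colon-separated part of a context.
    function setype(ctx,    p) { split(ctx, p, ":"); return p[3] }
    $1 == "type=AVC" && /avc:[ ]+denied/ {
      perms = $0
      sub(/^[^{]*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
      gsub(/ /, ",", perms)
      effect = (field("permissive") == "1") ? "logged-only" : "blocked"
      sig = field("comm") " " setype(field("scontext")) " " setype(field("tcontext"))
      sig = sig " " field("tclass") " " perms " " effect
      count[sig]++
    }
    END { for (s in count) print count[s], s }
  ' "$@" | sort -k1,1nr -k2
}

# Example: summarize_avc /var/log/audit/audit.log (needs root), or the sample:
printf '%s\n' "$SAMPLE_AVC_LOG" | summarize_avc
```

A repeated denial with one source and target type, such as httpd_t reading user_home_t in the sample, usually points to a mislabeled file rather than a reason to turn enforcement off. The parser splits on whitespace, so a comm value containing spaces is truncated at the first space.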

Step 2: Disable SELinux

You can disable SELinux temporarily, which is recommended for troubleshooting, or permanently, which is discouraged unless absolutely necessary.

Option 1: Disable SELinux Temporarily

Use the following command to disable SELinux temporarily:

sudo setenforce 0

Alternatively, you can use the permissive keyword instead of 0:

sudo setenforce permissive

The command does not provide an immediate output. Check the SELinux status to confirm the current mode:

sestatus

SELinux is now in permissive mode: the service is active, audits actions, and logs AVC messages for operations the policy would deny, but it does not enforce security policies.

The change stays active until the next reboot, when SELinux returns to its default mode.

Option 2: Disable SELinux Permanently

Warning: Switching to permissive mode is the preferred approach. Permanently disabling SELinux poses a risk to system security and is generally discouraged.

To disable SELinux permanently:

1. Open the /etc/sysconfig/selinux file using a text editor, for example, Nano:

sudo nano /etc/sysconfig/selinux

2. Locate the SELINUX=enforcing directive in the file and change it to SELINUX=disabled.

3. If using Nano, press Ctrl+X, Y, and then Enter to save the changes and exit the file.

4. For the change to take effect, reboot the system:

sudo shutdown -r now

5. After the reboot, check the service status to confirm SELinux is disabled:

sestatus

The output confirms the SELinux service is disabled. From now on, the system will not load any SELinux policies or log AVC messages.

Conclusion

This guide showed how to check the SELinux status and disable the service on CentOS and Rocky Linux.

Security tools like SELinux or AppArmor are essential for enforcing strict security policies and conducting audits. They are a key component of best practices for managed server hosting.

Vladimir Kaplarevic