Security-Enhanced Linux, or SELinux, is a security mechanism built into the Linux kernel and used by RHEL-based distributions.
SELinux adds an extra layer of security to the system by allowing administrators and users to control access to objects based on policy rules.
SELinux policy rules define how processes and users interact with each other, as well as how processes and users interact with files. When there is no rule explicitly allowing access to an object, such as a process opening a file, access is denied.
SELinux has three modes of operation:
- Enforcing: SELinux allows access based on SELinux policy rules.
- Permissive: SELinux only logs actions that would be prohibited if they were enforced. This mode is useful for debugging and creating new policy rules.
- Disabled: SELinux policy is not loaded and no messages are logged.
By default, SELinux is enabled on CentOS 8 and runs in enforcing mode. It is highly recommended to keep SELinux in enforcing mode. However, sometimes it can interfere with the operation of an application, and you need to set it to permissive mode or disable it completely.
In this article, we will explain how to disable SELinux on CentOS 8.
Only the root user or a user with sudo privileges can change SELinux mode.
SELinux mode check
Use the sestatus command to check the status and mode in which SELinux is running:
sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
The output above shows SELinux is enabled and set to enforcing mode.
Changing SELinux Mode to Permissive
When SELinux is enabled, it can be in either enforcing or permissive mode. You can temporarily change the mode from enforcing to permissive with the following command:
sudo setenforce 0
However, this change is only valid for the current runtime session and does not persist across reboots.
To permanently set SELinux mode to permissive, follow these steps:
- Open the file /etc/selinux/config and set SELINUX to permissive:
/etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
- Save the file and run the setenforce 0 command to change the SELinux mode for the current session:
sudo setenforce 0
Disabling SELinux
Instead of disabling SELinux, it is highly recommended to change the mode to permissive. Disable SELinux only when required for your application to function properly.
Follow these steps to permanently disable SELinux on your CentOS 8 system:
- Open the /etc/selinux/config file and change the SELINUX value to disabled:
/etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
- Save the file and reboot the system:
sudo shutdown -r now
- When the system boots, use the sestatus command to make sure SELinux is disabled:
sestatus
The output should look like this:
SELinux status: disabled
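A check for the temporary-versus-permanent distinction described above, as an added example that is not part of the original article: it reads the SELINUX= value a config file sets for the next boot and compares it with the running mode reported by getenforce. The function names and the sample config are constructed for illustration, and the script assumes the first uncommented SELINUX= line is the one that applies.

```shell
#!/bin/sh
# Added example (not from the original article): compare the SELinux mode set
# for the next boot in a config file with the mode the kernel is running in.

# Print the value of the first uncommented SELINUX= line in file $1, lowercased.
# Prints "unset" when the file is missing or holds no valid value.
selinux_config_mode() {
    mode=$(sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" 2>/dev/null |
        head -n 1 | tr '[:upper:]' '[:lower:]')
    case "$mode" in
        enforcing|permissive|disabled) echo "$mode" ;;
        *) echo "unset" ;;
    esac
}

# $1 = mode from the config file, $2 = runtime mode as printed by getenforce.
selinux_drift() {
    cfg=$1
    run=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    if [ "$cfg" = "unset" ]; then
        echo "WARN: no valid SELINUX= line in config, runtime is $run"
    elif [ "$cfg" = "enforcing" ] && [ "$run" = "enforcing" ]; then
        echo "OK: enforcing now and after reboot"
    elif [ "$cfg" = "$run" ]; then
        echo "WARN: $cfg now and after reboot (persistent change)"
    else
        echo "DRIFT: runtime is $run, next boot will be $cfg"
    fi
}

# Constructed sample: the permissive config from the steps above, checked
# against a runtime mode of "Permissive".
sample=$(mktemp)
printf '%s\n' '# SELINUX= can take one of these three values:' \
    'SELINUX=permissive' 'SELINUXTYPE=targeted' > "$sample"
selinux_drift "$(selinux_config_mode "$sample")" "Permissive"
rm -f "$sample"

# On a real host, check the live system (skipped where getenforce is absent).
if command -v getenforce >/dev/null 2>&1; then
    selinux_drift "$(selinux_config_mode /etc/selinux/config)" "$(getenforce)"
fi
```

A DRIFT line after sudo setenforce 0 means the change lasts only until the next reboot; a WARN line means the weaker mode is also written to the config file.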
Conclusion
SELinux is a mechanism that secures the system by implementing Mandatory Access Control (MAC). SELinux is enabled by default on CentOS 8 systems, but it can be disabled by editing the config file and rebooting the system.
If you have any questions or requests, please leave a comment below.