In this article, I will take you through the best ways to disable SELinux temporarily on Linux. SELinux (Security-Enhanced Linux) is integrated into the Linux kernel and implements an access control mechanism. There are times when you think you need to disable SELinux to get a task done because it may be blocking a process and not allowing it to run.
There are two ways to disable SELinux on your system: temporarily, for the current session, or permanently, by changing the configuration file.
Modes of SELinux
a) Enforcing: In this mode, SELinux will enforce its policies.
b) Permissive: In this mode, SELinux will show warnings but it won't enforce policies.
c) Disabled: In this mode, SELinux is disabled and no policy is loaded.
Security Policy of SELinux
a) Targeted: Only targeted processes will be protected under this policy.
b) Minimum: It will only provide protection to selected processes.
c) MLS: It provides Multi Level Security protection.
Disable SELinux on RedHat/CentOS 7
1. Check if SELinux is Enabled or not using sestatus command
You can check the SELinux status using the sestatus command as shown below. In the output below you can see that the SELinux status is enabled and the SELinux filesystem is mounted on /sys/fs/selinux.
The configuration path is /etc/selinux, which is also known as the SELinux root directory. The current policy is set to targeted, which is the default policy on CentOS and RedHat based systems. You can also see that the current mode is set to enforcing, which allows SELinux to enforce its policies.
[root@localhost ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
2. Check Current SELinux Mode
You can check the current SELinux mode by using the getenforce command as shown below. As you can see from the output below, the current mode is set to enforcing, which means the SELinux policy is being enforced on system resources.
[root@localhost ~]# getenforce
Enforcing
3. Check SELinux Config
You can check the SELinux configuration in the /etc/selinux/config file. In this configuration file, you can see two parameters. One is SELINUX, which is currently set to disabled, and the other is SELINUXTYPE, which is currently set to targeted.
[root@localhost ~]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
4. Disable SELinux Temporarily Using Setenforce Command
If you want to disable SELinux temporarily, you can pass either the mode name or the mode value as a parameter to the setenforce command. This switches the running system to permissive mode only: sestatus still reports the SELinux status as enabled, and the mode from the config file applies again after a reboot. Here we pass the mode name to the setenforce command as shown below and then check the result using the sestatus command.
setenforce permissive - Set SELinux status to permissive mode
setenforce enforcing - Set SELinux status to enforcing mode
[root@localhost ~]# setenforce permissive
[root@localhost ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
You can also temporarily disable SELinux by passing the mode value as the parameter instead of the mode name, as shown below. After that you can run the sestatus command to check the result.
setenforce 0 - Set SELinux status to permissive mode
setenforce 1 - Set SELinux status to enforcing mode
[root@localhost ~]# setenforce 0
[root@localhost ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
Another method that can be used to disable SELinux temporarily is to write to the SELinux filesystem mounted on /sys/fs/selinux. You can write the value 0 to /sys/fs/selinux/enforce to leave enforcing mode, as shown in the command below.
[root@localhost ~]# echo 0 > /sys/fs/selinux/enforce
Then you can check again whether SELinux is enabled or not using the sestatus command. Now you can see that the current mode is set to permissive instead of enforcing.
[root@localhost ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
5. Disable SELinux Permanently Using Configuration File
If you want to disable SELinux permanently, you need to do it through the SELinux configuration file. You can generally find the configuration file under the /etc/selinux path. Here you need to set the value of SELINUX to disabled to permanently disable SELinux.
[root@localhost ~]# vi /etc/selinux/config
SELINUX=disabled
Press Esc, then save and exit using :wq!. Then restart your system using the init 6 command as shown below.
[root@localhost ~]# init 6
Or, you can also reboot your system using the reboot command.
[root@localhost ~]# reboot
Now you can check the SELinux status again to see whether SELinux is enabled or not.
[root@localhost ~]# sestatus
SELinux status:                 disabled
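The sestatus output above shows "Current mode: permissive" next to "Mode from config file: enforcing" after a temporary change, and "SELinux status: disabled" after the permanent one. The following script is an added example, not part of the original article, that tells these states apart from sestatus output and config file contents; the function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): classify SELinux state from
# sestatus output and /etc/selinux/config contents. Function names are ours.

# Print the value of one sestatus field, e.g. "Current mode".
sestatus_field() {   # $1 = field label, stdin = sestatus output
    awk -F': *' -v key="$1" '$1 == key { sub(/[ \t]+$/, "", $2); print $2; exit }'
}

# Print the SELINUX= value from config text; commented lines are ignored.
config_mode() {      # stdin = contents of /etc/selinux/config
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' | tail -n 1
}

# Print one of: ok, runtime-permissive, config-weakened, disabled.
selinux_drift() {    # $1 = sestatus text, $2 = config file text
    status=$(printf '%s\n' "$1" | sestatus_field "SELinux status")
    current=$(printf '%s\n' "$1" | sestatus_field "Current mode")
    configured=$(printf '%s\n' "$2" | config_mode)
    if [ "$status" = "disabled" ]; then
        echo disabled              # no policy loaded at all
    elif [ "$configured" != "enforcing" ]; then
        echo config-weakened       # will not enforce after the next reboot
    elif [ "$current" != "enforcing" ]; then
        echo runtime-permissive    # setenforce 0 or echo 0 > /sys/fs/selinux/enforce
    else
        echo ok
    fi
}

# Constructed sample input, modelled on the sestatus output after "setenforce 0".
SAMPLE_STATUS='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing'

# Constructed sample config with the default enforcing setting.
SAMPLE_CONFIG='# SELINUX= can take one of these three values:
SELINUX=enforcing
SELINUXTYPE=targeted'

selinux_drift "$SAMPLE_STATUS" "$SAMPLE_CONFIG"   # prints: runtime-permissive
```

On a real host, call it as selinux_drift "$(sestatus)" "$(cat /etc/selinux/config)".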