Cyberithub

Best Way to Disable SELinux Temporarily on RedHat/CentOS 7

Advertisements

In this article, I will take you through Best Ways to disable SELinux temporarily on Linux. SELinux is known as Security Enhanced Linux which is integrated with Linux Kernel for implementation for Access Control Mechanism. There are times when you think you need to disable SELinux to accomplish your tasks as it might be blocking some process and not allowing it run.

You have 2 different ways through which you can disable SELinux in your system. Either you can disable temporarily for the current session or you can permanently disable SELinux by changing into the configuration files.

Modes of SELinux

a)Enforcing: In this mode, SELinux will enforce its policies.

b)Permissive: In this mode, SELinux will show warnings but it won't enforce policies.

c)Disabled: In this mode, SELinux will stand in disable mode.

Security Policy of SELinux

a)Targeted: Only targeted processes will be protected under this policy.

b)Minimum: It will only provide protection to selected processes.

c)MLS: It provides multi layer security protection.

Best Way to Disable SELinux Temporarily on RedHat/CentOS 7 1

Disable SELinux on RedHat/CentOS 7

Also Read: 7 Easy Steps to change ssh port number on RedHat/CentOS 7

1. Check if SELinux is Enabled or not using sestatus command

You can check selinux status using sestatus command as shown below. In the below output you can see that SELinux status is showing enabled and SELinux filesystem is mounted on /sys/fs/selinux.

Configuration path can be found under /etc/selinux which is also know as SELinux root directory. Current policy is set to targeted which is the default policy in CentOS or RedHat Based Systems. You can also see the current mode is set to enforcing which allows SELinux to enforce its policies.

[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31

2. Check Current SELinux Policy

You can check current SELinux Policy by using getenforce command as shown below. As you can see from below output, current policy is set to enforcing which means SELinux Policy is getting enforced to System Resources.

[root@localhost ~]# getenforce
Enforcing

3. Check SELinux Config

You can check selinux configuration from /etc/selinux/config file. In this configuration file, you can see two parameter. One is SELINUX which is currently set to disabled state and another is SELINUXTYPE which is currently set to targeted value.

[root@localhost ~]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

4. Disable SELinux Temporarily Using Setenforce Command

If you want to disable SELinux temporarily, then either you can do it through by passing mode name or mode value as parameter through setenforce command. Here we are passing mode name as parameter to setenforce command as shown below. Then we need to check if selinux is enabled or not using sestatus command.

setenforce permissive - Set SELinux status to permissive mode

setenforce enforcing - Set SELinux status to enforcing mode

[root@localhost ~]# setenforce permissive
[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31

Also you can temporarily disable SELinux by another method where you can pass the mode value as parameter instead of mode name as shown below. After that you can run sestatus command to check if SELinux is enabled or not.

setenforce 0 - Set SELinux status to permissive mode

setenforce 1 - Set SELinux Status to Enforcing mode

[root@localhost ~]# setenforce 0
[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31

Another method that can be used to disable SELinux temporarily is by using SELinux Kernel Parameters. You can pass value 0 to /sys/fs/selinux/enforce parameter to remove enforcing mode as shown in below command.

[root@localhost ~]# echo 0 > /sys/fs/selinux/enforce

Then you can again check if SELinux is Enabled or not using sestatus command. Now you can see current mode is set to permissive instead of enforcing.

[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31

 

5. Disable SELinux Permanently Using Configuration File

If you want to disable SELinux permanently then you need to do it through SELinux configuration file. You can generally find configuration file in /etc/selinux path. Here you need to set the value of SELINUX to disabled to permanently disable SELinux.

[root@localhost ~]# vi /etc/selinux/config

SELINUX=disabled

Press Esc. Save and exit by using wq! . Then, Restart Your System using init 6 command as shown below.

[root@localhost ~]# init 6

or, you can also reboot your system using reboot command.

[root@localhost ~]# reboot

Now you can check selinux status again and check if SELinux is Enabled or not.

[root@localhost ~]# sestatus
SELinux status: disabled

 

 

Also Read: 6 ssh authentication methods to secure Connection

Reference: How to Enable/Disable SELinux mode in CentOS 7

Leave a Comment