How to Disable or Enable SELinux on CentOS / Fedora / RHEL

Oct 16, 2015 Linux, Security

SELinux (Security Enhanced Linux) is an additional method of Linux system protection. It is a set of security contexts that determine which processes can access which files, directories, ports, etc.

SELinux has three modes:
Enforcing: SELinux protects files, directories, ports against unauthorized access and logs all SELinux events and attempts.
Permissive: SELinux allows all interactions and context violations and logs them. Permissive mode is often used for troubleshooting SELinux.
Disabled: SELinux is completely disabled.

SELinux in Enforcing mode may cause problems accessing files or ports on the system, which is why it is good to know how to change its mode or even disable it.

In this article we will show you how to enable or disable SELinux and how to change its mode.

Checking SELinux status

Log in as any user and run one of the following commands:

[tuxfixer@tuxfixer ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 29
[tuxfixer@tuxfixer ~]$ getenforce
Enforcing

Disabling SELinux permanently

To disable SELinux permanently (persistent after reboot), log in as root and edit the /etc/sysconfig/selinux file:

[root@tuxfixer ~]# vim /etc/sysconfig/selinux

Change SELINUX value to disabled:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Reboot the system for the changes to take effect:

[root@tuxfixer ~]# reboot

Note: Disabled is the only SELinux mode that can’t be switched temporarily on a running system. You have to reboot the system to set Disabled mode or to get back from Disabled to Enforcing or Permissive mode.

Setting SELinux Permissive mode temporarily

If you have trouble with Enforcing mode, you don’t have to disable SELinux immediately; you can temporarily switch to Permissive mode for troubleshooting.

To switch to SELinux Permissive mode temporarily (until the next reboot or the next change), log in as root and execute the command:

[root@tuxfixer ~]# setenforce Permissive

Verify the current mode:

[root@tuxfixer ~]# getenforce
Permissive

Setting SELinux Permissive mode permanently

To switch to SELinux Permissive mode permanently (persistent after reboot), log in as root and edit the /etc/sysconfig/selinux file:

[root@tuxfixer ~]# vim /etc/sysconfig/selinux

Change SELINUX value to permissive:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Reboot the system for the changes to take effect:

[root@tuxfixer ~]# reboot

Setting SELinux Enforcing mode temporarily

To switch to SELinux Enforcing mode temporarily (until the next reboot or the next change), log in as root and execute the command:

[root@tuxfixer ~]# setenforce Enforcing

Verify the current mode:

[root@tuxfixer ~]# getenforce
Enforcing

Setting SELinux Enforcing mode permanently

To switch to SELinux Enforcing mode permanently (persistent after reboot), log in as root and edit the /etc/sysconfig/selinux file:

[root@tuxfixer ~]# vim /etc/sysconfig/selinux

Change SELINUX value to enforcing:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Reboot the system for the changes to take effect:

[root@tuxfixer ~]# reboot
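
Because setenforce changes only the running system while /etc/sysconfig/selinux is applied at boot, the two can disagree, for example when a host is left in Permissive mode after troubleshooting. The script below is an added example, not part of the original article; the function names configured_mode and selinux_drift and the result labels are made up for illustration, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): detect a mismatch between
# the persistent mode in the config file and the runtime mode.
# Function names and result labels are hypothetical.

# Print the SELINUX= value from a config file in lower case.
# Comment lines and SELINUXTYPE= do not match the pattern.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# $1 = config file, $2 = runtime mode as printed by getenforce.
selinux_drift() {
    cfg=$(configured_mode "$1")
    run=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$cfg" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid-config"; return 0 ;;
    esac
    case "$run" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid-runtime"; return 0 ;;
    esac
    if [ "$cfg" = "$run" ]; then
        echo "consistent"
    elif [ "$cfg" = disabled ] || [ "$run" = disabled ]; then
        # Disabled cannot be entered or left without a reboot.
        echo "reboot-pending"
    elif [ "$run" = permissive ]; then
        # Config says enforcing, but setenforce Permissive is still in effect.
        echo "temporarily-weakened"
    else
        # Config says permissive, runtime was raised with setenforce Enforcing.
        echo "temporarily-enforcing"
    fi
}

# Constructed sample input: enforcing on disk, Permissive at runtime.
sample=$(mktemp)
printf '%s\n' '# SELINUX= can take one of these three values:' \
    'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$sample"
echo "drift: $(selinux_drift "$sample" Permissive)"
rm -f "$sample"

# On a live host:
#   selinux_drift /etc/sysconfig/selinux "$(getenforce)"
```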
