SELinux, also known as Security-Enhanced Linux, is a security feature embedded in the Linux kernel. SELinux leverages Mandatory Access controls (MAC) to confine users to certain rules and policies and prevents them from performing unauthorized tasks on the Linux system as specified by the IT administrator. SELinux comes in 3 different modes:
Enforcing – This is SELinux’s default installation at Installation. It enforces default policies on the system, logs actions, and denies access to some services.
Permissive – In this mode, policies will not be enforced, but violations will be logged and a warning triggered.
Disabled – As the name suggests, this implies that SELinux is turned off and security polices will no longer protect the server.
In this topic, you will learn how to disable SELinux temporarily and later permanently on CentOS 8 Linux.
How to temporarily disable SELinux on RHEL 8 / CentOS 8
Before you start disabling SELinux on CentOS 8, it’s prudent that you first check the status of SELinux.
To do so, run the command:
# sestatus
Example output:
SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 31
The output above shows that SELinux is enabled and set to enforcing mode.
To temporarily disable SELinux run the command.
# setenforce 0
Also, you can run the command.
# setenforce Permissive
However, this change is valid for the current runtime session only and do not persist between reboots.
How to permanently disable SELinux on RHEL 8 / CentOS 8
Instead of disabling SELinux, it is strongly recommended to change the mode to permissive. Disable SELinux only when required for the proper functioning of your application.
Perform the steps below to disable SELinux on your CentOS 8 system permanently:
Open the /etc/selinux/config file:
# vi /etc/selinux/config
and set the SELinux attribute to disabled as shown below:
SELINUX=disabled
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Save the file and reboot the system:
# sudo shutdown -r now
When the system is booted, use the sestatus command to verify that SELinux has been disabled:
# sestatus
The output should look like this:
SELinux status: disabled
Conclusion
SELinux is a very crucial feature on CentOS 8 and helps in restricting unauthorized users from accessing certain services on the system.
In this guide, we demonstrated how you can disable SELinux on CentOS 8. Ideally, it’s always recommended to keep SELinux enabled with the exception of instances where you are configuring services that require SELinux to be disabled.
To learn more about the powerful features of SELinux, visit the CentOS SELinux guide.
If you have any questions or feedback, please leave a comment below.
See also: How to Disable SELinux on CentOS 7