Disable SELinux on CentOS 7 / RHEL 7 / Fedora Linux


I need to disable SELinux on CentOS 7. How can I disable SELinux from the command line over an ssh-based session?

SELinux is an acronym for Security-Enhanced Linux. It is a Linux kernel security feature for access control. For example, with the help of SELinux a sysadmin can determine which Linux server users and apps can access which resources.
SELinux is an implementation of a mandatory access control mechanism in the Linux kernel and was developed by the NSA. This page shows how to disable the SELinux security feature on CentOS, RHEL and Fedora Linux.



How to disable SELinux on a CentOS 7 / RHEL 7 / Fedora Linux

The procedure to remove and disable SELinux security features is as follows:

  1. Log in to your server
  2. Check the current SELinux status, run: sestatus
  3. To disable SELinux on CentOS 7 temporarily, run: sudo setenforce 0
  4. Edit the /etc/selinux/config file and set SELINUX to disabled
  5. Reboot the Linux server
  6. Verify it by running sestatus and getenforce again

Let us see all commands, examples and usage in detail.

How to find out SELinux status on CentOS 7

Run the following sestatus command:
sestatus
[Figure: Check the SELinux status]
Another option is to run the following command to print the current mode of SELinux:
getenforce
Sample outputs:
Enforcing

Another option is to run the following cat command:
cat /etc/selinux/config
Sample outputs:

SELINUX=enforcing
SELINUXTYPE=targeted

Different types of security policy

The /etc/selinux/config file controls the state of SELinux on the system. SELINUX= can take one of these three values:

  • enforcing – SELinux security policy is enforced.
  • permissive – SELinux prints warnings instead of enforcing (enforcement is off, but the policy stays loaded and denials are logged).
  • disabled – No SELinux policy is loaded (disabled).

SELINUXTYPE= can take one of the following:

  • targeted – Targeted processes are protected.
  • minimum – Modification of targeted policy. Only selected processes are protected.
  • mls – Multi Level Security protection.

Warning: The author does not recommend disabling SELinux and is not responsible for security problems on your Linux-based server.

Disable SELinux

You can modify the mode SELinux is running in using the setenforce command. For example, to put SELinux in enforcing mode, run:
sudo setenforce Enforcing
sestatus

To put SELinux in permissive mode, i.e. with enforcement turned off:
sudo setenforce Permissive
sestatus
getenforce

[Figure: How to disable SELinux on CentOS 7]
Please note that this is a temporary solution: it disables SELinux without rebooting the server and is active for the current session only. Hence, use the following method for disabling SELinux forever.

Disabling SELinux permanently

Edit the /etc/selinux/config file, run:
sudo vi /etc/selinux/config
Set SELINUX to disabled:
SELINUX=disabled
Save and close the file in vi/vim. Reboot the Linux system:
sudo reboot
After the reboot, make sure the following commands give Disabled output, indicating that SELinux has been removed and disabled on your Linux server:
getenforce
sestatus
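
The temporary method changes only the runtime mode, while the permanent method changes only what is loaded at the next boot, so the two can disagree. The shell functions below are an added example, not part of the original article, that parse the SELINUX= line and flag such a mismatch; the function names and verdict strings are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): compare the boot-time setting
# in /etc/selinux/config with the runtime mode reported by getenforce.

# Print the SELINUX= value from a config file, lower-cased. Comment lines and
# SELINUXTYPE= are skipped; taking the first assignment is this example's choice.
selinux_config_mode() {
    cfg="${1:-/etc/selinux/config}"
    [ -r "$cfg" ] || { echo "unreadable"; return 1; }
    mode=$(sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$cfg" |
           head -n 1 | tr '[:upper:]' '[:lower:]')
    case "$mode" in
        enforcing|permissive|disabled) echo "$mode" ;;
        *) echo "invalid"; return 1 ;;
    esac
}

# Rank modes by strength so the two sources can be compared.
selinux_rank() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        enforcing) echo 2 ;; permissive) echo 1 ;; disabled) echo 0 ;; *) echo -1 ;;
    esac
}

# Verdict for a (configured, runtime) pair.
selinux_drift() {
    c=$(selinux_rank "$1"); r=$(selinux_rank "$2")
    if [ "$c" -lt 0 ] || [ "$r" -lt 0 ]; then echo "unknown"
    elif [ "$c" -eq 2 ] && [ "$r" -eq 2 ]; then echo "ok"
    elif [ "$r" -lt "$c" ]; then echo "runtime-weaker"       # e.g. after setenforce 0
    elif [ "$r" -gt "$c" ]; then echo "weaker-after-reboot"  # config edited, no reboot yet
    else echo "not-enforcing"                                 # persistently permissive/disabled
    fi
}

# Constructed sample: config says enforcing while getenforce would print Permissive.
selinux_demo() {
    tmp=$(mktemp)
    printf '%s\n' '# constructed sample' 'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$tmp"
    selinux_drift "$(selinux_config_mode "$tmp")" "Permissive"
    rm -f "$tmp"
}

# Live check only on request, so the functions can be sourced and tested offline.
if [ "${1:-}" = "--check" ]; then
    conf=$(selinux_config_mode) || true
    run=$(getenforce 2>/dev/null || echo unknown)
    echo "config=$conf runtime=$run verdict=$(selinux_drift "$conf" "$run")"
fi
```

Saved to a file and run with --check on a host, it prints the configured mode, the runtime mode and the verdict on one line, which makes it easy to include in a periodic audit job.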

[Figure: Disable SELinux and verify it on CentOS 7 or RHEL 7]

Conclusion

This page explained how to disable SELinux running on your CentOS 7, RHEL 7 and Fedora Linux. For more information, see this page here.


Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.

Notable Replies

  1. Why would you want to disable SELinux? True, there is the use case where some kind of installation or other task requires it to be allowed without SELinux. But the warning in this article is not sufficient notice that disabling security features is not a valid administrative tactic. I am waiting for the next article here that explains how to solve common problems SELinux causes. One tip: every selinux user should be familiar with the getsebool -a command.

  2. @ChuckG
    Welcome @ChuckG to nixCraft forum!

    There is no reason to disable SELinux on a local or remote system as it provides an additional layer of system security. Some advantages:

    • All processes and files are labeled. SELinux policy rules define how processes interact with files, as well as how processes interact with each other. Access is only allowed if an SELinux policy rule exists that specifically allows it.

    • Fine-grained access control. Stepping beyond traditional UNIX permissions that are controlled at user discretion and based on Linux user and group IDs, SELinux access decisions are based on all available information, such as an SELinux user, role, type, and, optionally, a security level.

    • SELinux policy is administratively-defined and enforced system-wide.

    • Improved mitigation for privilege escalation attacks. Processes run in domains, and are therefore separated from each other. SELinux policy rules define how processes access files and other processes. If a process is compromised, the attacker only has access to the normal functions of that process, and to files the process has been configured to have access to. For example, if the Apache HTTP Server is compromised, an attacker cannot use that process to read files in user home directories, unless a specific SELinux policy rule was added or configured to allow such access.

    • SELinux can be used to enforce data confidentiality and integrity, as well as protecting processes from untrusted inputs.

    However, SELinux is not:

    • antivirus software,

    • replacement for passwords, firewalls, and other security systems,

    • all-in-one security solution.

    SELinux is designed to enhance existing security solutions, not replace them. Even when running SELinux, it is important to continue to follow good security practices, such as keeping software up-to-date, using hard-to-guess passwords, or firewalls. In short, when in doubt keep it enabled.
