SELinux which is known as Security-Enhanced Linux, is a security feature embedded in the Linux kernel. It prevents from performing unauthorized tasks on the Linux system and add an additional security layer. This guide will help you to disable SELinux on CentOS 8.
SELinux policy rules defines that how the users interact with each other, processes and user interactaction with files. When there is no rule explicitly allowing access to an object, such as for a process opening a file, access is denied.
SELinux has three different operation modes:
- Enforcing – It enforces default policies on the system and allows access based on SELinux policy rules.
- Permissive – In this mode, policies will not be enforce. Only logs actions which violates when running in enforcing mode.
- Disabled – This implies that SELinux is turn off. It will not load any policy not log messages.
By default, SELinux is enabled and in enforcing mode in CentOS 8. Usually, it’s recommend to keep it enable for security purpose. However, in some cases, you may be require to disable it or turn it off.
Prerequisites
You must login as a root user or a user with sudo privileges to change the SELinux mode.
Check SELinux status
First of all, check the status and the mode in which SELinux is running. Use sestatus and run below command:
sestatus
SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 31
The above output shows that SELinux is enabled by default and in enforcing mode.
Disable SELinux (Temporarily)
You can temporarily disable SELinux or change mode from targeted to permissive using below command:
sudo setenforce 0
Keep in mind that this changes will remain only for current session only. On reboot it will be reverted as it was.
You can permanently set the SELinux mode to permissive by performing below steps:
Open the /etc/selinux/config file and set the SELINUX mod to permissive:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targetedSave file and run the setenforce 0 command to change the SELinux mode for the current session:
Disable SELinux (Permanently)
Follow the steps given below to disable SELinux on your CentOS 8 system permanently:
Open the /etc/selinux/config file and change the SELINUX value to disabled:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targetedSave the file and reboot the system:
sudo shutdown -r now
After that, verify the SELinux status by running below command:
sestatus
It should show output as below:
SELinux status: disabled
Conclusion
SELinux an additional layer of security by implementing policies that restrict users on what they can do on a system. However, it is not recommended to disable SELinux on CentOS 8 but you can change the mode to permissive.
If you have any question or suggestion, feel free to comment below.
Leave a Reply