How to Disable SELinux on CentOS and Rocky Linux

Introduction

SELinux is a mandatory access control (MAC) enforcer built into the Linux kernel. It limits the privileges of individual services whose vulnerabilities might threaten the system.

Applications that do not comply with SELinux policies may encounter issues during installation or regular operations. As a last resort to troubleshoot or accommodate specific software requirements, you can consider temporarily disabling SELinux.

Find out how to disable SELinux on CentOS and Rocky Linux.

Prerequisites

Steps for Disabling SELinux on CentOS and Rocky Linux

Linux systems without SELinux rely on the configuration of all its privileged software applications for security. A single misconfiguration may compromise the entire system. Proceed with caution.

Step 1: Check SELinux Status

The SELinux service is enabled by default on most RHEL-based systems. To check the status of SELinux, enter the following command:

sestatus

The example output indicates that SELinux is enabled. The status shows the service is in the enforcing mode.

SELinux may prevent the normal functioning of applications. The service denies access if:

• A file is mislabeled.
• An incompatible application attempts to access restricted files.
• A service is running under the incorrect security policy.
• The system detects an intrusion.

If services are not running correctly, check the SELinux log files. SELinux generates Access Vector Cache (AVC) messages if it needs to deny or audit an operation. AVC messages are logged in the /var/log/audit/audit.log file and labeled as type=AVC.

Step 2: Disable SELinux

You can disable SELinux temporarily, which is recommended for troubleshooting, or permanently, which is discouraged unless absolutely necessary.

Option 1: Disable SELinux Temporarily

Use the following command to disable SELinux temporarily:

sudo setenforce 0

Alternatively, you can use the permissive keyword instead of 0:

sudo setenforce permissive

The command does not provide an immediate output. Check the SELinux status to confirm the current mode:

sestatus

SELinux is now in permissive mode, meaning that the service is active, audits all actions, and logs AVC messages. However, it does not enforce security policies.

The change is active until the next reboot when SELinux returns to its default mode.

Option 2: Disable SELinux Permanently

To disable SELinux permanently:

1. Open the /etc/sysconfig/selinux file using a text editor, for example, Nano:

sudo nano /etc/sysconfig/selinux

2. Locate the SELINUX=enforcing directive in the file and change it to SELINUX=disabled.

3. If using Nano, press Ctrl+X, Y, and then Enter to save the changes and exit the file.

4. For the change to take effect, reboot the system:

sudo shutdown -r now

5. After the reboot, check the service status to confirm SELinux is disabled:

sestatus

The output confirms the SELinux service is disabled. From now on, the system will not load any SELinux policies or log AVC messages.

Conclusion

This guide showed how to check the SELinux status and disable the service on CentOS and Rocky Linux.

Security tools like SELinux or AppArmor are essential for enforcing strict security policies and conducting audits. They are a key component of best practices for managed server hosting.