This tutorial shows you how you can disable SELinux (Security-Enhanced Linux) on your CentOS server. The CentOS version should be 7 or 8. The version does not matter.
What is SELinux?
SELinux is a security mechanism directly controlling by the kernel. It allows administrators and users more control over access controls on access based SELinux policies.
SELinux has three different modes of operation. Here they are:
- Enforcing: Allows access based on SELinux policies and the policy rules.
- Permissive: SELinux only logs actions that would have been denied if running in enforcing mode.
- Disabled: No messages logged and there is no more SELinux policy enabled on the server. Most of the time disabled mode is using web control panels like cPanel and/or Plesk.
Prerequisites
Only the root user or a user with sudo privileges can update SELinux mode.
Check the SELinux Mode
You can make sure about your SELinux status with the “sestatus” command. The print shows that SELinux is enabled and mode set to enforcing.
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
Disabling SELinux
I strongly recommended changing the mode to permissive. Sometimes some of the applications don’t like SELinux and they required to mode disabled.
To permanently change SELinux mode from enforcing to disabled, first of all, you should use your text editor like vi or nano.
Open the /etc/selinux/config file and change the SELINUX value to disabled on the 6th line like below:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Now you can save the file and exit from the text editor. Time to reboot the server:
sudo reboot
Final Control of SELinux Status
Now, we should make sure about SELinux successfully disabled on the server. Run “sestatus” command again, the output should like this:
SELinux status: disabled
Conclusion
Now you can change the SELinux modes which one is suitable for you or you need. SELinux is a security mechanism by implementing mandatory access control (MAC). SELinux comes enforcing mode by default on CentOS7 and CentOS8 system. It can be modifying by editing the configuration file and rebooting the server.
You can access more information about SELinux on their CentOS SELinux pages.