Disable SELinux on CentOS 7 or CentOS 8

Posted on by

This tutorial shows you how you can disable SELinux (Security-Enhanced Linux) on your CentOS server. The CentOS version should be 7 or 8. Version does not matter.

What is SELinux?

SELinux is a security mechanism directly controlling by the kernel. It allows administrators and users more control over access controls on access based SELinux policies.

SELinux has three different modes of operation. Here they are:

  1. Enforcing: Allows access based on SELinux policies and the policy rules.
  2. Permissive: SELinux only logs actions that would have been denied if running in enforcing mode. This mode is really useful when debugging or creating a new policy or policy rules.
  3. Disabled: No messages logged and there is no more SELinux policy enabled on the server. Most of the time disabled mode is using web control panels like cPanel and/or Plesk.

Prerequisites

Only the root user or a user with sudo privileges can update SELinux mode.

Check the SELinux Mode

When you install freshly the CentOS minimal, DVD or Everything SELinux is coming with enforcing mode. You can make sure about your SELinux status with the “sestatus” command. The print shows that SELinux is enabled and mode set to enforcing.

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

Disabling SELinux

I strongly recommended changing the mode from enforcing to permissive but sometimes some of the applications don’t like SELinux and they required to mode disabled.

To permanently change SELinux mode from enforcing to disabled, first of all, you should use your text editor like vi or nano.

Open the /etc/selinux/config file and change the SELINUX value to disabled on the 6th line like below:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#  enforcing - SELinux security policy is enforced.
#  permissive - SELinux prints warnings instead of enforcing.
#  disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
#  minimum - Modification of targeted policy. Only selected processes are protected. 
#  mls - Multi Level Security protection.
SELINUXTYPE=targeted

Now you can save the file and exit from the text editor. Time to reboot the server:

sudo reboot

Final Control of SELinux Status

Now, we should make sure about SELinux successfully disabled on the server. Run once “sestatus” command again and output should like this:

SELinux status:                 disabled

Conclusion

Now you can change the SELinux modes which one is suitable for you or you need. SELinux is a security mechanism by implementing mandatory access control (MAC). SELinux comes enforcing mode by default on CentOS7 or CentOS8 system, but it can be modifying by editing the configuration file and rebooting the server.

You can access more information about SELinux on their CentOS SELinux pages.