This tutorial shows you how you can disable SELinux (Security-Enhanced Linux) on your CentOS server. The CentOS version should be 7 or 8. Version does not matter.
What is SELinux?
SELinux is a security mechanism directly controlling by the kernel. It allows administrators and users more control over access controls on access based SELinux policies.
SELinux has three different modes of operation. Here they are:
- Enforcing: Allows access based on SELinux policies and the policy rules.
- Permissive: SELinux only logs actions that would have been denied if running in enforcing mode. This mode is really useful when debugging or creating a new policy or policy rules.
- Disabled: No messages logged and there is no more SELinux policy enabled on the server. Most of the time disabled mode is using web control panels like cPanel and/or Plesk.
Only the root user or a user with sudo privileges can update SELinux mode.
Check the SELinux Mode
When you install freshly the CentOS minimal, DVD or Everything SELinux is coming with enforcing mode. You can make sure about your SELinux status with the “sestatus” command. The print shows that SELinux is enabled and mode set to enforcing.
SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 31
I strongly recommended changing the mode from enforcing to permissive but sometimes some of the applications don’t like SELinux and they required to mode disabled.
To permanently change SELinux mode from enforcing to disabled, first of all, you should use your text editor like vi or nano.
Open the /etc/selinux/config file and change the SELINUX value to disabled on the 6th line like below:
# This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=disabled # SELINUXTYPE= can take one of these three values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted
Now you can save the file and exit from the text editor. Time to reboot the server:
Final Control of SELinux Status
Now, we should make sure about SELinux successfully disabled on the server. Run once “sestatus” command again and output should like this:
SELinux status: disabled
Now you can change the SELinux modes which one is suitable for you or you need. SELinux is a security mechanism by implementing mandatory access control (MAC). SELinux comes enforcing mode by default on CentOS7 or CentOS8 system, but it can be modifying by editing the configuration file and rebooting the server.
You can access more information about SELinux on their CentOS SELinux pages.