How to disable SELinux in CentOS / RHEL 7/8 and Alma Linux / Rocky Linux

Ensuring server security is a critical component of server management, but smaller or personal projects may compromise some aspects of security. In the realm of Linux distributions, many already have robust security protocols in place. Among them, CentOS 7 and RHEL are widely recognized as the most dependable security options across Linux, thanks to their SELinux multi-level security protection.

Despite its benefits, excessive security measures can occasionally impede everyday and community activities. Therefore, disabling certain measures may become necessary. This post aims to instruct you on how to disable SELinux in CentOS 7.

What is SELinux?

SELinux is a security control feature installed on your system, which restricts access to specific kernel modules. By default, CentOS 7 and RHEL incorporate this feature to offer an extra layer of security to the system. However, other Linux distributions, like Debian, can also implement it.

SELinux operates via specific policies, known as “rules,” that permit or restrict the use of certain applications for critical system components. The creation of such policies can be a challenging task.

SELinux has three distinct states:

  • The Enforcing state denies any unauthorized access, and enabling this state is referred to as having SELinux enabled.
  • In the Permissive state, SELinux generates warnings. Unlike the enforcing state, unauthorized access is allowed, but a warning is displayed.
  • The Disabled state means that the SELinux feature is turned off, and access is permitted without warnings.

Having learned how SELinux functions, we can now determine whether it is worth disabling.

Disabling SELinux

There are two ways to disable SELinux: temporarily or permanently. Each method has its own advantages. Temporarily disabling it enables us to test the system without compromising its security. Upon system restart, SELinux will automatically reactivate.

Conversely, permanently deactivating SELinux can increase productivity, particularly for personal or medium-sized projects. It is essential to note that most Linux distributions have robust security policies in place at this stage, so this approach may be feasible.

This post will instruct you on how to perform both temporary and permanent SELinux deactivation on CentOS 7.

Disable SELinux Temporarily on CentOS 7

To begin, we must establish an SSH connection to access the server. Execute the following command to achieve this:

$ ssh your-user@your-server

Alternatively, if we are using CentOS on our personal computer, we can open the terminal.

Next, we must verify the status of SELinux, which can be accomplished by executing the following command:

$ sestatus

The output will notify us that SELinux is enabled with the enforcing state.

To temporarily disable SELinux, we can execute the following commands:

$ su
$ setenforce 0

We must then verify the SELinux status again with sestatus.

The output will indicate that SELinux is now in permissive mode, allowing us to use the system with ease.

Because this method only disables SELinux temporarily, the change is reverted automatically at the next restart, when SELinux is reactivated. The main benefit of this method is that it does not require a system reboot.

Disable SELinux Permanently on CentOS 7

In order to permanently disable SELinux, we will need to edit a configuration file. To begin, we will need to install the nano text editor by executing the following command:

$ sudo yum install nano

Next, we must modify the SELinux configuration file.

$ sudo nano /etc/sysconfig/selinux

The file contains various values that can be assigned to SELinux, representing the different states it can take. To disable SELinux completely, set the SELINUX value to “disabled” (lowercase in the file), so that the line reads as follows:

SELINUX=disabled

Once this is done, we need to save the file by pressing CTRL+O and then close it with CTRL+X. To ensure the changes have taken effect, we need to reboot the system and then check the status of SELinux by running the following command:

$ sestatus

By doing this, we will have successfully disabled SELinux in CentOS.

Re-enabling SELinux on CentOS

By enabling SELinux, you can enhance the security of your system, particularly in scenarios where the system is exposed to potentially hostile environments or where sensitive data is stored or processed. It can also be useful in situations where untrusted third-party applications are running on the system.

$ sudo setenforce 1

This command changes the SELinux mode to “enforcing” immediately, but the change will not persist across reboots.

To make the change persistent, edit the SELinux configuration file /etc/selinux/config using a text editor such as nano or vim.

$ sudo nano /etc/selinux/config

Locate the line that starts with SELINUX= and change its value to enforcing.

SELINUX=enforcing

Save the changes to the file and exit the text editor.

Afterwards, reboot your system for the changes to take effect.
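
Both procedures above leave two separate states on the system: the mode that is running now (changed by setenforce) and the mode the configuration file will apply at the next boot. The following script is an added example, not part of the original tutorial, that compares the two and reports when a reboot will change the mode. The function names and the sample configuration are constructed for illustration, and the script assumes the first uncommented SELINUX= line is the one that counts.

```shell
#!/bin/sh
# Added example (not from the tutorial): compare the SELinux mode running now
# with the mode the config file will apply at the next boot.

# Print the configured mode from a config file, or "unset" if none is found.
# Assumption: the first uncommented SELINUX= line is the one that counts.
selinux_boot_mode() {
    mode=$(sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" 2>/dev/null |
        head -n 1 | tr '[:upper:]' '[:lower:]')
    echo "${mode:-unset}"
}

# Print the running mode via getenforce, or "unknown" without SELinux tools.
selinux_runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr '[:upper:]' '[:lower:]'
    else
        echo unknown
    fi
}

# Compare the two modes and say what a reboot will change.
selinux_drift() {
    running=$1
    boot=$2
    if [ "$running" = "$boot" ]; then
        echo "match: $running now and after reboot"
    elif [ "$running" = disabled ]; then
        echo "drift: disabled now, $boot after reboot (setenforce cannot change a disabled system)"
    else
        echo "drift: $running now, $boot after reboot"
    fi
}

# Constructed sample config for trying the parser offline.
sample_config() {
    printf '%s\n' '# constructed sample' '#SELINUX=enforcing' \
        'SELINUX=disabled' 'SELINUXTYPE=targeted'
}

# On a host with the real file, report its state; elsewhere do nothing.
if [ -r /etc/selinux/config ]; then
    selinux_drift "$(selinux_runtime_mode)" "$(selinux_boot_mode /etc/selinux/config)"
fi
```

Right after setenforce 0 on a default system the script reports drift (permissive now, enforcing after reboot), which makes a forgotten temporary change or a pending permanent one visible before the next restart.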

Conclusion

While SELinux provides excellent security to CentOS, some may find it bothersome or inconvenient. Before deciding to disable any security feature, one should always consider the potential risks.

In this post, we have demonstrated how to disable SELinux temporarily or permanently, depending on your needs. We hope this tutorial has been useful to you!
