How to Disable SELinux on CentOS 8

SELinux (Security Enhanced Linux) is a Linux kernel module which provides options for Mandatory Access Control (MAC) policies. It comes with various command line utilities to precisely control the activities allowed for a program or a user.

It comes preinstalled, and enabled by default, on many Linux distributions, mostly Red Hat based distributions like Fedora and CentOS.

While SELinux definitely offers an added layer of security, there is an ongoing debate in the community of users whether such an additional layer is even required along with already present security processes, password protections, etc.

If you’re looking to disable SELinux on your computer running CentOS 8, here’s a quick guide to do so.

Disabling SELinux in CentOS 8

First, let’s run the command sestatus to see status of SELinux:

$: sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

As shown in the status, SELinux is currently enabled on the system and is set to ‘enforcing’ mode. You can either set it to ‘permissive’ mode or entirely disable it. In this post we are going to focus on disabling SELinux.

To disable SELinux in CentOS, open file /etc/selinux/config and change SELINUX=enforcing or SELINUX=permissive value to SELINUX=disabled as shown below:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.

Since SELinux is a kernel module, it requires a restart of the computer for the kernel to read the updated configuration file and load the system with SELinux disabled.

sudo shutdown -r

After the computer boots up again, run sestatus to verify if SELinux is disabled :

$: sestatus
SELinux status:                 disabled

🍻 Cheers!