SELinux (Security Enhanced Linux) is a Linux kernel module which provides options for Mandatory Access Control (MAC) policies. It comes with various command line utilities to precisely control the activities allowed for a program or a user.
It comes preinstalled, and enabled by default, on many Linux distributions, mostly Red Hat based distributions like Fedora and CentOS.
While SELinux definitely offers an added layer of security, there is an ongoing debate among users about whether such an additional layer is even required alongside already present security processes, password protections, etc.
If you’re looking to disable SELinux on your computer running CentOS 8, here’s a quick guide to do so.
Disabling SELinux in CentOS 8
First, let’s run the command sestatus to see status of SELinux:

$: sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

As shown in the status, SELinux is currently enabled on the system and is set to ‘enforcing’ mode. You can either set it to ‘permissive’ mode or entirely disable it. In this post we are going to focus on disabling SELinux.
To disable SELinux in CentOS, open file /etc/selinux/config and change SELINUX=permissive value to SELINUX=disabled as shown below:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Since SELinux is a kernel module, it requires a restart of the computer for the kernel to read the updated configuration file and load the system with SELinux disabled.
sudo shutdown -r
After the computer boots up again, run sestatus to verify if SELinux is disabled:

$: sestatus
SELinux status:                 disabled
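
The config edit above as a small script, with a check for the window between editing the file and rebooting. This is an added example, not part of the original article: the helper names and the sample file are constructed, and the runtime mode is passed in as the string getenforce prints.

```sh
#!/bin/sh
# Added example. Helper names and the sample file are constructed; point the
# helpers at /etc/selinux/config on a real host.

# Print the configured mode: the value of the last uncommented SELINUX= line.
# SELINUXTYPE= and the "# SELINUX= ..." comment lines do not match.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite SELINUX= to enforcing|permissive|disabled, keeping FILE.bak.
# Writes through the existing file (cat >) so its inode and label are kept.
set_selinux_config_mode() (
    file=$1 mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode" >&2; exit 2 ;;
    esac
    grep -q '^[[:space:]]*SELINUX=' "$file" || { echo "no SELINUX= line in $file" >&2; exit 1; }
    cp -p "$file" "$file.bak" || exit 1
    tmp=$(mktemp) || exit 1
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    exit "$rc"
)

# Exit 0 when the file and a runtime mode string (as printed by getenforce)
# disagree, i.e. the file was edited but the running kernel has not caught up.
selinux_mode_mismatch() {
    [ "$(selinux_config_mode "$1")" != "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" ]
}

# Constructed sample in the format of /etc/selinux/config.
write_sample_config() {
    cat > "$1" <<'EOF'
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
}

# Demo on the constructed sample: edit the file, then compare with "Enforcing".
demo_dir=$(mktemp -d) && write_sample_config "$demo_dir/config"
set_selinux_config_mode "$demo_dir/config" disabled
echo "configured: $(selinux_config_mode "$demo_dir/config")"
selinux_mode_mismatch "$demo_dir/config" Enforcing && echo "reboot still pending"
rm -rf "$demo_dir"
```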