What is SELinux? Why You May Want to Disable it?

If you already know about SELinux and you are completely aware of the risks you would encounter on disabling it, here’s how to do it.

  • Open the config file /etc/selinux/config or its symbolic link /etc/sysconfig/selinux.
  • Change the line from SELINUX=enforcing to SELINUX=disabled
  • Restart the system or use setenforce 0 to invoke change immediately.

Read this article for more detailed information on what is SELinux, how to disable SELinux and why it’s not always a good idea to disable SELinux.

What is SELinux?

SELinux stands for Security Enhanced Linux. It is a labeling mechanism to provide high security to files and other objects in the system from unauthorized processes and also authorized processes that do not have or need such access to avoid misuse.

One can install SELinux in any existing Linux system. This usage will not be useful for all individual users but essential for server systems.

Its security rigidness can be understood by the fact that with SELinux, root owned process even if hacked can’t access the files that are not given access.

How SELinux Works?

SELinux enforces the access policy that will be followed by the kernel whenever a process needs to access file or object. Under the policy, each file or process is assigned a label. So when a process with a label a:a:a needs to access the file (with label b:b:b) both should match (except for MLS configuration in which hierarchy will be followed as per the policy).

Read more about labeling in here and here.

Note that disabling SELinux in a server brings back a lot of threats to the system. Be sure that you are doing this neither because of convenience nor speculated content in articles but a valid reason.

Drawbacks of Disabling SE Linux

On disabling SELinux, each process will have access to files as in a normal Linux System. Misuse of rights cannot be prevented. A hacked process can gain access to secret files which are not needed for its original purpose and might be misused. This is a serious issue.

If a process with root permission is compromised, then the entire system is at risk. What SELinux provides is more rigid security. Learn more about risks here.

Why would you want to disable SELinux if it’s a security feature?

Because often extreme security features become a pain. Same is true for SELinux.

Because it is way too strict on what files are accessible by what process, you’ll have a hard time making various services work properly on your server.

For example, if files in /var/lib are owned by root and with file permissions 000, the program that requires these files won’t run.

Also, when you are debugging an application, SELinux becomes a pain. Disabling it saves you headache.

Tip: Use permissive mode with SELinux

A relatively better practice is to put SELinux into permissive mode before you deploy your application or debugging your issue and enable it again after that.

The permissive mode works as if SELinux was disabled but at the same times, it will log as if SELinux was enabled.

This way you can know from the /var/log/messages logs what would happen with your application if the SELinux was enabled. Check for denial messages.

Note that your system is not protected with SELinux policies in permissive mode.

Disable SELinux in CentOS and other Linux distributions

You can disable SELinux using the following steps. Though these commands are tested in CentOS, it should work perfectly in Fedora and Red Hat Linux.

I think the same steps should be applicable to other Linux distributions as well. If not, please let us know in the comment section.

First, check the SELinux Status using sestatus command.

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31

If SELinux is enabled and is in enforcing mode, you can disable it using these steps.

Step 1: Open the config file /etc/selinux/config or its symbolic link /etc/sysconfig/selinux

Step 2: Change the line from SELINUX=enforcing to SELINUX=disabled.

Step 3: Restart the system or use setenforce 0 to change SELinux mode for the current session and the change will be active on restart.

Note: To put SELinux in permissive mode, change the config file to have SELINUX=permissive

How to enable SELinux again?

As mentioned earlier, you may want to enable SELinux again after debugging your issue or deploying your application. In fact, temporarily disabling SELinux is perhaps the best idea.

You can re-enable SELinux by reverting the changes you did earlier.

Step 1: Open the /etc/selinux/config or the /etc/sysconfig/selinux file again.

Step 2: This time change the line to SELINUX=enforcing

Step 3: In the end, reboot the system or use the command setenforce 1 to enforce SELinux immediately.

I hope I clarified a few things about SELinux like permissive mode vs enforcing, disabling SELinux etc.

If you have questions or suggestions to improve this article, please let us know in the comment section below. Also share your thought on disabling SELinux.