How to Disable or Turn Off SELinux on CentOS 7

April 29, 2019

Introduction

SELinux is a mandatory access control (MAC) enforcer built into the Linux kernel. It limits the privileges of individual services whose vulnerabilities might be a threat to the system.

CentOS systems without SELinux rely on the configuration of all its privileged software applications. A single misconfiguration may compromise the entire system. By following this guide, you will learn how to disable SELinux on CentOS 7.

Why Disable SELinux?

Not all applications support SELinux. Therefore, SELinux can terminate necessary processes during the regular use and installation of software packages. In those cases, we advise you to turn off this service.

how to disable selinux on centos7

Prerequisites

  • Access to a user account with sudo privileges
  • Access to a terminal/command line
  • An RHEL-based system, such as CentOS 7
  • A text editor, such as nano or vim

Steps for Disabling SELinux on CentOS

Step 1: Check SELinux Status

The SELinux service is enabled by default on CentOS and most other RHEL-based systems. However, this might not be the case for your system.

Start by checking the status of SELinux on your system with the command:

sestatus

The example output below indicates that SELinux is enabled. The status shows the service is in the enforcing mode.

output example of the status of SELinux

SELinux may prevent the normal functioning of applications. The service denies access if:

  • A file is mislabeled.
  • An incompatible application attempts to access a forbidden file.
  • A service is running under the incorrect security policy.
  • An intrusion is detected.

If you notice that services are not running correctly, check SELinux log files. The logs are in /var/log/audit/audit.log. Most common log messages are labeled with “AVC.” If you can’t find any logs, try looking in /var/log/messages. The system writes logs in that file if the auditd daemon is not running.

Step 2: Disable SELinux

Option 1: Disable SELinux Temporarily

To disable SELinux temporarily, type in the following command in the terminal:

sudo setenforce 0

In sudo setenforce 0, you can use permissive instead of 0.

This command changes SELinux mode from targeted to permissive.

changing from targeted to permissive mode

In permissive mode, the service is active and audits all actions. However, it does not enforce any security policies. The system logs AVC messages.

The change is only active until the next reboot. To turn off SELinux permanently, refer to the next section of the article.

Option 2: Disable SELinux Permanently

To disable the service permanently, use a text editor (e.g., vim or nano) and edit the /etc/sysconfig/selinux file as instructed below.

1. Open the /etc/sysconfig/selinux file. We will be using vim. If you are unfamiliar with text editors, refer to our instructional guide on how to save and exit a file vim.

Enter the following command to open the file:

sudo vi /etc/sysconfig/selinux

2. Change the SELINUX=enforcing directive to SELINUX=disabled.

Editing the SELINUX directive to disable

3. Save the edited file.

Reboot CentOS to Save Changes

For the change to take effect, you need to reboot the system with the command:

sudo shutdown -r now

After you reboot, check the service status to confirm SELinux is disabled. Use the command:

sestatus
Editing the SELINUX directive to disable

The status should be disabled, as seen in the image above. The system will not load any SELinux policies or write any AVC logs.

Conclusion

By following this article, you should be able to check SELinux status and disable the service on CentOS 7. Be cautious when permanently disabling SELinux. In general, the advised option is to switch to permissive mode.

To read more about SELinux, please refer to the official CentOS Wiki.

Was this article helpful?
YesNo
Dejan Tucakov
Dejan is the Head of Content at phoenixNAP with over 8 years of experience in Web publishing and technical writing. Prior to joining PNAP, he was Chief Editor of several websites striving to advocate for emerging technologies. He is dedicated to simplifying complex notions and providing meaningful insight into data center and cloud technology.
Next you should read
Bare Metal Servers Security
21 Server Security Tips to Secure Your Server
January 11, 2023
Hackers are always on the lookout for server vulnerabilities. Minimize risks and be confident your data is...
Read more
Security Web Servers
How to Set up & Configure ModSecurity on Apache
March 11, 2019
ModSecurity is an Open-source firewall application for Apache. Learn how to Setup & Configure ModSecurity on...
Read more
Security Web Servers
Defend Against DoS & DDoS on Apache With mod_evasive
March 5, 2019
The mod_evasive tool is an Apache web services module that helps your server stay running in the event of an ...
Read more
Security SysAdmin Web Servers
How to View Apache Access & Error Logs
January 7, 2019
Apache is part of the LAMP stack of software for Linux (Linux, Apache, MySQL, PHP). Apache is responsible for ...
Read more