Introduction
SELinux is a mandatory access control (MAC) enforcer built into the Linux kernel. It limits the privileges of individual services whose vulnerabilities might be a threat to the system.
A CentOS system without SELinux relies on the configuration of all its privileged software applications. A single misconfiguration may compromise the entire system. By following this guide, you will learn how to disable SELinux on CentOS 7.
Why Disable SELinux?
Not all applications support SELinux. Therefore, SELinux can terminate necessary processes during regular use and installation of software packages. In those cases, we advise you to turn off this service.
Prerequisites
- Access to a user account with sudo privileges
- Access to a terminal/command line
- An RHEL-based system, such as CentOS 7
- A text editor, such as nano or vim
Steps for Disabling SELinux on CentOS
Step 1: Check SELinux Status
The SELinux service is enabled by default on CentOS and most other RHEL-based systems. However, this might not be the case for your system.
Start by checking the status of SELinux on your system with the command:
sestatus
The example output below indicates that SELinux is enabled. The status shows the service is in the enforcing mode.
SELinux may prevent the normal functioning of applications. The service denies access if:
- A file is mislabeled.
- An incompatible application attempts to access a forbidden file.
- A service is running under the incorrect security policy.
- An intrusion is detected.
If you notice that services are not running correctly, check the SELinux log files. The logs are in /var/log/audit/audit.log. The most common log messages are labeled with “AVC.” If you can’t find any logs, try looking in /var/log/messages. The system writes logs to that file if the auditd daemon is not running.
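One way to read the AVC records described above before changing the SELinux mode is to group them by process, source type, target type, object class and permission. This is an added example, not part of the original guide: the function names avc_summary and sample_log are hypothetical, and the log lines are constructed samples.

```shell
#!/bin/sh
# Added example: summarize AVC denials so the blocked access is visible at a glance.

avc_summary() {    # reads audit log text on stdin, prints "count comm src -> tgt class {perms} mode"
    awk '
    /type=AVC/ && /denied/ {
        comm = src = tgt = cls = perms = ""; mode = "unknown"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                     # permissions sit between "{" and "}"
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = perms (perms ? "," : "") $j
            }
            else if ($i ~ /^comm=/)       { comm = substr($i, 6); gsub(/"/, "", comm) }
            else if ($i ~ /^scontext=/)   { split($i, a, ":"); src = a[3] }  # user:role:TYPE:level
            else if ($i ~ /^tcontext=/)   { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)     { cls = substr($i, 8) }
            else if ($i ~ /^permissive=/) { mode = ($i == "permissive=1") ? "logged-only" : "blocked" }
        }
        # permissive=1 marks a denial that was logged but not enforced (permissive mode)
        count[comm " " src " -> " tgt " " cls " {" perms "} " mode]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

sample_log() {     # constructed sample records, not taken from a real host
cat <<'EOF'
type=AVC msg=audit(1566900001.101:201): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=7001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1566900001.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1566900002.310:202): avc:  denied  { read } for  pid=2102 comm="httpd" name="index.html" dev="dm-0" ino=7001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1566900003.120:203): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1566900009.450:204): avc:  denied  { read open } for  pid=2101 comm="httpd" path="/srv/app/app.log" dev="dm-0" ino=7002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1
EOF
}

# On a real system: sudo cat /var/log/audit/audit.log | avc_summary
sample_log | avc_summary
```

In the sample, the repeated httpd_t to user_home_t denial points at a file label, while the logged-only record is what a denial looks like once the system is in permissive mode.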
Step 2: Disable SELinux
Option 1: Disable SELinux Temporarily
To disable SELinux temporarily, enter the following command in the terminal:
sudo setenforce 0
In sudo setenforce 0, you can use permissive instead of 0.
This command changes SELinux mode from targeted to permissive.
In permissive mode, the service is active and audits all actions. However, it does not enforce any security policies. The system logs AVC messages.
The change is only active until the next reboot. To turn off SELinux permanently, refer to the next section of the article.
Option 2: Disable SELinux Permanently
To disable the service permanently, use a text editor (e.g., vim or nano) and edit the /etc/sysconfig/selinux file as instructed below.
1. Open the /etc/sysconfig/selinux file. We will be using vim. If you are unfamiliar with text editors, refer to our instructional guide on how to use vim.
Enter the following command to open the file:
sudo vi /etc/sysconfig/selinux
2. Change the SELINUX=enforcing directive to SELINUX=disabled.
3. Save the edited file.
Reboot CentOS to Save Changes
For the change to take effect, you need to reboot the system with the command:
sudo shutdown -r now
After you reboot, check the service status to confirm SELinux is disabled. Use the command:
sestatus
The status should be disabled, as seen in the image above. The system will not load any SELinux policies or write any AVC logs.
Conclusion
By following this article, you should be able to check SELinux status and disable the service on CentOS 7. Be cautious when permanently disabling SELinux. In general, the advised option is to switch to permissive mode.
To read more about SELinux, please refer to the official CentOS Wiki.
Author
Dejan Tucakov
Dejan is the Technical Writing Team Lead at phoenixNAP with over 6 years of experience in Web publishing. Prior to joining phoenixNAP, he was Chief Editor of several websites striving to advocate for emerging technologies. He is dedicated to simplifying complex notions and providing meaningful insight into data center and cloud technology.