selinux
selinux

How to disable SElinux on CentOS 7 and RHEL7

SELinux (Security-Enhanced Linux) is a Linux kernel security feature for access control designed by the NSA, the US national security agency, that allows administrators to better control access to the system.

In this guide we will see how to desable SElinux at CentOS 7 and RHEL 7. Here are the steps to deactivate SElinux :

1- Check the current status of SElinux.
2- Deactivate SElinux temporarily
3- Desable SElinux permanently.
4- Reboot
5- Check the status of SElinux

Let’s see in detail all these steps.

Check the current status of SElinux :

Use « getenforce » command to see the status of SElinux :

[root@server ~]# getenforce
Enforcing

You can have three states of SElinux :

Enforcing : activated

Permissive : displays warnings instead of applying them.

Disabled : SElinux is disabled

Another way to see the status of SElinux is the /etc/selinux/config file :

[root@server ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Temporarily disable SELinux:

Use « setenforce » command to disable SELinux :

[root@bdd ~]# setenforce
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]
[root@bdd ~]# setenforce 0
[root@bdd ~]# getenforce
Permissive

This change is temporary, which means that if you restart your machine, the change is lost.

Permanently disabled SElinux :

Edit the /etc/selinux/config file and change the value of « SELINUX » to « disabled » :

[root@server ~]# vim /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled 
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Save the file and restart the machine.

Check the status of SElinux:

After rebooting the machine checking the status of SElinux, it should be in the Disabled state:

[root@server ~]# getenforce
Disabled

[root@server ~]# vim /etc/selinux/config 
# This file controls the state of SELinux on the system. 
# SELINUX= can take one of these three values: 
# enforcing - SELinux security policy is enforced. 
# permissive - SELinux prints warnings instead of enforcing. 
# disabled - No SELinux policy is loaded. 
SELINUX=disabled  
# SELINUXTYPE= can take one of three values: 
# targeted - Targeted processes are protected, 
# minimum - Modification of targeted policy. Only selected processes are protected. 
# mls - Multi Level Security protection. SELINUXTYPE=targeted

Here, you now know the two methods to deactivate SElinux, it should be noted that it is not recommended to deactivate it, and to do it just in the case of diagnostics to check if SElinux is the cause of a blockage.