In this tutorial we will go over the different levels of security in SELinux, as well as show you how to disable SELinux on a CentOS 7 VPS.
SELinux or Security-Enhanced Linux is a Linux kernel security module which provides a variety of security policies and gives server administrators better control over access to various parts of their system. Basically, with SELinux enabled, every program or action running on a Linux VPS which can affect the system in any way would be checked against a security ruleset. Although it provides a higher level of security, many system administrators find it difficult to manage and troubleshoot. For this reason, it’s common for admins to want to disable it. Let’s get started with disabling SELinux.
SELinux offers three levels of security:
- Enforcing: In enforcing mode SELinux allows access based on the policy rules defined.
- Permissive: In permissive mode SELinux does not block anything, but it logs every action that would have been blocked if it were running in enforcing mode.
- Disabled: In disabled mode no SELinux policy rules are loaded.
How to check the SELinux status
Now, connect to your Linux server via SSH and log in as root or as a user with sudo privileges. Once you log in to your server it is recommended to check the current mode of SELinux. You can do this by running the following command in the terminal:
sestatus
The output of the command if SELinux is enabled should be similar to the one below:
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
If the SELinux status shows that it is enabled then you can follow the steps below to disable it.
How to Disable SELinux in CentOS 7
Disabling SELinux on CentOS 7 is a fairly easy task. You can do that with one command:
echo 0 > /sys/fs/selinux/enforce
As an alternative you can use the following command:
setenforce 0
Now, check the status again and make sure it is disabled.
Please note, this will disable SELinux only temporarily. If you want to disable it permanently, you will need to perform the following steps:
Open the /etc/sysconfig/selinux file for editing with a text editor of your choice. We will be using nano in the example below.
nano /etc/sysconfig/selinux
Once you open the file change the following line:
SELINUX=enforcing
to
SELINUX=disabled
Then save and close the file. Once you make this change, verify that the content of the file looks like the one below:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Check the status again using the following command:
sestatus
and make sure the output looks like the one below:
# sestatus
SELinux status:                 disabled
If the output still shows that SELinux is enabled you may need to restart the system for the changes to take effect. To restart the server, run the following command in your terminal:
shutdown -r now
How to Enable Permissive Mode in SELinux on CentOS 7
Instead of disabling SELinux completely, you can consider switching the mode to permissive. In permissive mode SELinux will log any actions or programs that would be blocked if it were running in enforcing mode. This is good for troubleshooting any problems that may arise when you have SELinux enabled on your CentOS 7 VPS. To enable permissive mode in SELinux, edit the /etc/sysconfig/selinux file as described in the step above and change the following line:
SELINUX=enforcing
to
SELINUX=permissive
Save the changes and check the SELinux status again.
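The check below is an added example, not part of the original tutorial. It compares the mode SELinux is running in right now with the mode the config file will apply at the next boot, which makes the difference between the temporary change (setenforce 0 leaves the running system in permissive mode) and the permanent one visible. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the runtime SELinux mode with the configured mode.

# Read `sestatus` output on stdin; print enforcing, permissive or disabled.
runtime_mode() {
    awk -F': *' '
        /^SELinux status:/ { status = $2 }
        /^Current mode:/   { mode = $2 }
        END { if (status == "disabled") print "disabled"; else print mode }'
}

# Read the config file on stdin; print the SELINUX= value.
# Comment lines and SELINUXTYPE= do not match the anchored pattern.
config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*$/\1/p' | tail -n 1
}

# $1 = runtime mode, $2 = configured mode
assess() {
    case "$1/$2" in
        enforcing/enforcing) echo "ok: runtime enforcing, configured enforcing" ;;
        "$2/$2")             echo "weakened: runtime $1, configured $2" ;;
        */enforcing)         echo "temporary: runtime $1, configured enforcing" ;;
        enforcing/*)         echo "pending: runtime enforcing, configured $2" ;;
        *)                   echo "weakened: runtime $1, configured $2" ;;
    esac
}

# Constructed sample: a host right after `setenforce 0`.
sample_sestatus() {
    cat <<'EOF'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
Current mode:                   permissive
Mode from config file:          enforcing
EOF
}
sample_config() {
    cat <<'EOF'
# SELINUX= can take one of these three values:
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
}

# On a real host use: sestatus | runtime_mode
# and: config_mode < /etc/sysconfig/selinux
assess "$(sample_sestatus | runtime_mode)" "$(sample_config | config_mode)"
```

A result of "temporary" means the change will be undone by a reboot, "pending" means the edited file has not taken effect yet, and "weakened" means the host is not enforcing policy and is not configured to.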
It is recommended to keep SELinux enabled on your server unless it is absolutely necessary to disable it or set it to permissive mode, as SELinux deeply enhances the security of your system. Please note that it is not an all-in-one security solution which you can rely on in all situations. If you want to learn more about SELinux and the security features it provides, we recommend reading the SELinux documentation.