Security-Enhanced Linux (SELinux) is a security mechanism built into the Linux kernel and widely used across the RHEL series of distributions.
SELinux adds an extra layer of security to the system, which allows administrators and users to control access to objects based on policy rules.
SELinux policy rules specify how processes and users interact with each other, and how processes and users interact with files. If no rule explicitly allows access to an object (for example, a process opening a file), the access is denied.
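SELinux has three modes of operation:
enforcing - SELinux security policy is enforced.
permissive - SELinux prints warnings instead of enforcing.
disabled - No SELinux policy is loaded.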
In CentOS 8, SELinux is enabled by default and is in enforcing mode. It is strongly recommended to keep SELinux in enforcing mode. However, it can sometimes interfere with certain applications, in which case you may need to set it to permissive mode or disable it completely.
In this tutorial, we will explain how to disable SELinux on CentOS 8.
Only the root user or a user with sudo permission can modify the SELinux mode.
Use the sestatus command to check the SELinux status and operating mode:
sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
The above output shows that SELinux is enabled and running in enforcing mode.
When enabled, SELinux can be set to enforcing or permissive mode. You can temporarily change the mode to permissive with the following command:
sudo setenforce 0
However, this change applies only to the currently running session. It is not persisted and is lost after a restart.
To permanently set the SELinux mode to permissive, follow the steps below:
1. Open the /etc/selinux/config file and set the SELINUX mode to permissive:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
2. Run the setenforce 0 command to change the current SELinux mode to permissive.
sudo shutdown -r now
Rather than disabling SELinux, we strongly recommend that you change the mode to permissive. Disable SELinux only if your application is running well.
Perform the following steps to permanently disable SELinux on your CentOS 8 system:
1. Open the /etc/selinux/config file and change the value of SELINUX to disabled:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
2. Restart the system:
sudo shutdown -r now
3. Run the sestatus command to verify whether SELinux has been disabled:
sestatus
The output will look like this:
SELinux status: disabled
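Because setenforce changes only the running mode and /etc/selinux/config takes effect only at boot, the two values can disagree, and it is worth checking both when reviewing a host. The script below is an added example, not part of the original tutorial: the function names and verdict labels are made up for illustration, and it assumes getenforce is installed.

```sh
#!/bin/sh
# Added example: compare the running SELinux mode with the persistent setting.

# Echo the value of the uncommented SELINUX= line in a config file (lowercased).
# "SELINUXTYPE=" and "# SELINUX= ..." comment lines do not match the pattern.
config_mode() {
    cm_file="${1:-/etc/selinux/config}"
    [ -r "$cm_file" ] || { echo unknown; return 0; }
    cm_val=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' \
        "$cm_file" | tail -n 1 | tr '[:upper:]' '[:lower:]')
    echo "${cm_val:-unknown}"
}

# Echo the mode the kernel is using right now, as reported by getenforce.
runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr '[:upper:]' '[:lower:]'
    else
        echo unknown
    fi
}

# Classify a (runtime, config) pair. Verdict labels are this example's own.
audit_selinux() {
    case "$1/$2" in
        unknown/*|*/unknown)
            echo "UNKNOWN: could not read runtime or config mode" ;;
        enforcing/enforcing)
            echo "OK: enforcing now and after reboot" ;;
        permissive/enforcing)
            echo "DRIFT: permissive now, enforcing again after reboot" ;;
        permissive/permissive|disabled/disabled)
            echo "WEAK: $1 now and after reboot" ;;
        *)
            echo "PENDING: $1 now, $2 after reboot" ;;
    esac
}

# Run the audit on the local system only when asked to: ./script.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_selinux "$(runtime_mode)" "$(config_mode)"
fi
```

A DRIFT or PENDING verdict means the host's protection will change at the next reboot, which is the case the sestatus lines "Current mode" and "Mode from config file" also reveal when they differ.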
SELinux is a mechanism to ensure system security by implementing mandatory access control (MAC). SELinux is enabled by default on CentOS 8 systems, but it can also be disabled by editing the configuration file and restarting the system.
To learn more about the powerful features of SELinux, please visit: CentOS SELinux guide.