Cyberithub

How to Enable or Disable SElinux Temporarily or Permanently on RedHat/CentOS 7/8

by

In this article, we will look into how to enable or disable SELinux Temporarily or Permanently on RedHat/CentOS 7/8. SELinux is a security feature that you will find enabled in many Organizations to protect its resources from Unauthorized access. It is mostly used along with firewall to enhance the OS Security features.

Hence it is important to understand the methods through which one can enable or disable SELinux temporarily or permanently as per its requirement. We will understand both options through below examples.

Modes of SELinux

a)Enforcing: In this mode, SELinux will enforce its policies.

b)Permissive: In this mode, SELinux will show warnings but it won’t enforce policies.

c)Disabled: In this mode, SELinux will stand in disable mode.

Security Policy of SELinux

a)Targeted: Only targeted processes will be protected under this policy.

b)Minimum: It will only provide protection to selected processes.

c)MLS: It provides multi layer security protection.

How to Enable or Disable SElinux Temporarily or Permanently on RedHat/CentOS 7/8 1

How to Enable or Disable SELinux Temporarily or Permanently 

Also Read: Best way to disable SELinux temporarily on RedHat/CentOS 7

1. Check if SELinux is Enabled or not using sestatus command

You can check selinux status using sestatus command as shown below. In the below output you can see that SELinux status is showing enabled and SELinux filesystem is mounted on /sys/fs/selinux.

Configuration path can be found under /etc/selinux which is also know as SELinux root directory. Current policy is set to targeted which is the default policy in CentOS or RedHat Based Systems. You can also see the current mode is set to enforcing which allows SELinux to enforce its policies.

[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31

2. Enable SELinux Temporarily Using Setenforce Command

If you want to enable SELinux temporarily, then you can do it through by passing mode name or mode value as parameter through setenforce command. Here we are passing mode name as parameter to setenforce command as shown below. Then we need to check if selinux is enabled or not using sestatus command.

setenforce permissive – Set SELinux status to permissive mode

setenforce enforcing – Set SELinux status to enforcing mode

[root@localhost ~]# setenforce enforcing
[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31

Also you can temporarily disable SELinux by another method where you can pass the mode value as parameter instead of mode name as shown below. After that you can run sestatus command to check if SELinux is enabled or not.

setenforce 0 – Set SELinux status to permissive mode

setenforce 1 – Set SELinux Status to Enforcing mode

[root@localhost ~]# setenforce 0
[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31

Another method that can be use to enable SELinux temporarily is by using SELinux Kernel Parameters. You can pass value 1 to /sys/fs/selinux/enforce parameter to enable enforcing mode as shown in below command.

[root@localhost ~]# echo 1 > /sys/fs/selinux/enforce

Then you can again check if SELinux is Enabled or not using sestatus command. Now you can see current mode is set to enforcing instead of permissive.

[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31

 

3. Enable SELinux Permanently Using Configuration File

If you want to enable SELinux permanently then you need to do it through SELinux configuration file. You can generally find configuration file in /etc/selinux path. Here you need to set the value of SELINUX to enforced to permanently enable SELinux.

[root@localhost ~]# vi /etc/selinux/config

SELINUX=enforced

Press Esc. Save and exit by using wq! . Then, Restart Your System using init 6 command as shown below.

[root@localhost ~]# init 6

or, you can also reboot your system using reboot command.

[root@localhost ~]# reboot

Now you can check selinux status again and check if SELinux is Enabled or not.

[root@localhost ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

4. Disable SELinux Temporarily Using Setenforce Command

If you want to disable SELinux temporarily, then either you can do it through by passing mode name or mode value as parameter through setenforce command. Here we are passing mode name as parameter to setenforce command as shown below. Then we need to check if selinux is enabled or not using sestatus command.

setenforce permissive – Set SELinux status to permissive mode

setenforce enforcing – Set SELinux status to enforcing mode

[root@localhost ~]# setenforce permissive
[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31

Also you can temporarily disable SELinux by another method where you can pass the mode value as parameter instead of mode name as shown below. After that you can run sestatus command to check if SELinux is enabled or not.

setenforce 0 – Set SELinux status to permissive mode

setenforce 1 – Set SELinux Status to Enforcing mode

[root@localhost ~]# setenforce 0
[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31

Another method that can be used to disable SELinux temporarily is by using SELinux Kernel Parameters. You can pass value 0 to /sys/fs/selinux/enforce parameter to remove enforcing mode as shown in below command.

[root@localhost ~]# echo 0 > /sys/fs/selinux/enforce

Then you can again check if SELinux is Enabled or not using sestatus command. Now you can see current mode is set to permissive instead of enforcing.

[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31

 

5. Disable SELinux Permanently Using Configuration File

If you want to disable SELinux permanently then you need to do it through SELinux configuration file. You can generally find configuration file in /etc/selinux path. Here you need to set the value of SELINUX to disabled to permanently disable SELinux.

It is also important to note here that from /etc/selinux/config file you get below three options in which disabled option was not available with setenforce command.

a)enforcing

b)permissive

c)disabled 

[root@localhost ~]# vi /etc/selinux/config

SELINUX=disabled

Press Esc. Save and exit by using wq! . Then, Restart Your System using init 6 command as shown below.

[root@localhost ~]# init 6

or, you can also reboot your system using reboot command.

[root@localhost ~]# reboot

Now you can check selinux status again and check if SELinux is Enabled or not.

[root@localhost ~]# sestatus
SELinux status: disabled

 

Also Read: What is SELinux

Leave a Comment