This is a quick post regarding how to permanently disable SELinux in CentOS 8. #centlinux #linux #selinux
Table of Contents
What is SELinux? :
SELinux (Security-Enhanced Linux) is a Linux kernel module that provides a mechanism to enforce access control security policies including MAC (Mandatory Access Control).
SELinux adds another layer of security to the Linux server by allowing system administrators to control access to operating system objects based on rules based policies.
In CentOS 8 operating system, SELinux runs by-default in enforcing mode with targeted policy.
Although it is not recommended to disable SELinux but there are situations where we need to disable it explicitly. For example when we are installing a software that does not support SELinux.
SELinux Operating Modes:
SELinux has three modes of operations.
- Enforcing: It is the default mode. Access is granted based on SELinux policies.
- Permissive: In this mode SELinux does not restrict access to any objects. Besides that it only logs violations of SELinux policies. This mode is good for debugging purposes.
- Disabled: Neither SELinux policy is enforced nor any messages are logged.
Some of the SELinux features are.
- Well-defined policy interfaces
- Support for applications querying the policy and enforcing access control (for example, crond running jobs in the correct context)
- Individual labels and controls for kernel objects and services
- Separate measures for protecting system integrity (domain-type) and data confidentiality (multilevel security)
- Controls over process initialization and inheritance, and program execution
- Controls over file systems, directories, files, and open file descriptors
- Controls over sockets, messages, and network interfaces
- Default-deny policy (anything not explicitly specified in the policy is disallowed)
Check Status of SELinux:
SELinux is by-default enabled on all installations of CentOS 8 operating system. But it can be disabled explicitly by a System Administrator.
We can run getenforce command, to check the current mode of SELinux.
# getenforce Enforcing
To check the detailed status of the SELinux on the server, we can use following Linux command.
# sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 31
Temporarily Set SELinux mode:
We can temporarily (uptill next system reboot) switch SELinux modes between enforcing and permissive.
Permissive mode is good for generating SELinux security violation logs to create a custom SELinux policy.
Permissive mode is also useful to check if SELinux is blocking access to our processes or files in enforcing mode (e.g. we have configured an Apache web server on a custom port and it is not working).
Following Linux command is used to change SELinux mode to permissive.
# setenforce 0
Check current mode of SELinux again.
# getenforce Permissive
Change SELinux mode back to enforcing.
# setenforce 1
Permanently Set SELinux mode:
If we require to set SELinux mode permanently to permissive then we have to set it in SELinux configuration file as well. So, on the next boot the SELinux will start in permissive mode.
# sed -i s/^SELINUX=.*$/SELINUX=permissive/ /etc/selinux/config # setenforce 0
Permanently Disable SELinux in CentOS 8:
It is not possible to disable SELinux temporarily while a CentOS server is running. We must disable SELinux via its configuration file, so on next system reboot the SELinux won’t be enable anymore.
# sed -i s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/config # systemctl reboot
After reboot, check the current status of SELinux.
# sestatus SELinux status: disabled
SELinux has been permanently disabled on our CentOS 8 server.
In this guide, you have learned how to permanently disable SELinux in CentOS 8.