How to Permanently Disable SELinux in CentOS 8

Learn how to permanently disable SELinux in CentOS 8 with this step-by-step guide. Follow our instructions to modify SELinux configuration files and ensure it remains disabled across system reboots. #centlinux #linux #selinux

What is SELinux?

SELinux (Security-Enhanced Linux) is a Linux kernel module that provides a mechanism to enforce access control security policies including MAC (Mandatory Access Control).

SELinux adds another layer of security to the Linux server by allowing system administrators to control access to operating system objects based on rules based policies.

In CentOS 8 operating system, SELinux runs by-default in enforcing mode with targeted policy.

Although it is not recommended to disable SELinux but there are situations where we need to disable it explicitly. For example when we are installing a software that does not support SELinux.

Read Also: How to Permanently Disable SELinux in Rocky Linux 9

SELinux Operating Modes:

SELinux has three modes of operations.

• Enforcing: It is the default mode. Access is granted based on SELinux policies.
• Permissive: In this mode SELinux does not restrict access to any objects. Besides that it only logs violations of SELinux policies. This mode is good for debugging purposes.
• Disabled: Neither SELinux policy is enforced nor any messages are logged.

SELinux Features:

Some of the SELinux features are.

• Well-defined policy interfaces
• Support for applications querying the policy and enforcing access control (for example, crond running jobs in the correct context)
• Individual labels and controls for kernel objects and services
• Separate measures for protecting system integrity (domain-type) and data confidentiality (multilevel security)
• Controls over process initialization and inheritance, and program execution
• Controls over file systems, directories, files, and open file descriptors
• Controls over sockets, messages, and network interfaces
• Default-deny policy (anything not explicitly specified in the policy is disallowed)

Recommended Training: Complete Linux Training Course to Get Your Dream IT Job 2025 from Imran Afzal

Check SELinux Status

SELinux (Security-Enhanced Linux) is enabled by default on all installations of the CentOS 8 operating system to provide mandatory access control (MAC) for enhanced security. It enforces policies that restrict unauthorized access to system resources, reducing the risk of security breaches. However, in some cases, certain applications or custom configurations may require SELinux to be disabled to function properly.

A system administrator has the ability to explicitly disable SELinux if necessary. Before making any changes, it is important to check the current SELinux mode to determine whether it is operating in enforcing, permissive, or disabled mode.

This can be done by running the getenforce command, which returns the current SELinux status. If changes are needed, SELinux can be set to permissive mode (where it logs warnings but does not enforce policies) or completely disabled to remove all restrictions.

# getenforce
Enforcing

To obtain a detailed status report of SELinux on a CentOS 8 server, we can use a specific Linux command that provides comprehensive information about its current state. This command displays key details such as the current SELinux mode (Enforcing, Permissive, or Disabled), the loaded policy type, and the SELinux policy file locations.

By running this command, system administrators can gain deeper insights into how SELinux is configured and whether any custom policies or modifications have been applied. Understanding the detailed SELinux status helps in troubleshooting security-related issues and determining whether changes are required to optimize system performance or application compatibility.

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

Temporarily Set SELinux mode

We can temporarily switch SELinux modes between enforcing and permissive until the next system reboot. This allows system administrators to test applications and troubleshoot security policy violations without making permanent changes to the system’s SELinux configuration.

Permissive mode is particularly useful when debugging SELinux-related access issues, as it does not enforce policies but still logs security violations. This mode helps in generating SELinux alerts, which can be analyzed to create a custom SELinux policy for applications that require special permissions.

For example, if an Apache web server is configured on a custom port but fails to start under enforcing mode, switching to permissive mode allows us to check if SELinux is blocking access to the process or files. This can help determine whether additional SELinux rules or policy modifications are needed to allow the service to function correctly.

To change the SELinux mode to permissive temporarily, a specific Linux command can be executed. However, this change will only last until the system is rebooted, after which SELinux will revert to its default mode as defined in its configuration file.

# setenforce 0

After making changes to SELinux, it is important to verify the current mode to ensure that the modifications have been applied correctly. Checking the SELinux mode again helps confirm whether the system is running in enforcing, permissive, or disabled mode. This step is crucial, especially after switching between modes or troubleshooting access issues, as it ensures that the desired security level is in effect.

By running a specific Linux command, administrators can retrieve real-time information about the active SELinux mode. If the expected mode is not set, further investigation or additional configuration adjustments may be required. Regularly checking the SELinux status is a best practice for maintaining a secure and well-functioning server environment.

# getenforce
Permissive

To restore SELinux mode back to enforcing, we need to execute a specific Linux command. Enforcing mode ensures that all SELinux security policies are actively applied, restricting unauthorized access and protecting system resources.

Switching SELinux back to enforcing is essential after troubleshooting or testing in permissive mode, as it reactivates the mandatory access control (MAC) rules that help secure the server. This step is particularly important in production environments where security must be strictly maintained to prevent unauthorized actions or policy violations.

After changing the SELinux mode, it is recommended to verify the status using a system command to confirm that enforcing mode is now active. If SELinux is not behaving as expected, reviewing the system logs and security contexts of affected files or processes may help identify and resolve any lingering issues.

# setenforce 1

Read Also: How to setup Central Logging Server in CentOS 7

Permanently Set SELinux mode

If we need to set SELinux mode permanently to permissive, we must modify the SELinux configuration file to ensure that the system boots into permissive mode every time it restarts. Unlike temporarily changing the mode, which only lasts until the next reboot, updating the configuration file ensures that SELinux consistently starts in permissive mode after every system restart.

Setting permissive mode permanently is useful when running applications or services that may face access restrictions under enforcing mode. It allows the system to log SELinux security violations without blocking access, making it easier for administrators to analyze issues and create custom policies if needed.

Once the SELinux configuration file is updated, a system reboot is required for the changes to take effect. After rebooting, it is recommended to verify the SELinux mode to confirm that the system is now running in permissive mode as intended.

# sed -i s/^SELINUX=.*$/SELINUX=permissive/ /etc/selinux/config
# setenforce 0

Permanently Disable SELinux in CentOS 8

It is not possible to disable SELinux temporarily while a CentOS server is running. We must disable SELinux via its configuration file, so on next system reboot the SELinux won’t be enable anymore.

# sed -i s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/config
# systemctl reboot

After reboot, check the current status of SELinux.

# sestatus
SELinux status:                 disabled

SELinux has been permanently disabled on our CentOS 8 server.

Final Thoughts

Disabling SELinux permanently in CentOS 8 ensures that security policies enforced by SELinux no longer interfere with system configurations and application behavior. While SELinux provides an additional layer of security, some applications or custom configurations may require it to be disabled.

By modifying the SELinux configuration file and setting it to permissive or disabled, you can prevent SELinux from enforcing policies after a system reboot. However, it is important to evaluate the security implications before permanently disabling SELinux, as it plays a crucial role in protecting the system from unauthorized access and potential threats.

If SELinux must be disabled, consider implementing alternative security measures, such as firewall rules and access controls, to maintain system integrity.

Optimize your cloud infrastructure and secure your servers with my AWS and Linux administration services. Let’s ensure your systems run smoothly. Connect with me on Fiverr now!

FAQs

1. What is SELinux, and why is it enabled by default in CentOS 8?
SELinux (Security-Enhanced Linux) is a security framework that enforces access controls to protect the system from unauthorized modifications. It is enabled by default in CentOS 8 to enhance security and prevent potential vulnerabilities.

2. Why would someone want to disable SELinux in CentOS 8?
Some applications and services may not function properly with SELinux enabled. Disabling SELinux can help avoid permission-related issues, especially in custom or third-party software deployments.

3. What is the difference between permissive and disabled SELinux modes?
In permissive mode, SELinux does not enforce security policies but logs warnings. In disabled mode, SELinux is completely turned off, and no security policies are applied.

4. How do I confirm that SELinux has been permanently disabled?
After modifying the SELinux configuration file and rebooting the system, you can check the current SELinux status using a system command to verify if it is disabled.

5. What are the security risks of disabling SELinux permanently?
Disabling SELinux removes a critical security layer, making the system more vulnerable to unauthorized access and exploits. If SELinux must be disabled, alternative security measures, such as strict firewall rules and access controls, should be implemented.