This is a quick post regarding how to permanently disable SELinux on CentOS 8.
Table of Contents:
- What is SELinux?
- SELinux Operating Modes
- SELinux Features
- Check Status of SELinux
- Temporarily Set SELinux mode
- Permanently Set SELinux mode
- Permanently Disable SELinux
What is SELinux?:
SELinux (Security-Enhanced Linux) is a Linux kernel security module that provides a mechanism for enforcing access control security policies, including MAC (Mandatory Access Control).
SELinux adds another layer of security to the Linux server by allowing system administrators to control access to operating system objects based on rule-based policies.
In the CentOS 8 operating system, SELinux runs by default in enforcing mode with the targeted policy.
Although disabling SELinux is not recommended, there are situations where we need to disable it explicitly, for example when we are installing software that does not support SELinux.
SELinux Operating Modes:
SELinux has three modes of operation.
- Enforcing: It is the default mode. Access is granted based on SELinux policies.
- Permissive: In this mode SELinux does not restrict access to any objects; it only logs violations of SELinux policies. This mode is good for debugging purposes.
- Disabled: No SELinux policy is enforced and no messages are logged.
SELinux Features:
Some of the SELinux features are:
- Well-defined policy interfaces
- Support for applications querying the policy and enforcing access control (for example, crond running jobs in the correct context)
- Individual labels and controls for kernel objects and services
- Separate measures for protecting system integrity (domain-type) and data confidentiality (multilevel security)
- Controls over process initialization and inheritance, and program execution
- Controls over file systems, directories, files, and open file descriptors
- Controls over sockets, messages, and network interfaces
- Default-deny policy (anything not explicitly specified in the policy is disallowed)
Check Status of SELinux:
SELinux is enabled by default on all installations of the CentOS 8 operating system, but it can be disabled explicitly by a system administrator.
We can run the getenforce command to check the current mode of SELinux.
# getenforce
Enforcing
To check the detailed status of SELinux on the server, we can use the following Linux command.
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
Temporarily Set SELinux mode:
We can temporarily (until the next system reboot) switch SELinux modes between enforcing and permissive.
Permissive mode is good for generating SELinux security violation logs to create a custom SELinux policy.
Permissive mode is also useful to check if SELinux is blocking access to our processes or files in enforcing mode (e.g. we have configured an Apache web server on a custom port and it is not working).
The following Linux command is used to change SELinux mode to permissive.
# setenforce 0
Check current mode of SELinux again.
# getenforce
Permissive
Change SELinux mode back to enforcing.
# setenforce 1
Permanently Set SELinux mode:
If we need to set SELinux mode permanently to permissive, we have to set it in the SELinux configuration file as well, so that on the next boot SELinux starts in permissive mode.
# sed -i 's/^SELINUX=.*$/SELINUX=permissive/' /etc/selinux/config
# setenforce 0
Permanently Disable SELinux:
It is not possible to disable SELinux temporarily while a CentOS server is running. We must disable SELinux via its configuration file, so that after the next system reboot SELinux will no longer be enabled.
# sed -i 's/^SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config
# systemctl reboot
After reboot, check the current status of SELinux.
# sestatus
SELinux status: disabled
SELinux has been permanently disabled on our CentOS 8 server.
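The sed one-liners in the two "Permanently ..." sections exit successfully even when /etc/selinux/config has no uncommented SELINUX= line, in which case the mode silently stays unchanged. The following shell helpers are an added example, not part of the original post: the names get_selinux_mode and set_selinux_mode are hypothetical, and the demo runs only on constructed temporary files. They validate the requested mode, keep a backup, handle the missing-line case and verify the result.

```shell
#!/bin/sh
# Added example; get_selinux_mode and set_selinux_mode are hypothetical helpers.

# Print the mode from the last uncommented SELINUX= line of a config file.
get_selinux_mode() {
    conf=${1:-/etc/selinux/config}
    sed -n 's/^SELINUX=\([a-z]*\)[[:space:]]*$/\1/p' "$conf" | tail -n 1
}

# Usage: set_selinux_mode MODE [CONFIG_FILE]
set_selinux_mode() {
    mode=$1
    conf=${2:-/etc/selinux/config}
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode" >&2; return 2 ;;
    esac
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak" || return 1   # rollback copy
    if grep -q '^SELINUX=' "$conf.bak"; then
        # Same substitution as the post. ^SELINUX= cannot match SELINUXTYPE=.
        # Redirecting into the existing file keeps its inode, owner and label.
        sed "s/^SELINUX=.*\$/SELINUX=$mode/" "$conf.bak" > "$conf" || return 1
    else
        # The post's one-liner would change nothing here; append the setting.
        printf 'SELINUX=%s\n' "$mode" >> "$conf" || return 1
    fi
    # Verify the edit instead of trusting sed's exit status.
    [ "$(get_selinux_mode "$conf")" = "$mode" ]
}

# Run both cases against constructed sample files (never the real config).
demo_selinux_config() {
    tmp=$(mktemp) || return 1
    printf '# constructed sample\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$tmp"
    set_selinux_mode permissive "$tmp" && get_selinux_mode "$tmp"
    printf '#SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$tmp"
    set_selinux_mode permissive "$tmp" && get_selinux_mode "$tmp"
    rm -f "$tmp" "$tmp.bak"
}
```

Called as root without a file argument, set_selinux_mode edits /etc/selinux/config and leaves the previous version in /etc/selinux/config.bak.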