How to Permanently Disable SELinux on CentOS 8 - CentLinux


Sunday, 19 January 2020

How to Permanently Disable SELinux on CentOS 8


This is a quick post regarding how to permanently disable SELinux on CentOS 8. SELinux (Security-Enhanced Linux) is a Linux kernel module that provides a mechanism to enforce access control security policies including MAC (Mandatory Access Control).

SELinux adds another layer of security to the server by allowing sysadmins to control access to objects through rule-based policies.

By default, SELinux runs in enforcing mode with the targeted policy on CentOS 8. Although disabling it is not recommended, there are situations where we need to disable it explicitly, for example when we are installing software that does not support SELinux.

 


     

    SELinux Operating Modes:

    SELinux has three modes of operation.

    • Enforcing: It is the default mode. Access is granted based on SELinux policies.
    • Permissive: In this mode SELinux does not restrict access to any objects; it only logs violations of SELinux policies. This mode is good for debugging purposes.
    • Disabled: SELinux policy is not enforced and no messages are logged.

     

    SELinux Features:

    Some of the SELinux features are:

    • Well-defined policy interfaces
    • Support for applications querying the policy and enforcing access control (for example, crond running jobs in the correct context)
    • Individual labels and controls for kernel objects and services
    • Separate measures for protecting system integrity (domain-type) and data confidentiality (multilevel security)
    • Controls over process initialization and inheritance, and program execution
    • Controls over file systems, directories, files, and open file descriptors
    • Controls over sockets, messages, and network interfaces
    • Default-deny policy (anything not explicitly specified in the policy is disallowed)

     

    Check Status of SELinux on CentOS 8:

    SELinux is enabled by default on all installations of CentOS 8, but sysadmins can disable it explicitly.

    To check the current mode of SELinux:

    [root@centos-8 ~]# getenforce
    Enforcing

    To check the detailed status of SELinux on the server, we can use the following command.

    [root@centos-8 ~]# sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Memory protection checking:     actual (secure)
    Max kernel policy version:      31

     

    Temporarily Set SELinux mode in CentOS 8:

    We can temporarily (until the next reboot) switch SELinux between enforcing and permissive modes.

    Permissive mode is good for generating SELinux security violation logs to create a custom SELinux policy.

    Permissive mode is also useful to check if SELinux is blocking access to our processes or files in enforcing mode (e.g. we have configured an Apache HTTP server on a custom port and it is not working).

    Change SELinux mode to permissive.

    [root@centos-8 ~]# setenforce 0

    Check current mode of SELinux now.

    [root@centos-8 ~]# getenforce
    Permissive

    Change SELinux mode back to enforcing.

    [root@centos-8 ~]# setenforce 1

     

    Permanently Set SELinux mode in CentOS 8:

    If we need to set the SELinux mode permanently to permissive, then we have to set it in the SELinux configuration file as well, so that on the next boot SELinux starts in permissive mode.

    [root@centos-8 ~]# sed -i 's/^SELINUX=.*$/SELINUX=permissive/' /etc/selinux/config
    [root@centos-8 ~]# setenforce 0

     

    Permanently Disable SELinux on CentOS 8:

    It is not possible to disable SELinux temporarily while a CentOS 8 machine is running. We must disable SELinux via its configuration file, so that after the next system reboot SELinux is no longer enabled.

    [root@centos-8 ~]# sed -i 's/^SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config
    [root@centos-8 ~]# systemctl reboot

    After reboot, check the current status of SELinux.

    [root@centos-8 ~]# sestatus SELinux status: disabled

    SELinux has been permanently disabled on the CentOS 8 server.
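The temporary and permanent procedures above change two different things: setenforce changes the running mode, while the sed edits change the mode used at the next boot. The following script is an added example, not part of the original article, that compares the two so a host with a pending or runtime-only change can be spotted; the function names selinux_config_mode and selinux_drift are hypothetical.

```shell
#!/bin/bash
# Added example (not from the original article). Function names are hypothetical.

# Print the mode the host will boot into, read from the SELinux config file.
# Matches ^SELINUX= exactly as the article's sed commands do, so commented
# lines and SELINUXTYPE= are ignored. Assumption: the first match is used.
selinux_config_mode() {
    local cfg="${1:-/etc/selinux/config}"
    sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$cfg" \
        | head -n 1 | tr '[:upper:]' '[:lower:]'
}

# Compare the running mode (getenforce output) with the configured mode.
selinux_drift() {
    local running configured="$2"
    running=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$configured" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid-config: $configured"; return 0 ;;
    esac
    if [ "$running" = "$configured" ]; then
        echo "consistent: $configured"
    else
        # e.g. setenforce 0 without a config edit, or a config edit awaiting reboot
        echo "drift: running=$running next-boot=$configured"
    fi
}

if command -v getenforce >/dev/null 2>&1 && [ -r /etc/selinux/config ]; then
    # Real host: compare live state with /etc/selinux/config.
    selinux_drift "$(getenforce)" "$(selinux_config_mode)"
else
    # Constructed sample: config already set to disabled, host not yet rebooted.
    sample=$(mktemp)
    printf '#SELINUX=enforcing\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$sample"
    selinux_drift "Enforcing" "$(selinux_config_mode "$sample")"
    rm -f "$sample"
fi
```

A "drift" result with next-boot=disabled or next-boot=permissive means the host is still enforcing now but will stop doing so after its next reboot.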
