CentLinux | Learn How to Install CentOS/Rocky Linux Servers

Monday, May 22, 2023

How to Permanently Disable SELinux in Rocky Linux 9

In this Linux tutorial, you will learn how to permanently disable SELinux in Rocky Linux 9 or other Red Had based Linux distributions.


What is SELinux?:

SELinux stands for Security-Enhanced Linux. It is a security feature implemented in certain Linux distributions, including Red Hat Enterprise Linux (RHEL), Fedora, CentOS, and others. SELinux provides an additional layer of security by enforcing mandatory access control (MAC) policies.

MAC is a security model that allows administrators to define fine-grained access controls for various resources, such as files, processes, and network ports. Unlike traditional discretionary access control (DAC), where users and programs have some control over access rights, MAC policies define strict rules that cannot be overridden by users or processes.

SELinux operates by assigning security labels, known as security contexts, to various system resources. These labels contain information about the resource's identity and security attributes. Each process and file on the system is assigned a context, and SELinux uses these contexts to determine whether a particular operation should be allowed or denied.

SELinux policies are configured using a set of rules that specify how processes and objects interact and what actions are permitted. These policies are typically written in a language called SELinux Policy Language (SELinux policy modules) and are loaded into the kernel at system boot time.

By enforcing strict access controls, SELinux helps mitigate the impact of security vulnerabilities and reduce the risk of unauthorized access or malicious actions. It has proven to be effective in preventing various types of attacks, including privilege escalation, unauthorized file access, and network-based exploits.

However, SELinux can be complex to configure and troubleshoot. It requires careful consideration and testing to ensure that the policies do not interfere with legitimate operations or applications. In some cases, administrators may need to adjust or customize SELinux policies to accommodate specific requirements or applications.

Overall, SELinux provides an additional layer of security for Linux systems, making them less susceptible to attacks and unauthorized access.


Permanently Disable SELinux:

Note down the Linux OS and Kernel versions, that are being used in this tutorial.

# cat /etc/rocky-release
Rocky Linux release 9.2 (Blue Onyx)

# uname -r

In most Linux distributions, SELinux by default runs in Enforcing mode.

You can verify it by using sestatus command.

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

To disable SELinux in Red Hat Linux 9 based distros, you need grubby command.

Grubby command is already installed on Minimal installed Rocky Linux servers.

However, you can also install grubby, if it is not present on your Linux OS.

# dnf install -y grubby

Execute following command to permanently disable SELinux.

# grubby --update-kernel ALL --args selinux=0

Reboot your machine now.

# reboot

Again verify the status of SELinux by using sestatus command.

# sestatus
SELinux status:                 disabled

SELinux has been permanently disabled.



In this Linux tutorial, you have learned how to permanently disable SELinux in Rocky Linux 9 or other Red Hat based Linux distributions. If you are new to Linux command-line, then we strongly recommend that you should attend online training: Linux command line for beginners

If you find this article useful? Consider supporting us by Buy Me A Coffee

© 2023 CentLinux. All Rights Reserved.