Is SELinux hindering your daily software access and usage on CentOS 7? You can easily disable it temporarily or permanently to avoid such issues. Find out how to disable SELinux on CentOS 7 with only a few commands.
What is SELinux?
Security-Enhanced Linux or SELinux is a security feature built into the Linux kernel. It provides an additional layer of security by enforcing security policies on processes, users, and files within a system.
SELinux is like a guard that watches over the various processes and users on a Linux system. It helps ensure that these users and processes don’t do anything that could potentially compromise the security of the system. It does this by setting strict rules and permissions.
If a process or user tries to do something that is not allowed by the security policy, SELinux will block the action and prevent it from happening.
SELinux is enabled by default on CentOS and RHEL. Regular users often have to use software that may not support SELinux. One way to overcome this is to disable it to continue using such applications.
So let’s see in the next sections how you can do that.
Prerequisites to Disable SELinux on CentOS 7
These are all the requirements you need to disable SELinux on CentOS 7:
- Sudo privilege
- Linux terminal or command line interface
- A text editor (We will use nano for this tutorial)
Disabling SELinux on CentOS 7
There are two ways you can disable SELinux—temporarily and permanently. A temporary disablement stays only for that session and goes away when you reboot the system. A permanent disablement means it stays disabled until you enable it.
Disable Temporarily
To temporarily disable SELinux, we need to change its mode. SELinux has three modes:
- Enforcing: Security policies are fully in action.
- Permissive: Security policies are there, but no access is denied.
- Disabled: No security policies or rules are applied.
First, we need to check in which mode it’s currently in. For that, use the command as seen below:
$ sestatus
Output:
Another way to check the current SELinux status is by using the following command:
$ getenforce
Output:
You can also do so using the cat
command:
$ cat /etc/selinux/config
Output:
As you can see in the screenshot above, the status is ‘enabled’ and the current mode is ‘enforcing’, as expected. But we need to set the mode to ‘Permissive’. We can do that by typing this command:
$ sudo setenforce Permissive
Now check the mode again with getenforce
It should now say ‘Permissive’. Like what you’re seeing in this example:
To set it to ‘enforcing’ again, you just need to use the setenforce
command with the ’Enforcing’ value, like this:
$ sudo setenforce Enforcing
Output:
You also have the option to use ‘0’ and ‘1’ instead of the full mode name. ‘0’ for ‘Permissive’ mode and 1 for ‘Enforcing’ mode. Using this below command will set the mode to ‘Permissive’:
$ sudo setenforce 0
Output:
Disable Permanently
If you want to permanently disable SELinux on CentOS 7, you must edit its configuration files. For that, we need a text editor. We will open the file in nano. If you don’t have nano installed, use this command to install it:
$ sudo yum install nano
After that, open the SELinux configuration file in nano with this command:
$ sudo nano /etc/sysconfig/selinux
You should see this interface below (except for the red rectangle):
You can read about the different modes to understand what happens if SELinux is set to that mode.
Notice that SELinux is set to ‘enforcing’ mode. We need to change that. To disable SELinux permanently on CentOS 7, we need to change this value to ‘disabled’. Input this to do just that:
SELINUX=disabled
Scroll down to that line. Remove ‘enforcing’ and then write ‘disabled’. The output should look like this:
Now save your changes by hitting “Ctrl + O”. And then exit nano by pressing “Ctrl + X”.
Remember, we’re not done yet. To make the changes take effect, we need to reboot the system. Reboot your device with the following command:
$ sudo reboot now
Finally, let’s check if the change has taken place using the getenforce
command. This is what should appear on your screen:
To double-check, let’s use the sestatus
command, too.
$ sestatus
This is what should appear on your screen:
And just like that SELinux is disabled permanently. If you want it to get back working, you’ll need to edit the same file and change the value to ‘enforcing’ via the following input:
SELINUX=enforcing
Once done, don’t forget to reboot your computer afterward.
Should You Disable SELinux on CentOS 7?
We don’t recommend disabling SELinux on a production system. Since it provides an additional layer of protection by enforcing Mandatory access controls (MAC) on all processes and files.
It also prevents malicious or unauthorized access to sensitive data and protects against certain types of attacks, such as privilege escalation. While disabling SELinux can make dealing with some software a bit more convenient, it comes at a high price—compromising your system’s security.
If you do need to disable SELinux, you should only do so temporarily. Then re-enable it as soon as you can.
For a permanent disablement, it is important to understand the implications and to have a good reason for doing so. For inexperienced users, it’s more harm than good.
If you are experiencing problems with SELinux, it’s a better idea to try to troubleshoot and fix the issue rather than simply disabling it. There are many resources available online to help you understand and work with SELinux, including the SELinux FAQ and the SELinux user guide.
Final Thoughts
This short tutorial shows you how to disable SELinux on CentOS 7. We covered what SELinux is and what role it plays and showed you both ways to temporarily and permanently disable it.
We also illustrated the good side and the bad side of disabling SELinux. Of course, the final decision is yours but be sure to read that part carefully before taking action. Facing any problems following this tutorial? Let us know in the comments below.
If this guide helped you, please share it.