How to Change SELinux Operational Mode

SELinux, which stands for Security Enhanced Linux, is an extra layer of security control built for Linux systems. The original version of SELinux was developed by the NSA. Other key contributors include Red Hat, which has enabled it by default in their own RHEL and its derivative Linux distributions.

Although SELinux can protect our system through access control for programs and system services, it’s not always necessary to have it enabled. Some users may even find that it interferes with certain programs they try to install. In this case, it’s possible to change the SELinux operational mode from enforcing to either permissive or disabled.

In this tutorial, we’ll go over the step by step instructions to change the SELinux operational mode.

In this tutorial you will learn:

  • How to check SELinux operational mode
  • How to change SELinux operational mode
Software Requirements and Linux Command Line Conventions

Category    | Requirements, Conventions or Software Version Used
System      | Any Linux distro that uses SELinux
Software    | SELinux
Other       | Privileged access to your Linux system as root or via the sudo command.
Conventions | # – requires given linux commands to be executed with root privileges, either directly as the root user or by use of the sudo command
            | $ – requires given linux commands to be executed as a regular non-privileged user

How to Check SELinux Operational Mode




SELinux has three possible modes that you could see when running the getenforce command shown below. They are:

  • Enforcing – SELinux is active and enforcing its policy rules.
  • Permissive – SELinux permits everything, but logs the events it would normally deny in enforcing mode.
  • Disabled – SELinux is not enforcing rules or logging anything.

We go over checking the SELinux operational mode in more detail in a different tutorial. But the command below is the quickest and easiest way to see what mode SELinux is running in.

$ getenforce
Enforcing

How to Change SELinux Operational Mode

Depending on your needs, changing the SELinux mode could involve either changing it to permissive mode, or disabling it entirely. By default, SELinux is set to enforcing.

Setting SELinux to permissive mode will disable all aspects of SELinux except for logging messages. We don’t need to reboot our system for this change to take effect, and we can make the change by executing the following command.

$ sudo setenforce 0

You can verify the change by checking SELinux's current mode again, either with the sestatus or getenforce command.


When you reboot the system, SELinux will change back to enforcing mode. If you’d like the change to be permanent, you can use the following step by step instructions to disable SELinux completely or keep it in permissive mode.



  1. Use nano or your favorite text editor to open the SELinux configuration file located in /etc/selinux/config. You’ll need to do this with the root account or sudo command.
    $ sudo nano /etc/selinux/config
    
  2. Change the SELINUX=enforcing line to either “permissive” or “disabled”, depending on the setting you prefer. Then, exit this file after saving your changes to it.
    SELINUX=disabled
    
  3. Once you reboot the system, SELinux will be totally disabled. To avoid restarting now, execute the setenforce 0 command as explained above, which switches to permissive mode immediately while you wait for the next reboot.
    $ reboot
    




To revert this change, follow the same instructions but change the SELINUX directive back to “enforcing.”

Alternatively, change a permissive SELinux mode back to enforcing with the following command.

$ sudo setenforce 1
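
As an added example (not part of the original tutorial), the script below compares the running mode with the SELINUX directive in the configuration file, which shows whether a setenforce change is only temporary or whether a different mode is queued for the next reboot. The function names and the --live flag are this example's own, and it assumes the config file uses the SELINUX=<mode> line format shown above.

```shell
#!/bin/sh
# Added example: detect a mismatch between the running SELinux mode and the
# mode configured for the next boot in /etc/selinux/config.

# Print the value of the first SELINUX= line in config file $1, lower-cased.
# Comment lines and the separate SELINUXTYPE= directive do not match.
configured_mode() {
    sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | head -n 1 | tr '[:upper:]' '[:lower:]'
}

# Compare the runtime mode $1 (as printed by getenforce) with config file $2.
# Prints "match <mode>" (returns 0), "drift runtime=<x> boot=<y>" (returns 1),
# or an "unknown" message when no directive is found (returns 2).
compare_modes() {
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    boot=$(configured_mode "$2")
    if [ -z "$boot" ]; then
        echo "unknown: no SELINUX= directive in $2"
        return 2
    fi
    if [ "$runtime" = "$boot" ]; then
        echo "match $runtime"
        return 0
    fi
    echo "drift runtime=$runtime boot=$boot"
    return 1
}

# Query the live system only when the script is invoked with --live.
if [ "${1:-}" = "--live" ]; then
    compare_modes "$(getenforce)" /etc/selinux/config
fi
```

A "drift" result after setenforce 0 means the system returns to the configured mode at the next reboot; a "drift" result after editing the file means the edit has not taken effect yet.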

Closing Thoughts

In this guide, we saw how to change the SELinux operational mode on major Linux distributions, by setting the current mode to either enforcing or permissive, and by disabling SELinux completely.

SELinux is a helpful feature that should only be disabled with prior consideration, or in test environments. Some distributions also have their own recommended alternative to SELinux, for example Ubuntu uses AppArmor. In such a case, SELinux can be safely disabled in favor of the distro’s own security software.


