How to disable SELinux in CentOS / RHEL 7/8 and Alma Linux / Rocky Linux


Ensuring robust server security is paramount for effective server management, but for smaller projects or personal endeavors, there might be a willingness to trade off some aspects of stringent security for convenience. In the Linux ecosystem, several distributions are already equipped with solid security measures. Among these, CentOS 7, RHEL (Red Hat Enterprise Linux) 7/8, Alma Linux, and Rocky Linux are recognized for their dependability in security, largely attributed to their SELinux (Security-Enhanced Linux) multi-level security protection.

However, sometimes, those very security measures can hinder day-to-day tasks or community-driven activities. In such instances, disabling certain security protocols might be necessary. This article guides you on how to disable SELinux in CentOS / RHEL 7/8 and Alma Linux / Rocky Linux, providing both temporary and permanent methods.

What is SELinux?

SELinux is a security enhancement to the Linux kernel. It’s a mandatory access control (MAC) system that provides an additional layer of security by restricting which files, ports, and other system resources each process may access, on top of the usual user and group permissions. By default, CentOS 7, RHEL 7/8, Alma Linux, and Rocky Linux incorporate SELinux to offer a heightened level of system security. Other distributions, like Debian, can also implement it, but it’s not enabled by default.

SELinux functions based on specific policies, often referred to as "rules," that either permit or restrict applications from accessing critical system components. Creating these policies can be complex and requires a deep understanding of the system’s operation.

SELinux operates in three distinct states:

  • Enforcing: SELinux is active and enforces its security policies, denying access based on policy rules. This is the default and most secure mode.
  • Permissive: SELinux is active but doesn’t enforce its policies. It logs violations but allows the actions to proceed. This mode is useful for troubleshooting and developing SELinux policies.
  • Disabled: SELinux is completely disabled and doesn’t provide any security enforcement.

Understanding how SELinux works is crucial before deciding whether to disable it.

Disabling SELinux

There are two primary ways to disable SELinux: temporarily or permanently. Each method has its advantages. Temporarily disabling SELinux allows you to test the system without permanently compromising its security posture. Upon system restart, SELinux will automatically revert to its configured state (typically enforcing).

Permanently disabling SELinux, on the other hand, can improve productivity, particularly for personal or medium-sized projects where security concerns are less critical, or where you rely on other security measures. Keep in mind that most Linux distributions, including CentOS 7, RHEL 7/8, Alma Linux, and Rocky Linux, have reasonably robust security policies in place even without SELinux, so this approach may be feasible in certain situations. However, understand the risks involved.

This article provides instructions for both temporary and permanent SELinux deactivation on CentOS 7, RHEL 7/8, Alma Linux, and Rocky Linux. The procedure is identical across these distributions.

Disable SELinux Temporarily on CentOS / RHEL 7/8 and Alma Linux / Rocky Linux

First, establish an SSH connection to your server. Use the following command:

$ ssh your-user@your-server

If you’re using CentOS, RHEL, Alma Linux, or Rocky Linux on your personal computer, open a terminal.

Next, verify the current status of SELinux. You can do this by executing:

$ sestatus

The output will show whether SELinux is enabled and, if so, its current mode (enforcing or permissive).

To temporarily disable SELinux, use these commands:

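$ su
# setenforce 0

The su command switches to the root user (shown by the # prompt). The setenforce 0 command sets SELinux to permissive mode: the policy stays loaded and violations are still logged, but they are no longer blocked.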

Verify the SELinux status again:

$ sestatus

The output should now indicate that SELinux is in permissive mode.

Since this method only temporarily disables SELinux, the changes will be reverted upon a system restart. The primary benefit is that it doesn’t require a reboot to take effect.

Disable SELinux Permanently on CentOS / RHEL 7/8 and Alma Linux / Rocky Linux

To permanently disable SELinux, you need to edit its configuration file. Start by installing the nano text editor (if it’s not already installed):

$ yum install nano

Next, modify the SELinux configuration file:

$ nano /etc/sysconfig/selinux

This file contains the SELinux configuration (on these distributions it is a symbolic link to /etc/selinux/config). To permanently disable SELinux, change the SELINUX variable to disabled so that the line reads:

SELINUX=disabled

Save the file by pressing CTRL+O, then exit with CTRL+X. To ensure the changes take effect, reboot the system and then check the SELinux status:

$ reboot
$ sestatus

This confirms that you have successfully disabled SELinux in CentOS / RHEL 7/8 and Alma Linux / Rocky Linux.

Re-enabling SELinux on CentOS / RHEL 7/8 and Alma Linux / Rocky Linux

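By enabling SELinux, you can enhance the security of your system, particularly in scenarios where the system is exposed to potentially hostile environments or where sensitive data is stored or processed. It can also be useful in situations where untrusted third-party applications are running on the system. To switch back to enforcing mode on a running system, use:

$ sudo setenforce 1

This command changes the SELinux mode to “enforcing” immediately, but the change will not persist across reboots. It only works while SELinux is running in permissive mode; if SELinux was disabled in the configuration file, it has to be re-enabled there, followed by a reboot.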

To make the change persistent, edit the SELinux configuration file /etc/selinux/config using a text editor such as nano or vim.

$ sudo nano /etc/selinux/config

Locate the line that starts with SELINUX= and change its value to enforcing.

SELINUX=enforcing

Save the changes to the file and exit the text editor.

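Afterwards, reboot your system for the changes to take effect. When SELinux is switched back on from the disabled state, the file system is relabeled during that boot, which can take a while on large disks.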
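Because setenforce changes only the running mode and the configuration file only the mode for the next boot, the two can disagree. The following check is an added example, not part of the original article; the function names and the sample file contents are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: compare the SELinux mode configured for the next boot with the running mode.

# Constructed sample of /etc/selinux/config contents (not from a real host).
sample_config() {
cat <<'EOF'
# SELINUX= can take one of these three values: enforcing, permissive, disabled
#SELINUX=enforcing
SELINUX=disabled
SELINUXTYPE=targeted
EOF
}

# Print the active SELINUX= value from a config file ("-" reads stdin).
# Comment lines and the separate SELINUXTYPE= key are ignored.
selinux_config_mode() {
    awk -F= '
        /^[ \t]*#/ { next }
        {
            key = $1; val = $2
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            if (key == "SELINUX") mode = tolower(val)
        }
        END { print (mode == "" ? "unset" : mode) }
    ' "${1:-/etc/selinux/config}"
}

# Relate the configured mode ($1) to the running mode ($2).
selinux_drift() {
    case $1 in
        enforcing|permissive|disabled) ;;
        *) echo "invalid-config: SELINUX=$1"; return 0 ;;
    esac
    if [ "$1" = "$2" ]; then
        echo "consistent: $2 now and after reboot"
    elif [ "$2" = "disabled" ]; then
        echo "reboot-required: disabled now, $1 after reboot"
    else
        echo "drift: $2 now, $1 after reboot"
    fi
}

# Demo on the constructed sample, as if setenforce 0 had been run earlier.
selinux_drift "$(sample_config | selinux_config_mode -)" permissive

# On a real host, compare against getenforce (prints Enforcing/Permissive/Disabled).
if command -v getenforce >/dev/null 2>&1 && [ -r /etc/selinux/config ]; then
    selinux_drift "$(selinux_config_mode)" "$(getenforce | tr 'A-Z' 'a-z')"
fi
```

A "drift" result with disabled as the configured mode means the host will lose SELinux protection at the next reboot even though it is still logging or enforcing now.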

Alternative Solutions to Resolving SELinux Issues

While disabling SELinux is a quick fix, it’s generally not recommended due to the reduced security. Instead of disabling, consider these alternatives:

1. Creating Custom SELinux Policies:

Instead of disabling SELinux completely, a more secure approach is to create custom SELinux policies that allow specific applications or services to function correctly without compromising the overall system security. This involves understanding the specific access denials that SELinux is enforcing and creating rules to grant the necessary permissions.

Explanation: The advantage of this method is that you maintain the benefits of SELinux while allowing necessary functions to operate. This requires understanding SELinux concepts and the specific application requirements.

Steps:

  1. Identify the Denials: Use the audit log to identify the specific SELinux denials that are preventing the application from working. The audit log is typically located at /var/log/audit/audit.log. Use ausearch to search the audit log for relevant denials.

    ausearch -m avc,user_avc,selinux_err -ts today

  2. Create a Custom Policy Module: Use audit2allow to generate a custom policy module based on the audit log entries. This tool automatically creates the necessary SELinux rules. Review the generated .te file before going further: it allows every action that was denied, including ones the application should not need.

    ausearch -m avc -ts recent | audit2allow -m my_application > my_application.te

  3. Compile and Install the Policy: Compile the policy module into a loadable module and install it.

    checkmodule -M -m -o my_application.mod my_application.te
    semodule_package -m my_application.mod -o my_application.pp
    semodule -i my_application.pp

This approach is more involved but provides a much more secure solution than simply disabling SELinux.
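Before installing a generated module, it helps to see which rules the denials would turn into and how often each occurred. The script below is an added example, not part of the original article and not audit2allow itself: it is a simplified summary that reads AVC records and prints one candidate allow rule per distinct denial. The function names and the log records are constructed for illustration.

```sh
#!/bin/sh
# Added example: condense AVC denials into candidate allow rules for review.
# Simplified illustration only; it is not audit2allow.

# Constructed sample records in audit.log format (not from a real host).
sample_avc_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { name_bind } for  pid=1201 comm="httpd" src=9443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=49 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000060.202:215): avc:  denied  { name_bind } for  pid=1288 comm="httpd" src=9443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000090.303:230): avc:  denied  { read open } for  pid=1288 comm="httpd" path="/data/app/index.html" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
EOF
}

# Read audit records (stdin or files) and print, per distinct denial:
#   allow <source type> <target type>:<class> { perms }; # seen N, blocked M
# "blocked" counts records with permissive=0, i.e. actions that were really denied.
avc_summary() {
    awk '
        /^type=AVC / && / denied / {
            perms = ""
            if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART, RLENGTH)
            s = t = c = ""; p = "0"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)   { split(substr($i, 10), a, ":"); s = a[3] }
                if ($i ~ /^tcontext=/)   { split(substr($i, 10), a, ":"); t = a[3] }
                if ($i ~ /^tclass=/)     c = substr($i, 8)
                if ($i ~ /^permissive=/) p = substr($i, 12)
            }
            rule = "allow " s " " t ":" c " " perms ";"
            n[rule]++
            if (p == "0") blocked[rule]++
        }
        END {
            for (r in n) printf "%s # seen %d, blocked %d\n", r, n[r], blocked[r]
        }
    ' "$@" | sort
}

# Demo on the constructed records.
sample_avc_log | avc_summary
# On a real host: ausearch -m avc -ts recent | avc_summary
```

A rule whose target is a generic type such as default_t usually points to a mislabelled file, which is better fixed by correcting the file's label than by installing the allow rule.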

2. Using Targeted Policies with semanage:

SELinux has a targeted policy, meaning it focuses on protecting specific processes and files. The semanage command allows administrators to manage these targeted policies without directly editing policy files. This provides a more user-friendly way to adjust SELinux rules.

Explanation: semanage simplifies modifying SELinux policies by providing an abstraction layer. It allows adding, modifying, and deleting SELinux rules for users, roles, types, and ports without deep knowledge of SELinux internals.

Example: Allowing Apache to listen on a non-standard port:

By default, SELinux may prevent Apache (httpd) from listening on ports other than 80 and 443. To allow Apache to listen on port 8080, use semanage:

semanage port -a -t http_port_t -p tcp 8080

  • -a: Adds a new port definition.
  • -t: Specifies the SELinux type (in this case, http_port_t for HTTP ports).
  • -p: Specifies the protocol (TCP).

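After running this command, restart Apache for the changes to take effect. If semanage reports that the port is already defined (it may already be assigned to another type in the policy), use -m to modify the existing definition instead of -a. This approach is much easier than writing a custom policy from scratch and provides a more secure alternative to disabling SELinux entirely.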

Conclusion

While disabling SELinux provides a quick solution to certain problems on CentOS / RHEL 7/8 and Alma Linux / Rocky Linux, it is generally not recommended due to the security implications. Always consider the potential risks before disabling any security feature. Understanding SELinux, creating custom policies, or using tools like semanage are better alternatives.

This article demonstrated how to disable SELinux temporarily or permanently. We also explored two alternative approaches to resolving SELinux-related issues without compromising security. We hope this tutorial has been helpful in understanding how to disable SELinux in CentOS / RHEL 7/8 and Alma Linux / Rocky Linux and how to consider alternative methods.
