[vc_row][vc_column][vc_column_text]Security-Enhanced Linux (SELinux) is a security architecture for Linux® systems that allows administrators to have more control over who can access the system.
SELinux is a security mechanism built into the Linux kernel used by CentOS and RHEL-based distributions.
SELinux has three modes of operation:
- Enforcing: SELinux allows access based on SELinux policy rules.
- Permissive: SELinux only logs actions that would have been denied if running in enforcing mode. This mode is useful for debugging and creating new policy rules.
- Disabled: No SELinux policy is loaded, and no messages are logged.
By default, in CentOS 8, SELinux is enabled and in enforcing mode. It is highly recommended to keep SELinux in enforcing mode. However, sometimes it may interfere with the functioning of some application, and you need to set it to the permissive mode or disable it completely.
Checking the SELinux Mode
Use the sestatus command to check the status and the mode in which SELinux is running:
[simterm]
sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
[/simterm]
Changing SELinux Mode to Permissive
When enabled, SELinux can be either in enforcing or permissive mode. You can temporarily change the mode from targeted to permissive with the following command:
[simterm]
sudo setenforce 0
[/simterm]
However, this change is valid for the current runtime session only and do not persist between reboots.
To permanently set the SELinux mode to permissive, follow the steps below:
Open the /etc/selinux/config file and set the SELINUX mod to permissive:
[simterm]
/etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing – SELinux security policy is enforced.
# permissive – SELinux prints warnings instead of enforcing.
# disabled – No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these three values:
# targeted – Targeted processes are protected,
# minimum – Modification of targeted policy. Only selected processes are protected.
# mls – Multi Level Security protection.
SELINUXTYPE=targeted
[/simterm]
Save the file and run the setenforce 0 command to change the SELinux mode for the current session:
[simterm]
sudo shutdown -r now
[/simterm]
Disabling SELinux
Instead of disabling SELinux, it is strongly recommended to change the mode to permissive. Disable SELinux only when required for the proper functioning of your application.
Perform the steps below to disable SELinux on your CentOS 8 system permanently:
Open the /etc/selinux/config file and change the SELINUX value to disabled:
[simterm]
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing – SELinux security policy is enforced.
# permissive – SELinux prints warnings instead of enforcing.
# disabled – No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
# targeted – Targeted processes are protected,
# minimum – Modification of targeted policy. Only selected processes are protected.
# mls – Multi Level Security protection.
SELINUXTYPE=targeted
[/simterm]
Save the file and reboot the system:
[simterm]
sudo shutdown -r now
[/simterm]
When the system is booted, use the sestatus command to verify that SELinux has been disabled:
[simterm]
sestatus
[/simterm]
The output should look like this:
[simterm]
SELinux status: disabled
[/simterm][/vc_column_text][/vc_column][/vc_row]
