SELinux (Security Enhanced Linux) is a Linux kernel security module that gives administrators and users more control over access to system resources.
SELinux is a security feature built into the Linux kernel. It is used to control the access that users and applications have to files and network resources on a Linux system. SELinux provides extended file system permissions on top of the traditional Linux filesystem permissions, known as Discretionary Access Control (DAC).
SELinux has three modes (states):
- Enforcing: SELinux allows access based on SELinux policy rules.
- Permissive: SELinux only logs actions that would have been denied if running in enforcing mode.
- Disabled: No SELinux policy is loaded.
By default in CentOS 7, SELinux is enabled and in enforcing mode. In this tutorial we will show you how to disable SELinux on CentOS 7 systems.
Checking the Current Status & Mode of SELinux
To view the current SELinux status and the SELinux policy that is being used on your system, you can use the sestatus command:
[ansible@localhost ~]$ sestatus
Output:
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
You can see from the output above that SELinux is enabled and set to enforcing mode.
Disable SELinux
To temporarily switch SELinux from enforcing to permissive mode, run the following command:
[ansible@localhost ~]$ sudo setenforce 0
This change will be valid for the current runtime session only.
To permanently disable SELinux on your CentOS 7 system, follow the steps below:
1. Open the /etc/selinux/config file and set the SELINUX mode to disabled:
[ansible@localhost ~]$ sudo vim /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
2. Save the file and reboot your CentOS system.
3. Verify the change with the sestatus command:
[ansible@localhost ~]$ sestatus
Output:
SELinux status: disabled
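The temporary change (setenforce) and the permanent one (the config file) can disagree until the next reboot, and comparing the running mode with the configured one shows which state a host is in. The script below is an added example, not part of the original tutorial; the function names selinux_config_mode and selinux_mode_drift are made up for it, and it assumes the SELINUX= key starts in column 1 as in the file shown above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.

# Print the mode set by the first uncommented "SELINUX=" line of a config file.
# Assumption: the key starts in column 1, as in the stock CentOS 7 file.
selinux_config_mode() {
    awk -F= '
        /^SELINUX=/ {                 # does not match SELINUXTYPE=
            v = tolower($2)
            gsub(/[ \t\r]/, "", v)    # drop stray whitespace or a trailing CR
            print v
            found = 1
            exit
        }
        END { exit !found }           # non-zero status if no SELINUX= line
    ' "${1:-/etc/selinux/config}"
}

# Compare the running mode (as printed by getenforce) with the configured one.
#   $1: running mode, e.g. Enforcing, Permissive or Disabled
#   $2: config file path (default /etc/selinux/config)
# Returns 0 if they agree, 1 on drift, 2 if the config has no SELINUX= line.
selinux_mode_drift() {
    running=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    cfg=${2:-/etc/selinux/config}
    configured=$(selinux_config_mode "$cfg") || {
        echo "unknown: no SELINUX= line in $cfg"
        return 2
    }
    if [ "$running" = "$configured" ]; then
        echo "consistent: running=$running configured=$configured"
        return 0
    fi
    # Either setenforce was used, or the file was edited and no reboot followed.
    echo "drift: running=$running configured=$configured (configured mode applies at next boot)"
    return 1
}

# On a live host: selinux_mode_drift "$(getenforce)"
```

A drift result after step 1 and before the reboot in step 2 is expected; a drift result on a host that should be enforcing means someone ran setenforce 0 or edited the file.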
Conclusion
In this tutorial, you learned how to permanently disable SELinux on a CentOS 7 system.
Visit the CentOS SELinux guide and learn more about the powerful features of SELinux.