Knowledgebase

How do I turn off SELINUX in Redhat or CentOS?

Temporarily switch off enforcement

You can switch the system into permissive mode with the following command:

echo 0 >/selinux/enforce

You'll need to be logged in as root, and in the sysadm_r role:

newrole -r sysadm_r

To switch back into enforcing mode:

echo 1 >/selinux/enforce

In Fedora Core and RedHat Enterprise Linux you can use the setenforce command with a 0 or 1 option to set permissive or enforcing mode, its just a slightly easier command than the above.

To check what mode the system is in,

cat /selinux/enforce

which will print a "0" or "1" for permissive or enforcing - probably printed at the beginning of the line of the command prompt.

Permanently Permissive

The above will switch off enforcement temporarily - until you reboot the system. If you want the system to always start in permissive mode, then here is how you do it.

In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and you will see some lines like this:


# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

... just change SELINUX=enforcing to SELINUX=permissive, and you're done. Reboot if you want to prove it.

For the other Linuxes which don't have the /etc/selinux/config file, you just need to edit the kernel boot line, usually in /boot/grub/grub.conf if you're using the GRUB boot loader. On the kernel line, add enforcing=0 at the end. For example,


title SE-Linux Test System
	root (hd0,0)
	kernel /boot/vmlinuz-2.4.20-selinux-2003040709 ro root=/dev/hda1 nousb enforcing=0
	#initrd /boot/initrd-2.4.20-selinux-2003040709.img

 

Fully Disabling SELinux

Fully disabling SELinux goes one step further than just switching into permissive mode. Disabling will completely disable all SELinux functions including file and process labelling.

In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and change the SELINUX line toSELINUX=disabled:


# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

... and then reboot the system.

For the other Linuxes which don't have the /etc/selinux/config file, you just need to edit the kernel boot line, usually in /boot/grub/grub.conf, if you're using the GRUB boot loader. On the kernel line, add selinux=0 at the end. For example,


title SE-Linux Test System
        root (hd0,0)
        kernel /boot/vmlinuz-2.4.20-selinux-2003040709 ro root=/dev/hda1 nousb selinux=0
        #initrd /boot/initrd-2.4.20-selinux-2003040709.img

You will have to reboot to disable SELinux, you just can't do it while the system is running.

Re-Enabling SELinux

If you've disabled SELinux as in the section above, and you want to enable it again then you've got a bit of work to do. The problem will be that files created or changed when SELinux was disabled won't have the correct file labels on them - if you just reboot in enforcing mode then a lot of stuff won't work properly.

What you need to do is to enable SELinux by editing /etc/selinux/config (for Fedora/RedHat) or by addingselinux=1 to the kernel boot line, then boot into permissive mode, then relabel everything, and then reboot into (or simply switch to) enforcing mode.

After booting into permissive mode, runfixfiles relabel

Alternatively, in Fedora and RedHat Enterprise Linux you can runtouch /.autorelabeland reboot or putautorelabelon the boot command line - in both cases the file system gets a full relabel early in the boot process. Note that this can take quite some time for systems with a large number of files.

After relabelling the filesystem, you can switch to enforcing mode (see above) and your system should be fully enforcing again.

Was this answer helpful?

 Print this Article

Also Read

How to disable cPanel redirection to SSL?

There are times you want to disable automatic to SSL connection while accessing WHM, cPanel,...

Myth: Dedicated IP addresses are better for SEO

Myth: Dedicated IP addresses are better for SEO Below I have pasted a...

How to Install WHM+cPanel on my VPS?

If you are on OpenVZ you can reinstall the OS via VPSManager and select CentOS 5.x+WHM/cPanel (we...

Installing VSFTP FTP Server

Q. How do I configure and install an FTP server in CentOS / RHEL 5 / Fedora Linux server? A....

Installing Minecraft on CentOS VPS

So you want to install Minecraft on your QuickWeb server? here's simple steps. Note: We do have...