• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar

The Geek Diary

HowTos | Basics | Concepts

  • Solaris
    • Solaris 11
    • SVM
    • ZFS
    • Zones
    • LDOMs
    • Hardware
  • Linux
    • CentOS/RHEL 7
    • RHCSA notes
    • SuSE Linux Enterprise
    • Linux Services
  • VCS
    • VxVM
  • Interview Questions
  • oracle
    • ASM
    • mysql
    • RAC
    • oracle 12c
    • Data Guard
  • DevOps
    • Docker
    • Shell Scripting
  • Hadoop
    • Hortonworks HDP
      • HDPCA
    • Cloudera
      • CCA 131

How to Disable or set SELinux to Permissive mode

By admin

Question : How to fully disable SELinux (Security Enhanced Linux) or set it to “permissive” mode

Answer :
SELinux gives that extra layer of security to the resources in the system. It provides the MAC (mandatory access control) as contrary to the DAC (Discretionary access control). Before we dive into setting the SELinux modes, let us see what are the different SELinux modes of operation and how do they work. SELinux can operate in any of the 3 modes :

1. Enforced : Actions contrary to the policy are blocked and a corresponding event is logged in the audit log.
2. Permissive : Actions contrary to the policy are only logged in the audit log.
3. Disabled : The SELinux is disabled entirely.
To completely disable SELinux, use either of these methods:

1. Edit /etc/selinux/config (reboot required)
Change the SELINUX value to SELINUX=disabled in the file /etc/selinux/config.

# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Reboot the server.

# shutdown -r now

2. Append kernel boot options
Edit the kernel boot line in /boot/grub/grub.conf and append selinux=0 to the kernel boot options. For example:

title Red Hat Enterprise Linux AS (2.6.9-42.ELsmp)
root (hd0,0)
kernel /vmlinuz-2.6.9-42.ELsmp ro root=LABEL=/ rhgb quiet selinux=0
initrd /initrd-2.6.9-42.ELsmp.img

Reboot the server.

# shutdown -r now

To set SELinux to Permissive mode, use either of these methods:
1. Set SELinux mode to Permissive temporary (without reboot)
The setenforce command is used to change between enforcing and permissive mode. To change to permissive mode:

# setenforce 0

Use the getenforce command to view current SELinux mode:

# getenforce
Permissive

2. Setting SELinux to Permissive mode permanently
a. Edit /etc/selinux/config
Change the SELINUX value to “SELINUX=permissive”

# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

b. Append kernel boot options
Edit the kernel boot line and append “enforcing=0” to the kernel boot options (Assuming SELinux is not set to disabled as in section above). For example:

title Red Hat Enterprise Linux AS (2.6.9-42.ELsmp)
root (hd0,0)
kernel /vmlinuz-2.6.9-42.ELsmp ro root=LABEL=/ rhgb quiet enforcing=0
initrd /initrd-2.6.9-42.ELsmp.img

Reboot the server.

# shutdown -r now

To check the status of SELinux, issue:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
How to Check whether SELinux is Enabled or Disabled

Filed Under: Linux

Some more articles you might also be interested in …

  1. CentOS / RHEL 6 : How to list or install only security updates with yum
  2. iSCSI troubleshooting : Targets Not Detected After Reboot
  3. UNIX / Linux : What is the correct permission of /tmp and /var/tmp directories
  4. How to Configure ACL(Access Control Lists) in Linux FileSystem
  5. How to find all the sparse files in Linux
  6. MySQL Fails to Start Using systemctl On systemd Linux Distributions
  7. How to install git on ubuntu 16.04
  8. Understanding Linux SCSI Reservation
  9. Which network ports are reserved by the Linux Operating System?
  10. How to Enable Password Aging in Linux with NIS

You May Also Like

Primary Sidebar

Recent Posts

  • How to disable firewalld and nftables and use iptables instead in CentOS/RHEL 8
  • How to add an Ethernet connection using nmcli in CentOS/RHEL 7
  • How to set the order to load certain modules in CentOS/RHEL 7 and 8
  • How to configure initrd / initramfs to including kernel modules in CentOS/RHEL
  • How to configure systemd.path to trigger an event when any changes made to a directory
  • Archives
  • Contact Us
  • Copyright

© 2019 · The Geek Diary