Security Enhanced Linux (SELinux) is enabled and running in enforcing mode by default on CentOS/RHEL based Linux distributions, and with good reason: it adds a mandatory access control layer on top of the normal file permissions and considerably increases overall system security.
Despite this there may be times when you want to temporarily or permanently disable SELinux, which is what we’ll cover here.
Note: SELinux is incredibly valuable as part of an overall Linux system security strategy, and we recommend leaving it enabled in enforcing mode in production environments wherever possible. If a particular application or package does not work properly with SELinux, customized allowances can be made for it, which is the preferred option compared to simply disabling the whole thing.
First off, a quick overview of the three different SELinux modes. SELinux can be in enforcing, permissive, or disabled mode.
Enforcing
This is the default. In enforcing mode, if something happens on the system that is against the loaded policy, the action is both blocked and logged.
Permissive
Permissive mode does not block or deny anything, but it logs everything that would have been blocked in enforcing mode. It is a good mode to use when testing a Linux system that has never run SELinux and you want an idea of the problems you may hit before enforcing. No reboot is needed when swapping between permissive and enforcing modes.
Disabled
In disabled mode SELinux is completely turned off: no policy is loaded and nothing is logged. Switching to disabled mode requires a system reboot, and switching from disabled mode back to either permissive or enforcing mode requires a reboot as well. Be aware that files created or modified while SELinux is disabled receive no labels, so before going back to enforcing mode create the /.autorelabel file so that the filesystem is relabelled during the next boot; otherwise services may be denied access to unlabelled files once the policy is enforced again.
View Current SELinux Status
As mentioned, CentOS/RHEL use SELinux in enforcing mode by default, and there are a few ways to check and confirm this. My favourites are the ‘getenforce’ and ‘sestatus’ commands.
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
Both commands confirm that the system is currently in enforcing mode.
Change SELinux Mode
There are also several ways to change the mode of SELinux, either at runtime only or persistently so that the setting survives a reboot.
SELinux Runtime Configuration
One of the fastest ways to switch between enforcing and permissive modes is with the ‘setenforce’ command. We can use ‘setenforce 0’ to swap to permissive mode, or ‘setenforce 1’ to swap to enforcing mode.
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
Permissive
[root@localhost ~]# setenforce 1
[root@localhost ~]# getenforce
Enforcing
Note that this only changes the runtime setting; after a reboot the mode stored in the /etc/selinux/config file is used again. SELinux cannot be disabled at runtime, as swapping to or from disabled mode requires a reboot.
SELinux Persistent Configuration
We can edit the /etc/selinux/config text file to set the persistent mode: enforcing, permissive, or disabled. By default this file appears as shown below.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Simply set the SELINUX variable to enforcing, permissive, or disabled, as outlined in the comments of the file. Editing the file has no immediate effect; the new mode is applied at the next boot. To switch between enforcing and permissive without waiting, edit the file and run setenforce as well, so that the runtime and persistent settings match. Changing to or from disabled always requires the reboot.
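The following helper script is an added example, not code from the original article. It reads and rewrites the SELINUX= line of an /etc/selinux/config style file (the path is a parameter so it can be exercised on a copy), validates the mode name, and applies the mode at runtime only where that is possible; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): read, validate and change
# the persistent SELinux mode, and apply it at runtime where that makes sense.

# Print the configured persistent mode from a config file.
# Usage: selinux_config_mode [config-file]   (default /etc/selinux/config)
selinux_config_mode() {
    cfg="${1:-/etc/selinux/config}"
    # Take the last uncommented SELINUX= line, ignoring surrounding blanks.
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$cfg" | tail -n 1
}

# Succeed only for the three values the config file accepts.
valid_selinux_mode() {
    case "$1" in
        enforcing|permissive|disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Rewrite SELINUX= in the config file. Exit status: 0 on success,
# 1 for an invalid mode name, 2 if the file has no SELINUX= line.
# Only the SELINUX= line is touched; SELINUXTYPE= and comments stay intact.
# The file is rewritten in place (cat > file) so its inode, permissions and
# its own SELinux label are preserved.
set_selinux_config_mode() {
    mode="$1"
    cfg="${2:-/etc/selinux/config}"
    valid_selinux_mode "$mode" || return 1
    grep -q '^[[:space:]]*SELINUX=' "$cfg" || return 2
    tmp="${cfg}.tmp.$$"
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=${mode}/" "$cfg" > "$tmp" \
        && cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Apply a mode immediately with setenforce. enforcing and permissive can be
# switched live; disabled needs a reboot, so it is only reported.
# Harmless on hosts without the SELinux tools.
apply_selinux_runtime_mode() {
    mode="$1"
    valid_selinux_mode "$mode" || return 1
    if ! command -v setenforce >/dev/null 2>&1; then
        echo "setenforce not available; runtime mode unchanged"
        return 0
    fi
    case "$mode" in
        enforcing)  setenforce 1 ;;
        permissive) setenforce 0 ;;
        disabled)   echo "disabled takes effect only after a reboot" ;;
    esac
}

# Demo: report the persistent mode if the real config file is present.
if [ -r /etc/selinux/config ]; then
    echo "Persistent mode in /etc/selinux/config: $(selinux_config_mode)"
fi
```

A typical use on a real host is `set_selinux_config_mode permissive && apply_selinux_runtime_mode permissive`, which keeps the persistent and runtime settings in step; running it as root is assumed, since /etc/selinux/config is only writable by root.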
So you have something that does not work while SELinux is in enforcing mode. Rather than switching to permissive mode or disabling SELinux outright, we can troubleshoot the denial and fix its cause, which is far better than turning the whole thing off. Disabling SELinux should be considered a last resort.
First install the setroubleshoot-server package with ‘yum’.
[root@localhost ~]# yum install setroubleshoot-server -y
This package provides the ‘sealert’ command, which helps uncover the cause of a denial and displays recommended ways of fixing it.
In this example I have created an index.html file in the /root directory, and then moved it to /var/www/html for Apache to serve out.
[root@localhost ~]# vim index.html
[root@localhost ~]# mv index.html /var/www/html/
However when I try to view the index file in Firefox, the index.html page content does not display and I get the below error in the /var/log/messages file.
Aug 28 00:15:51 localhost setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l 284cb2c9-1c2e-4708-a48d-415123f558aa
Aug 28 00:15:51 localhost python: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html.#012#012***** Plugin restorecon (99.5 confidence) suggests ************************#012#012If you want to fix the label. #012/var/www/html/index.html default label should be httpd_sys_content_t.#012Then you can run restorecon.#012Do#012# /sbin/restorecon -v /var/www/html/index.html#012#012***** Plugin catchall (1.49 confidence) suggests **************************#012#012If you believe that httpd should be allowed getattr access on the index.html file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep httpd /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
This is essentially saying that Apache cannot access index.html because the file has the wrong SELinux context. The context of the file is shown with the -Z option of ‘ls’.
[root@localhost ~]# ls -laZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 .
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 ..
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 index.html
As the file was created in the /root directory it carries the ‘admin_home_t’ type, and ‘mv’ preserved that label when the file was moved; ‘cp’ would instead have created a new file with the default label of the destination directory. The httpd_t domain that Apache runs in is not allowed to read admin_home_t, and the static content it serves is expected to be labelled ‘httpd_sys_content_t’. The logs suggest fixing this with restorecon, which resets the file to the label the policy defines for its path, and sure enough after running it the page loads correctly. If web content lives outside the default directories, record a persistent rule for the path with semanage fcontext first and then run restorecon on it; a label set with chcon alone is lost at the next relabel.
[root@localhost ~]# restorecon -v /var/www/html/index.html
restorecon reset /var/www/html/index.html context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
Further information is also logged to the /var/log/audit/audit.log file, but the raw AVC records there are not very human readable. This is where the ‘sealert’ command helps.
[root@localhost ~]# sealert -a /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label.
/var/www/html/index.html default label should be httpd_sys_content_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html
The -a option reads the whole audit log and reports every alert; to look at a single one, pass the alert ID printed in /var/log/messages to ‘sealert -l’ instead. Again the recommendation provides the exact command to run to fix the problem, easy! Treat the lower-confidence catchall suggestion with care: piping every httpd denial in the audit log through audit2allow produces a policy module that allows all of them, including the access caused by a mislabelled file or by an attack, so only use it once you have confirmed the denied access is genuinely legitimate and no label fix or boolean covers it. Hopefully you can start to see that with these techniques there is usually no real reason to disable SELinux.
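To show what sealert is digesting, here is an added example, not code from the original article: a minimal reader for the AVC records in audit.log. It pulls the source type, target type, object class and denied permissions out of each "avc: denied" line, then flags the pattern from this article, httpd_t denied on a file or directory whose type is not an httpd_* type, which points to a mislabelled file rather than a missing policy rule. The audit records are constructed for the example (the first mirrors the denial above, the second is a denial on correctly labelled content) and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): summarise and classify
# AVC denials from an audit.log file.

# Write two constructed audit.log records (plus one non-AVC line) to $1.
# These are sample records made up for the example, not real captured logs.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1440688551.100:101): avc:  denied  { getattr } for  pid=2134 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1440688551.100:101): arch=c000003e syscall=4 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1440688552.200:102): avc:  denied  { write } for  pid=2134 comm="httpd" name="uploads" dev="dm-0" ino=140 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
EOF
}

# One line per denial: "<source type> <target type> <class> <permissions>".
avc_summary() {
    awk '
    /type=AVC/ && /avc: +denied/ {
        perms = ""; stype = ""; ttype = ""; tclass = ""
        # Permissions are listed inside braces: { getattr } or { read open }.
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        # Contexts are user:role:type:level; the type is the third field.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); stype = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); ttype = a[3] }
            else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        print stype, ttype, tclass, perms
    }' "$1"
}

# Classify each denial. "mislabel": fix with restorecon (or a semanage
# fcontext rule plus restorecon for non-default paths). "review": the
# target already has an httpd_* type, so look at booleans or the exact
# access requested before reaching for audit2allow.
avc_classify() {
    avc_summary "$1" | while read -r stype ttype tclass perms; do
        case "$stype:$ttype:$tclass" in
            httpd_t:httpd_*:*)            echo "review $ttype $perms" ;;
            httpd_t:*:file|httpd_t:*:dir) echo "mislabel $ttype $perms" ;;
            *)                            echo "review $stype $ttype $tclass $perms" ;;
        esac
    done
}

# Demo on the constructed records.
log="$(mktemp)"
write_sample_audit_log "$log"
avc_classify "$log"
rm -f "$log"
```

On a real host run `avc_classify /var/log/audit/audit.log` as root; the classification is deliberately narrow (only the httpd_t case from this article is recognised as a mislabel) and is meant as a first triage step before sealert, not a replacement for it.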
As shown it’s pretty easy to change between SELinux modes either persistently or at run time only.
Rather than disabling SELinux, it is always recommended to leave it running in enforcing mode and fix the individual issues rather than compromising the security of the entire system. This is fairly simple to do with the ‘sealert’ command from the setroubleshoot-server package.