How To Enable Or Disable SELinux In CentOS/RHEL 7

Security Enhanced Linux (SELinux) is enabled and running in enforcing mode by default in CentOS/RHEL based Linux operating systems, and with good reason, as it increases overall system security.

Despite this, there may be times when you want to temporarily or permanently disable SELinux, which is what we’ll cover here.

Note: SELinux is incredibly valuable as part of an overall Linux system security strategy, and we recommend leaving it enabled in enforcing mode in production environments where possible. If a particular application or package does not work properly with SELinux, customized allowances can be made for it (see the troubleshooting section), which is preferable to simply disabling the whole thing.


SELinux Basics

First off, a quick overview of the three different SELinux modes. SELinux can be in enforcing, permissive, or disabled mode.

  • Enforcing: This is the default. In enforcing mode, if something happens on the system that is against the defined policy, the action will be both blocked and logged.

  • Permissive: This mode will not actually block or deny anything from happening; however, it will log anything that would normally have been blocked in enforcing mode. It’s a good mode to use if you want to test a Linux system that has never used SELinux and get an idea of any problems you may have. No system reboot is needed when swapping between permissive and enforcing modes.

  • Disabled: SELinux is completely turned off and nothing is logged at all. Swapping to disabled mode requires a system reboot, and switching from disabled mode to either permissive or enforcing mode also requires a reboot.

View Current SELinux Status

As mentioned, CentOS/RHEL uses SELinux in enforcing mode by default, and there are a few ways to check and confirm this. My favourites are the ‘getenforce’ and ‘sestatus’ commands.

[root@centos7 ~]# getenforce
Enforcing

[root@centos7 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

As shown above, both commands report that we are currently in enforcing mode.

Change SELinux Mode

There are also several ways to change the SELinux mode, with either runtime-only options or permanent settings that persist across reboots.

SELinux Runtime Configuration

One of the fastest ways to switch between enforcing and permissive modes is with the ‘setenforce’ command. We can use ‘setenforce 0’ to swap to permissive mode, or ‘setenforce 1’ to swap to enforcing mode.

[root@centos7 ~]# getenforce
Enforcing
[root@centos7 ~]# setenforce 0
[root@centos7 ~]# getenforce
Permissive
[root@centos7 ~]# setenforce 1
[root@centos7 ~]# getenforce
Enforcing

Note that this only changes the runtime setting; if you reboot the system, the option stored in the /etc/selinux/config file will be used at next boot. We cannot disable SELinux at runtime, as swapping to or from disabled mode requires a system reboot.

SELinux Persistent Configuration

We can edit the /etc/selinux/config text file with our persistent setting, either enforcing, permissive, or disabled. By default this file appears as shown below.

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

We can simply set the SELINUX variable to enforcing, permissive, or disabled, as outlined in the comments of the file. After editing the file the change is not applied immediately; it takes effect at the next system reboot.
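As an added example (not code from the original post), the POSIX shell helper below reads and rewrites the SELINUX= value in a file laid out like /etc/selinux/config, and classifies whether a given mode change can be done with setenforce or needs a reboot. The function names and the scratch copy of the config it operates on are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added helper, not part of the original post: read, rewrite and sanity-check
# the persistent SELINUX= setting in a file laid out like /etc/selinux/config.
# Every function takes the file path as an argument so it can be exercised on
# a scratch copy before being pointed at the real config.

# Print the active SELINUX= value, ignoring the commented examples in the file.
selinux_config_mode() {
    grep -E '^[[:space:]]*SELINUX=' "$1" | tail -n 1 | cut -d= -f2 | tr -d '[:space:]'
}

# Rewrite the SELINUX= line; refuse unknown modes and files without that line.
set_selinux_config_mode() {
    file=$1
    mode=$2
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "set_selinux_config_mode: invalid mode '$mode'" >&2; return 1 ;;
    esac
    grep -qE '^[[:space:]]*SELINUX=' "$file" || {
        echo "set_selinux_config_mode: no SELINUX= line in $file" >&2; return 1; }
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Classify a switch from mode $1 to mode $2: "none", "runtime" (setenforce is
# enough) or "reboot" (any change to or from disabled).
selinux_switch_kind() {
    if [ "$1" = "$2" ]; then echo none
    elif [ "$1" = disabled ] || [ "$2" = disabled ]; then echo reboot
    else echo runtime
    fi
}

# Constructed scratch copy of the stock CentOS 7 config used for the demo.
SELINUX_DEMO_CFG=$(mktemp)
cat > "$SELINUX_DEMO_CFG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

echo "config mode before: $(selinux_config_mode "$SELINUX_DEMO_CFG")"
set_selinux_config_mode "$SELINUX_DEMO_CFG" permissive
echo "config mode after:  $(selinux_config_mode "$SELINUX_DEMO_CFG")"
echo "enforcing -> permissive: $(selinux_switch_kind enforcing permissive)"
echo "permissive -> disabled:  $(selinux_switch_kind permissive disabled)"
```

Point the functions at /etc/selinux/config (as root) once you are happy with the scratch run; the commented example lines in the real file are skipped because only uncommented SELINUX= assignments are matched.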

Troubleshooting SELinux

So you have something that’s not working with SELinux in enforcing mode. Rather than setting SELinux to permissive or even disabled, we can troubleshoot and investigate the problem to fix it, which is better than turning the whole thing off. Turning SELinux off should be considered a last resort.

First install the setroubleshoot-server package with ‘yum’.

[root@centos7 ~]# yum install setroubleshoot-server -y

With this package we get the ‘sealert’ command, which helps us uncover problems and displays recommended ways of fixing them.

In this example I have created an index.html file in the /root directory, and then moved it to /var/www/html for Apache to serve out.

[root@centos7 ~]# vim index.html
[root@centos7 ~]# mv index.html /var/www/html/

However, when I try to view the index file in Firefox, the index.html page content does not display and I get the below error in the /var/log/messages file.

Aug 28 00:15:51 localhost setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l 284cb2c9-1c2e-4708-a48d-415123f558aa
Aug 28 00:15:51 localhost python: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html.#012#012*****  Plugin restorecon (99.5 confidence) suggests   ************************#012#012If you want to fix the label. #012/var/www/html/index.html default label should be httpd_sys_content_t.#012Then you can run restorecon.#012Do#012# /sbin/restorecon -v /var/www/html/index.html#012#012*****  Plugin catchall (1.49 confidence) suggests   **************************#012#012If you believe that httpd should be allowed getattr access on the index.html file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep httpd /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012

This is essentially saying that Apache is not able to access the index.html file as it has the incorrect SELinux context. The SELinux context of the file is shown below with the -Z option from ‘ls’.

[root@centos7 ~]# ls -laZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 .
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 ..
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 index.html

As this file was created in the /root directory, it has the SELinux context of ‘admin_home_t’, and by default Apache will only serve files with a context of ‘httpd_sys_content_t’. The logs suggest that this can be fixed by running the restorecon command, which resets the SELinux context of the file to its default for that path. Sure enough, after running it the page loads correctly.

[root@client ~]# restorecon -v /var/www/html/index.html
restorecon reset /var/www/html/index.html context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

Further information is also logged to the /var/log/audit/audit.log file; however, the content is not very human readable. This is where the ‘sealert’ command comes in handy.

[root@centos7 ~]# sealert -a /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label.
/var/www/html/index.html default label should be httpd_sys_content_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html

The -a option displays all alerts; sealert can also be used with -l to view a specific alert ID, such as the one provided in the /var/log/messages entry above. Again the recommendation here provides an exact command to run to fix the problem, easy! Hopefully you can start to see that with these techniques there’s usually no real reason to disable SELinux.
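As an added example (not code from the original post or from setroubleshoot), the shell helper below turns the raw AVC records in audit.log into one readable line per denial and counts repeats, which is useful for triage when sealert is not installed or when many denials arrive at once. The function names and the constructed sample log are assumptions; the sample records are modelled on the httpd denial discussed above.

```shell
#!/bin/sh
# Added helper, not part of the original post: print each AVC denial from an
# audit.log as one readable line (who was denied what, on which file, and the
# source/target SELinux types), then count repeats. Takes the log path as $1.

# Output per denial: mode comm tclass perms path source_type -> target_type
avc_summary() {
    awk '
    /type=AVC/ && /avc: +denied/ {
        mode = "denied"; perm = ""; comm = ""; path = "-"; tclass = ""; st = ""; tt = ""
        # the permissions sit between the braces, e.g. { read open }
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        gsub(/ /, ",", perm)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm") comm = kv[2]
            else if (kv[1] == "path" || kv[1] == "name") path = kv[2]
            else if (kv[1] == "tclass") tclass = kv[2]
            else if (kv[1] == "scontext") { split(kv[2], c, ":"); st = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
            else if (kv[1] == "permissive" && kv[2] == "1") mode = "logged-only"
        }
        gsub(/"/, "", comm); gsub(/"/, "", path)
        print mode, comm, tclass, perm, path, st, "->", tt
    }' "$1"
}

# Most frequent (comm, perms, target type) combinations first.
avc_counts() {
    avc_summary "$1" | awk '{ print $2, $4, $8 }' | sort | uniq -c | sort -rn
}

# Constructed sample audit.log modelled on the denial discussed above.
AVC_DEMO_LOG=$(mktemp)
cat > "$AVC_DEMO_LOG" <<'EOF'
type=AVC msg=audit(1440684951.123:456): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1440684951.123:456): arch=c000003e syscall=4 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1440684952.456:457): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1440684953.789:458): avc:  denied  { read open } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
EOF

avc_summary "$AVC_DEMO_LOG"
avc_counts "$AVC_DEMO_LOG"
```

Records with permissive=1 are reported as "logged-only": they were recorded in permissive mode and would have been blocked in enforcing mode, which is exactly what the permissive test run described earlier is for.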


Summary

As shown it’s pretty easy to change between SELinux modes either persistently or at run time only.

Rather than disabling SELinux, it is always recommended to leave it running in enforcing mode and fix individual issues rather than compromising the security of the entire system. This is fairly simple to do with the ‘sealert’ command, which comes from the setroubleshoot-server package.

  1. The setroubleshoot was consuming high CPU on my computer. I stopped it with “setenforce 0”, but I do not know what happened.

  2. Just tried to reproduce your example on a brand new CentOS 7 with selinux in default Enforcing mode. It’s weird, the context of the index.html I created at /root changed from “admin_home_t” to “httpd_sys_content_t” when moved to /var/www/html/. I viewed the new index.html on the web browser with no problem. When I moved the file back to /root it kept the “httpd_sys_content_t” context. I was the root user. Any idea?

  3. Thank you. I think SELinux is very extensive, thank you again.
