4 Effective Methods to Disable SELinux Temporarily or Permanently

by Ramesh Natarajan on June 1, 2009

On some Linux distributions SELinux is enabled by default, which may cause some unwanted issues if you don't understand how SELinux works and the fundamentals of configuring it. I strongly recommend that you understand SELinux and implement it in your environment. But until you understand the implementation details of SELinux, you may want to disable it to avoid some unnecessary issues.
 
To disable SELinux you can use any one of the 4 different methods mentioned in this article.

SELinux enforces security policies, including the mandatory access controls defined by the US Department of Defense, using the Linux Security Module (LSM) defined in the Linux kernel. Every file and process on the system is tagged with a specific label that SELinux uses. You can view those labels with ls -Z, as shown below.

# ls -Z /etc/
-rw-r--r--  root root  system_u:object_r:etc_t:s0       a2ps.cfg
-rw-r--r--  root root  system_u:object_r:adjtime_t:s0   adjtime
-rw-r--r--  root root  system_u:object_r:etc_aliases_t:s0 aliases
drwxr-x---  root root  system_u:object_r:auditd_etc_t:s0 audit
drwxr-xr-x  root root  system_u:object_r:etc_runtime_t:s0 blkid
drwxr-xr-x  root root  system_u:object_r:bluetooth_conf_t:s0 bluetooth
drwx------  root root  system_u:object_r:system_cron_spool_t:s0 cron.d
-rw-rw-r--  root disk  system_u:object_r:amanda_dumpdates_t:s0 dumpdates

Method 1: Disable SELinux Temporarily

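To disable SELinux temporarily you have to modify the /selinux/enforce file as shown below. Writing 0 to this file puts SELinux in permissive mode: the policy stays loaded and denials are logged, but nothing is blocked. Please note that this setting will be gone after the system is rebooted.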

# cat /selinux/enforce
1

# echo 0 > /selinux/enforce

# cat /selinux/enforce
0

 
You can also use the setenforce command as shown below to disable SELinux. Possible parameters to the setenforce command are: Enforcing, Permissive, 1 (enable) or 0 (disable).

# setenforce 0

Method 2: Disable SELinux Permanently

To disable SELinux permanently, modify /etc/selinux/config and set SELINUX=disabled as shown below. Once you make any changes to /etc/selinux/config, reboot the server for the changes to take effect.

# cat /etc/selinux/config
SELINUX=disabled
SELINUXTYPE=targeted
SETLOCALDEFS=0

 
Following are the possible values for the SELINUX variable in the /etc/selinux/config file:

  • enforcing - The security policy is always enforced
  • permissive - This just simulates the enforcing policy by only printing warning messages and not really enforcing the SELinux. This is good to first see how SELinux works and later figure out what policies should be enforced.
  • disabled - Completely disable SELinux

 
Following are the possible values for SELINUXTYPE variable in the /etc/selinux/config file. This indicates the type of policies that can be used for the SELinux.

  • targeted - This policy protects only specific targeted network daemons.
  • strict - This is for maximum SELinux protection.

Method 3: Disable SELinux from the Grub Boot Loader

If you can’t locate the /etc/selinux/config file on your system, you can disable SELinux by passing selinux=0 as a kernel parameter in the Grub Boot Loader configuration, as shown below.

# cat /boot/grub/grub.conf
default=0
timeout=5
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
hiddenmenu
title Enterprise Linux Enterprise Linux Server (2.6.18-92.el5PAE)
root (hd0,0)
kernel /boot/vmlinuz-2.6.18-92.el5PAE ro root=LABEL=/ rhgb quiet selinux=0
initrd /boot/initrd-2.6.18-92.el5PAE.img
title Enterprise Linux Enterprise Linux Server (2.6.18-92.el5)
root (hd0,0)
kernel /boot/vmlinuz-2.6.18-92.el5 ro root=LABEL=/ rhgb quiet selinux=0
initrd /boot/initrd-2.6.18-92.el5.img
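
A read-only check for which of Methods 1 to 3 has been applied on a host, added here as an example and not part of the original article: runtime_mode reads the enforce file from Method 1, and boot_mode combines the config file from Method 2 with the kernel arguments from Method 3. The function names, the precedence rule stated in the comments and the sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify SELinux state from files, without changing anything.

# Runtime mode (Method 1). $1 = selinuxfs mount point: /selinux on the
# page's systems, /sys/fs/selinux on newer ones.
runtime_mode() {
    if [ ! -r "$1/enforce" ]; then
        echo disabled        # selinuxfs absent (or wrong mount point given)
    elif [ "$(cat "$1/enforce")" = 1 ]; then
        echo enforcing
    else
        echo permissive      # the state left by "echo 0" or "setenforce 0"
    fi
}

# Mode after the next boot (Methods 2 and 3).
# $1 = config file, $2 = kernel arguments from the boot loader entry.
# Assumed precedence: selinux=0 or SELINUX=disabled wins, then enforcing=N
# on the kernel line (a kernel argument not shown on the page), then SELINUX=.
boot_mode() (
    set -f                   # do not glob-expand kernel arguments
    mode=$(sed -n 's/^[[:space:]]*SELINUX=\([A-Za-z]*\).*/\1/p' "$1" 2>/dev/null |
           tail -n 1 | tr '[:upper:]' '[:lower:]')
    mode=${mode:-unknown}    # no readable SELINUX= line
    off=0
    for arg in $2; do
        case $arg in
            selinux=0)   off=1 ;;
            selinux=1)   off=0 ;;
            enforcing=0) [ "$mode" = disabled ] || mode=permissive ;;
            enforcing=1) [ "$mode" = disabled ] || mode=enforcing ;;
        esac
    done
    if [ "$off" = 1 ]; then echo disabled; else echo "$mode"; fi
)

# Constructed sample: the config still says enforcing, but the kernel line
# carries selinux=0 (Method 3) and enforce was set to 0 (Method 1).
demo=$(mktemp -d)
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo/config"
echo 0 > "$demo/enforce"
echo "runtime:   $(runtime_mode "$demo")"
echo "next boot: $(boot_mode "$demo/config" 'ro root=LABEL=/ rhgb quiet selinux=0')"
rm -rf "$demo"
```

On a real host, pass the kernel line of the default boot entry to boot_mode; /proc/cmdline only shows the arguments of the boot that is currently running.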

Method 4: Disable Only a Specific Service in SELinux – HTTP/Apache

If you are not interested in disabling the whole of SELinux, you can also disable SELinux only for a specific service. For example, to disable SELinux for the HTTP/Apache service, modify the httpd_disable_trans variable in the /etc/selinux/targeted/booleans file.
 
Set the httpd_disable_trans variable to 1 as shown below.

# grep httpd /etc/selinux/targeted/booleans
httpd_builtin_scripting=1
httpd_disable_trans=1
httpd_enable_cgi=1
httpd_enable_homedirs=1
httpd_ssi_exec=1
httpd_tty_comm=0
httpd_unified=1

 
Set SELinux boolean value using setsebool command as shown below. Make sure to restart the HTTP service after this change.

# setsebool httpd_disable_trans 1
# service httpd restart


1 Jill June 1, 2009 at 5:39 pm

Thanks… I’ve been using Ubuntu, which is better, SELinux or AppArmor?

2 Ramesh Natarajan June 4, 2009 at 12:54 am

@Jill,
Both SELinux and AppArmor have their own advantages. Please refer to this comparison article that talks about SELinux vs AppArmor

3 hirak August 19, 2009 at 2:34 am

thank
thank you very much for this book
this book is very useful for me
thank you

4 ravi June 15, 2011 at 4:26 pm

this was very useful to understand selinux concept in brief.

5 Nahuel July 31, 2011 at 3:18 pm

I have problems with setsebool httpd_disable_trans 1
"Could not change active booleans: Invalid boolean"

6 noname June 4, 2012 at 12:55 pm

Not TRUE.

Method 1:
echo 0 > /selinux/enforce
actually switches SELinux to permissive mode.
check the output of the two following commands (RHEL/CentOS):
1) selinuxenabled; echo $? # 0 means selinux enabled, 1 – disabled
2) getenforce # will print one of Disabled|Enforcing|Permissive

Method 1:
setenforce 0
check ‘man setenforce’
this command will not disable SELinux, but switches it to permissive mode
Verified easily by selinuxenabled & getenforce

So, please let me know if you find a way to disable SELinux without reboot.

7 Jinx July 21, 2012 at 6:47 am

Please explain SELinux in detail.

8 Pradipta January 12, 2013 at 7:50 pm

Thank you. Now my doubt is cleared. :)

9 jh August 26, 2013 at 4:30 pm

This is a little out of date. /selinux/ doesn’t exist on most Fedora/RHEL based systems of today

10 amir August 29, 2013 at 7:21 am

this guide is only for RHEL, not linux….
