How to Enable/Disable SELinux Modes in CentOS?

SELinux (Security-Enhanced Linux) is a security module that is implemented in most modern Linux distributions, including CentOS. It provides an additional layer of security by restricting the access of processes and users to system resources. SELinux works in two modes: enforcing and permissive.

This article will illustrate the step-by-step procedure to enable/disable SELinux modes in CentOS.

  • How to Enable/Disable SELinux Modes in CentOS?
  • Check SELinux Status
  • Open the SELinux Configuration File
  • Enable or Disable SELinux Modes (Permanent)
  • Enable or Disable SELinux Modes (Temporary)
  • Reboot the System
  • Verify the Current Status

How to Enable/Disable SELinux Modes in CentOS?

In enforcing mode, SELinux enforces security policies and logs any violation attempts. In permissive mode, SELinux does not enforce security policies but instead logs any violation attempts, which can help system administrators to determine which policies need to be adjusted.

To enable or disable SELinux modes in CentOS, you can follow the steps below:

Step 1: Check SELinux Status

Users can check whether SELinux is currently enabled or disabled by running the following command:

# sestatus

The output of this command displays the SELinux status is “enabled,” mode “enforcing,” and policy information.

Step 2: Open the SELinux Configuration File

To enable or disable SELinux, users must modify the SELinux configuration file. The SELinux configuration file is located at “/etc/selinux/config.” To edit this file, use any text editor such as nano or vi. For instance, open the file using nano via the following command:

# nano /etc/selinux/config

It navigates to the “config” configuration file.

Step 3: Enable or Disable SELinux Modes (Permanent)

To change the SELinux mode, users need to modify the SELINUX parameter in the SELinux configuration file. This parameter has three possible values:

  • enforcing: This value sets SELinux to enforcing mode.
  • permissive: This value sets SELinux to permissive mode.
  • disabled: This value disables SELinux.

To set SELinux to enforcing mode, change the SELINUX parameter to “enforcing.” To set SELinux to permissive mode, change the SELINUX parameter to “permissive.” To disable SELinux, change the SELINUX parameter to “disabled.” By default, the parameter has an “enforcing” value.

Here’s an example of the SELinux configuration file and set the “disabled” mode as shown below figure:

Save and Exit the “config” configuration file.

Optional: Enable or Disable SELinux Modes (Temporary)

If SELinux is currently set to “Disabled”, enter the following command to switch it to “Enforcing”:

# setenforce 1
# getenforce

It temporarily enables SELinux until the next system reboot. The “getenforce” command confirms the existing status of SELinux mode:

If SELinux is currently set to “Enforcing” or “Permissive”, enter the following command to switch it to “Disabled”:

# setenforce 0
# getenforce

The above command temporarily disables SELinux until the next system reboots.

Step 4: Reboot the System 

After making changes to the SELinux configuration file, reboot the system via the below command:

# reboot

This command restarts the system and applies the changes.

Step 5: Verify the Current Status

To confirm the current status of SELinux modes in CentOS, use the “sestatus” command in the CentOS terminal:

# sestatus

The output shows the current status of SELinux is “disabled” in the terminal.

Conclusion

To enable/disable SELinux modes in CentOS, assign the “enforcing” or “disabled” value to the SELINUX parameter in the SELinux configuration file. This file is located in the  “/etc/selinux” directory with the name of the “config.” Users can also execute the “setenforce” command with the “1” option to enable or “0” to disable the SELinux mode.

This article has described the step-by-step procedure to enable or disable SELinux modes in CentOS.