How to Enable and Disable SELinux
Security-Enhanced Linux (SELinux) is a security solution that is built right into the Linux kernel and is based on Mandatory Access Control (MAC). SELinux makes sure that the operating system's processes, files, directories, and network ports follow strict security rules. By doing this, it stops people from trying to get in without permission, makes sure that services only work within set security limits, and makes the system much less vulnerable to attacks.
SELinux is a useful extra layer of protection for enterprise servers and other high-security contexts. It is a strong defense against malware, unauthorized users, and services that could be used to hack into systems.
SELinux, however, is not always left enabled. Its strict rules can get in the way of operations, for example with legacy software that has compatibility problems, custom-built applications, or complicated system setups. In these rare cases, administrators may decide to turn off SELinux for a short time or operate it in permissive mode, where violations are logged but not stopped.
This guide will show you how to turn SELinux on and off, as well as how to make temporary modifications (that go back to normal after a reboot) and permanent changes (that stay the same after a reboot). You'll know how to pick the correct SELinux mode to keep your Linux system safe and introduce changes to the settings without any problems.
How to enable SELinux in CentOS?
If SELinux is currently disabled, there are two ways to enable it again: temporarily (changes revert after a reboot) or permanently (remains active on every startup). To keep security at a continuously high level, it is best to keep it permanently activated. If you wish to check for compatibility problems first, though, it's preferable to start with temporary activation.
Here are the steps to permanently turn SELinux on.
- Open the SELinux configuration file: This file determines which SELinux mode will be used when the system starts.
  sudo nano /etc/selinux/config
- Locate the line that defines the current state: Inside the file, you will see the line that specifies the SELinux mode.
  SELINUX=disabled
- Change the mode to Enforcing: This setting ensures that SELinux actively applies all of its security policies.
  SELINUX=enforcing
  You can set it to SELINUX=permissive if you wish to do compatibility checks. When this mode is activated, violations aren't stopped but are logged.
- Save and exit the file: You may use the following key sequence to save your changes in the nano editor: CTRL + O, Enter, CTRL + X
- Reboot the system: You need to restart the system for the changes to take effect.
  sudo reboot
  Warning: Before restarting, make sure to save all open files and processes. If you don't, you could lose data that hasn't been saved.
- Verify the status: You can check the SELinux status after the reboot by using one of the following commands:
  sestatus
  or
  getenforce
  getenforce simply indicates the current operating mode, whereas sestatus gives more information, including the policy type, active status, and so on.
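The config-file edit from the steps above, done non-interactively, as an added example that is not part of the original guide. The function name set_selinux_mode and the .bak backup file are assumptions of this example; it accepts any of the three modes, leaves SELINUXTYPE= and comment lines untouched, and the change still needs the reboot described above.

```shell
#!/bin/sh
# Added example (not from the original guide): set the boot-time SELinux mode.
# Usage: set_selinux_mode MODE [CONFIG]   CONFIG defaults to /etc/selinux/config
# Returns 0 on success, 1 on file errors, 2 on an invalid mode.

set_selinux_mode() {
    mode=$1
    cfg=${2:-/etc/selinux/config}

    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode" >&2; return 2 ;;
    esac
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }

    # Value of the first active SELINUX= line. SELINUXTYPE= and commented
    # lines do not match this pattern.
    old=$(sed -n 's/^[[:space:]]*SELINUX=\([[:alnum:]]*\).*/\1/p' "$cfg" | head -n 1)
    if [ "$old" = "$mode" ]; then
        return 0                          # already set, leave the file alone
    fi

    cp -p "$cfg" "$cfg.bak" || return 1   # copy to roll back to
    tmp=$(mktemp) || return 1
    if grep -q '^[[:space:]]*SELINUX=' "$cfg"; then
        sed 's/^[[:space:]]*SELINUX=.*/SELINUX='"$mode"'/' "$cfg" > "$tmp"
    else
        { cat "$cfg"; echo "SELINUX=$mode"; } > "$tmp"
    fi
    # Write back in place so the file keeps its owner, permissions and label.
    cat "$tmp" > "$cfg" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"

    if [ "$old" = disabled ] && [ "$mode" = enforcing ]; then
        echo "note: files created while SELinux was disabled carry no label;" \
             "consider one boot in permissive mode with a relabel first" >&2
    fi
    echo "SELINUX: ${old:-unset} -> $mode (takes effect after reboot)"
}

# Demo on a constructed copy, never the live file.
demo=$(mktemp)
printf '# constructed sample\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$demo"
set_selinux_mode permissive "$demo" && grep '^SELINUX' "$demo"
rm -f "$demo" "$demo.bak"
```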
Why Disable SELinux?
You shouldn't always turn off SELinux.
SELinux can control who can access processes, files, and network resources with a lot of detail since it has a Mandatory Access Control (MAC) system built into the Linux kernel. This is a big plus when it comes to security. But there are several scenarios listed below when you might need to turn off SELinux.
- Problems with compatibility with older or custom-built software: Some apps might not work well with SELinux policies and might keep getting denied access.
- Fixing complicated settings: SELinux policies can provide extra limitations that could make normal service operation harder. In some situations, turning off SELinux for a short time can help with troubleshooting.
- Conflicts with strict security rules: SELinux's "enforcing" mode has severe requirements that may stop some services from working properly.
- Environments for testing or temporary use: In development or testing settings, speed and flexibility may be more important than rigorous security; hence, it makes sense to turn off SELinux for a short time.
Disabling SELinux takes away security measures at the kernel level. This makes the system more vulnerable to attacks and makes it more likely that someone will get in without permission.
You may run SELinux in permissive mode instead of turning it off completely. When you set SELinux to permissive mode, it doesn't prohibit violations; instead, it logs them so you may resolve problems without entirely removing SELinux protection.
Disabling SELinux completely in production scenarios can leave your system open to major security risks. You should only make this choice after talking to your security or development team.
The key difference between permissive mode and disabled state is how security policies are handled.
In Permissive Mode, SELinux policies are looked at but not enforced. Actions that would normally break the rules are not stopped; they are only logged. The goal of permissive mode is to find out what SELinux would have blocked without actually stopping the system from working. Permissive mode is great for fixing bugs, trying out new apps, or making changes to make things work better.
In Disabled (Fully Off), the SELinux kernel modules aren't loaded, and all security policies are off. SELinux doesn't start up when the system boots. There are no violation records, so SELinux can't be used to keep track of security. Disabled mode of SELinux is not a good idea for production systems, as it completely eliminates protections at the kernel level.
The table below summarizes the differences between the two modes:
Feature | Permissive Mode | Disabled (Off) |
---|---|---|
Policies are checked | ✔ | X |
Violations are blocked | X | X |
Violations are logged | ✔ | X |
Kernel modules are loaded | ✔ | X |
Security level | Medium | None |
Recommended usage | Testing / Debug | Exceptional cases only |
Permissive mode is a great way to evaluate how SELinux policies affect your system. It lets you collect logs without getting in the way of service. But since violations aren't blocked in permissive mode, attackers could take advantage of this gap. So, keeping the system in this state for a long time makes it less safe.
In Disabled mode, SELinux is totally switched off, meaning potential attacks can flow through without encountering any kernel-level security filters. This is very risky, especially for servers that are connected to the internet.
How to Disable SELinux in CentOS 7
When you turn off SELinux in CentOS 7, the SELinux kernel modules won't load when the system starts up. This operation turns off all of SELinux's security measures and rules.
Disabling SELinux completely takes away security features at the kernel level, which might make systems very vulnerable to attacks. Only use it in production environments when you really need to. To disable SELinux in CentOS, you may follow these steps.
- Open the SELinux configuration file: This file determines which SELinux mode will be used when the system starts.
  sudo nano /etc/selinux/config
- Locate the line that defines the current mode: It will usually look like below.
  SELINUX=enforcing
- Change the mode to disabled: Edit the line as follows.
  SELINUX=disabled
  If you turn off SELinux kernel modules, they won't load when the system starts up, and all security features, including logging, will be turned off. If you just want to lift restrictions, permissive mode is a safer choice.
- Save and exit the file: In the Nano editor, save your changes by pressing the following keys: CTRL + O, Enter, CTRL + X
- Reboot the system: Reboot the system for the changes to take effect:
  sudo reboot
- Verify the status: After the reboot, confirm that SELinux is disabled by running the next command.
  getenforce
  or
  sestatus
  getenforce simply shows the current mode, whereas sestatus gives you more information. For instance, it will reveal the type of policy and whether SELinux is on. This makes sestatus the best choice for thorough checks.
How to Disable SELinux in CentOS 8
The method for disabling SELinux in CentOS 8 is exactly the same as in CentOS 7. You simply edit the /etc/selinux/config file and restart the system.
- Open the SELinux configuration file
  sudo nano /etc/selinux/config
- Set SELinux mode to disabled. Find the SELINUX=enforcing line in the file and change it to SELINUX=disabled. If you set it to disabled, SELinux modules won't load when the system starts up. SELinux won't log events or enforce security restrictions in this mode.
- Save and exit the file
- Reboot the system.
- Check the status by running getenforce or sestatus
How to Disable SELinux in RHEL 7?
SELinux is turned on by default in RHEL 7 to make it more secure. You can turn it off by modifying its configuration file if you need to, either to resolve a problem or to run software that doesn't work with it.
- Open the terminal and edit the /etc/selinux/config file.
- Find the line that starts with SELINUX= and change the value to SELINUX=disabled.
- Save and exit the editor.
- Reboot the server to apply the changes.
- After reboot, confirm the new status using sestatus. If it shows disabled, the configuration was successful.
How to Disable SELinux in RHEL 8?
RHEL 8 takes a similar approach to RHEL 7 but incorporates some new system tools. To turn off SELinux in RHEL 8, you may follow the next steps.
- Edit the SELinux configuration file /etc/selinux/config.
- Change the mode by setting SELINUX=disabled.
- Save your changes and close the editor.
- Restart the system to apply the new settings by running sudo systemctl reboot.
- Once the system is up again, verify the status with getenforce. If the settings worked, it should say "Disabled."
How to Disable SELinux in RHEL 9?
To turn off SELinux in RHEL 9, you still have to update the /etc/selinux/config file, just like you did in RHEL 7 and 8. This change is permanent, and every time the system starts up, SELinux will stay off.
- Open the SELinux configuration file /etc/selinux/config.
- Set SELinux mode to disabled. Find the SELINUX=enforcing line in the file and change it to SELINUX=disabled. If you turn off SELinux kernel modules, they won't load, security policies won't be enforced, and violations won't be logged. Think about utilizing permissive mode instead, which is safer.
- Save and exit the file.
- Reboot the system.
- Check SELinux status by running getenforce or sestatus. getenforce simply reveals the current mode, but sestatus will tell you if SELinux is on, what kind of policy is in use, and what's in the configuration file.
How to Disable SELinux in Fedora
The way to turn off SELinux in Fedora is the same as in RHEL and CentOS. To do this, you need to change the /etc/selinux/config file and then restart the computer.
When you turn off SELinux, you lose all of the kernel-level security protections that Fedora gives you. This is especially risky for systems that are linked to the internet.
- Open the SELinux configuration file /etc/selinux/config.
- Disable SELinux mode. Find and change the SELINUX=enforcing line to SELINUX=disabled. When the disabled setting is on, SELinux kernel modules can't load when the system starts up. This mode does not allow logging or the enforcement of security restrictions.
- Save and exit the file.
- Reboot the system.
- Check SELinux status by running getenforce or sestatus.
How to Disable SELinux in Rocky Linux
The methods to turn off SELinux in Rocky Linux are the same as in RHEL because Rocky Linux is based on RHEL. You just need to change the /etc/selinux/config file and then restart the computer.
- Open the SELinux configuration file /etc/selinux/config.
- Disable SELinux mode. Find and change the SELINUX=enforcing line to SELINUX=disabled. When the disabled setting is on, SELinux kernel modules can't load when the system starts up. This mode does not allow logging or the enforcement of security restrictions.
- Save and exit the file.
- Reboot the system.
- Check SELinux status by running getenforce or sestatus.
What are the Different SELinux Modes?
SELinux has three separate operating modes that decide how safe the system is. These modes tell you how to use policies and how to do security checks. SELinux modes are outlined below.
- Enforcing Mode: Enforcing mode is best for production systems that care about security. This is the safest choice if you are utilizing software and services that work with SELinux. Enforcing mode has the following features.
  • SELinux policies are enforced all the time.
  • Actions that are not allowed or go against policy are blocked.
  • Violations are recorded.
  • Gives the best level of safety.
- Permissive Mode: Permissive mode is excellent for testing and fixing problems. But if you leave the system in permissive mode for a long time, it becomes less secure because violations are not stopped. Permissive mode has the following features.
  • Policies for SELinux are checked but not enforced.
  • Violations are not stopped, but they are recorded.
  • Shows you what SELinux would block without getting in the way of service execution.
- Disabled Mode: Only use disabled mode for old systems or important apps that don't work with SELinux. Because of security risks, it is not a good idea to use it in production situations. Disabled mode has the following features.
  • SELinux is switched off fully.
  • No logging happens, and kernel modules are not loaded.
  • SELinux doesn't start when the machine boots up.
Is It Safe to Disable SELinux on a Production Server?
No, it's not safe to turn off SELinux in a production system unless there is a very good operational reason to do so.
SELinux limits what system programs and users may do with files, networks, and resources by using multi-layered policies and its Mandatory Access Control (MAC) mechanism at the kernel level. Disabling it takes away one of the most important layers of protection for your machine.
Disabling SELinux has the following risks.
- It becomes more likely that someone will get in without permission.
- It's easier for malware or security holes to be exploited.
- Security audit logs might not work as well or not at all.
Alternative: Instead of turning it off completely, adjust SELinux settings to enable only the operations that are needed. This will keep the system working and secure.
If you turn off SELinux in production, it may be easier for hackers to get into your system. You should only make this choice if there is no other way to solve the problem, and even then, only for a short time.
Writing a bespoke SELinux policy for a service that is generating problems or changing an existing policy is frequently a safer and more permanent fix.
If you have to turn off SELinux for a short time, permissive mode is safer. This mode keeps track of violations without stopping them, which makes it easier to find problems.
How Do You Check If SELinux is Enabled or Disabled?
You can use the getenforce and sestatus commands to find out what mode SELinux is running in.
- getenforce: This command instantly reveals what mode SELinux is in right now. The output could be one of these:
  - Enforcing: Policies are followed, and violations are stopped.
  - Permissive: Policies aren't enforced, but transgressions are noted.
  - Disabled: SELinux is turned off fully.
  getenforce
  getenforce is great for rapid checks because it gives you the mode in only one line.
- sestatus: This command gives you further information about SELinux.
  - Status of activity (enabled or disabled)
  - Mode right now (enforcing, permissive, or disabled)
  - The type of policy in use
  - Path to the configuration file
getenforce simply reveals the current mode, but sestatus shows both the mode and further information, such as the type of policy. sestatus is better for further analysis.
Can You Temporarily Disable SELinux Without Rebooting?
Yes, you can turn off SELinux for a short time without restarting the computer. The setenforce command is used to do this, and the change only affects the current session. SELinux will go back to the setting in /etc/selinux/config after a reboot.
The command below places SELinux into permissive mode, which means that violations are not stopped but are logged.
sudo setenforce 0
To return SELinux to enforcing mode run the following command.
sudo setenforce 1
This method is incredibly helpful when you're trying to fix anything because it lets you test services that are affected by SELinux policies without having to turn it off completely.
After a reboot, temporary changes go back to how they were. You need to edit /etc/selinux/config to make a modification that will last.
Running in permissive mode means that infractions are not prohibited, which raises security threats if the mode is used for a long time.
Can You Permanently Disable SELinux on Linux?
Yes, you can turn off SELinux for good. You need to change /etc/selinux/config, which the system reads when it starts up. This approach makes sure that SELinux is always off when the system starts.
- Open the SELinux configuration file /etc/selinux/config.
- Set SELinux mode to disabled. Find the SELINUX=enforcing line in the file and change it to SELINUX=disabled.
- Save and exit the file.
- Reboot the system.
- Check SELinux status by running getenforce or sestatus.
What is the Difference Between setenforce 0 and Editing the SELinux Config File?
Using the setenforce command or modifying the /etc/selinux/config file are two typical approaches to change SELinux mode. These methods are very different from one another.
- setenforce Command - Temporary Change
  Lets you switch between modes (Enforcing ↔ Permissive) right away. After a reboot, changes are gone. Use case: testing, fixing problems, or making temporary changes to make things work together.
  sudo setenforce 0 # Enforcing → Permissive
  sudo setenforce 1 # Permissive → Enforcing
  You can change modes using the setenforce command without halting services.
- /etc/selinux/config File – Permanent Change
  Every time you restart, the changes take effect. You can set the mode to enforcing, permissive, or disabled. Use case: Setting up SELinux for the long term.
  sudo nano /etc/selinux/config
  SELINUX=permissive
  You need to restart the system for permanent modifications to take effect.
Feature | setenforce | /etc/selinux/config |
---|---|---|
Duration | Temporary (reverts after reboot) | Permanent (persists after reboot) |
Application | Immediate | After reboot |
Use case | Testing, temporary adjustments | Permanent policy setting |
Required steps | Run a command | Edit file + reboot |
Table 1. Setenforce vs /etc/selinux/config
You can't use setenforce alone to make a temporary mode change permanent. You need to edit /etc/selinux/config.
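Because setenforce and the config file can disagree until the next reboot, a host audit can compare the two. The check below is an added example, not part of the original guide; the names selinux_drift and _mode_rank and the verdict strings are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original guide): compare the running SELinux
# mode with the boot-time setting in the config file.
# Usage: selinux_drift CONFIG RUNTIME_MODE
# Prints a one-line verdict; returns 0 = in sync, 1 = drift, 2 = cannot tell.

_mode_rank() {   # higher number = stricter mode, 0 = not a valid mode
    case $1 in
        enforcing)  echo 3 ;;
        permissive) echo 2 ;;
        disabled)   echo 1 ;;
        *)          echo 0 ;;
    esac
}

selinux_drift() {
    cfg=$1
    # getenforce prints "Enforcing"; the config file uses "enforcing".
    run=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    boot=$(sed -n 's/^[[:space:]]*SELINUX=\([[:alnum:]]*\).*/\1/p' "$cfg" 2>/dev/null |
           head -n 1 | tr '[:upper:]' '[:lower:]')
    r=$(_mode_rank "$run")
    b=$(_mode_rank "$boot")

    if [ "$r" -eq 0 ] || [ "$b" -eq 0 ]; then
        echo "unknown: runtime='$run' config='$boot'"
        return 2
    elif [ "$r" -eq "$b" ]; then
        echo "in-sync: $run"
        return 0
    elif [ "$r" -lt "$b" ]; then
        # e.g. setenforce 0 left in place: denials are not blocked right now.
        echo "runtime-weaker: running $run, config says $boot (reverts at reboot)"
        return 1
    else
        # e.g. setenforce 1 without editing the file: lost again at reboot.
        echo "runtime-stronger: running $run, config says $boot (weakens at reboot)"
        return 1
    fi
}

# Demo on a constructed config file. On a real host:
#   selinux_drift /etc/selinux/config "$(getenforce)"
demo_cfg=$(mktemp)
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo_cfg"
selinux_drift "$demo_cfg" Permissive || true
rm -f "$demo_cfg"
```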
How to Use the getenforce, setenforce, and sestatus Commands?
The three commands that people use the most to control SELinux are getenforce, setenforce, and sestatus. You can use these commands to check SELinux's current status, switch between modes, and see full configuration information.
- getenforce – Check the Current Mode
  The getenforce command shows the current SELinux mode in one line.
  getenforce
  Possible results are as follows.
  - Enforcing → Policies are followed, and transgressions are stopped.
  - Permissive → Policies aren't enforced, although transgressions are recorded.
  - Disabled → SELinux is entirely disabled.
  For quick inspections, getenforce is the most useful command.
- setenforce – Change Modes
  The setenforce command changes the SELinux mode right away.
  sudo setenforce 0 # From enforcing to permissive
  sudo setenforce 1 # From permissive to enforcing
  Changes made using setenforce don't last. SELinux goes back to the mode set in /etc/selinux/config when the system restarts.
- sestatus – View Detailed SELinux Status
  The sestatus command shows information like SELinux's active status, current mode, policy type, and the location of the configuration file.
  sestatus
  Things you might see in the output:
  • Status of SELinux (on or off)
  • The current mode (enforcing, permissive, or disabled)
  • Mode from the config file
  • Type of policy (for example, targeted or mls)
getenforce alone may not be enough for a full examination. Use sestatus in these situations.
How to Set SELinux to Permissive Mode
When SELinux is in permissive mode, policies aren't enforced, but all infractions are reported. This mode lets you examine where policies would have been implemented without affecting how the system works. This makes it very useful for testing and fixing problems.
Temporarily Switching to Permissive Mode (Reverts After Reboot): With the command below, you may quickly switch SELinux to Permissive mode:
sudo setenforce 0
Temporary modifications happen right away and don't require services to be restarted. This makes them great for doing rapid tests on live systems.
Permanently Setting Permissive Mode: To make sure SELinux stays in permissive mode every time you reboot, change /etc/selinux/config by setting SELINUX=permissive and then rebooting the device.
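To see what permissive mode recorded, the denial records in the audit log can be grouped by process and target. The summarizer below is an added example, not part of the original guide; the function names and the log lines are constructed for illustration, and /var/log/audit/audit.log is assumed to be where auditd writes on the host.

```shell
#!/bin/sh
# Added example (not from the original guide): summarize SELinux AVC denials.
# Output columns: COUNT VERDICT COMM SOURCE_TYPE PERMS TARGET_TYPE:CLASS
# VERDICT is "logged-only" when the record carries permissive=1 (the action
# went ahead) and "blocked" when it carries permissive=0.

# Constructed sample records in auditd's log format (not from a real host).
sample_avc_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1412 comm="httpd" name="index.html" dev="dm-0" ino=5301 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 comm="httpd"
type=AVC msg=audit(1700000003.417:202): avc:  denied  { read } for  pid=1413 comm="httpd" name="logo.png" dev="dm-0" ino=5302 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000009.220:207): avc:  denied  { name_bind } for  pid=1502 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# Reads audit records from the named files, or from stdin when none are given.
summarize_avc() {
    awk '
    # Return the value of a key=value field on the current line, unquoted.
    function val(name,   i, v) {
        for (i = 1; i <= NF; i++)
            if (index($i, name "=") == 1) {
                v = substr($i, length(name) + 2)
                gsub(/"/, "", v)
                return v
            }
        return "?"
    }
    # The SELinux type is the third field of user:role:type:level.
    function setype(ctx,   p) { split(ctx, p, ":"); return p[3] }

    /avc:/ && / denied / {
        a = index($0, "{"); b = index($0, "}")
        perms = substr($0, a + 2, b - a - 3)      # text between "{ " and " }"
        gsub(/ /, ",", perms)
        verdict = (val("permissive") == "1") ? "logged-only" : "blocked"
        sig = verdict " " val("comm") " " setype(val("scontext")) " " perms \
              " " setype(val("tcontext")) ":" val("tclass")
        n[sig]++
    }
    END { for (s in n) print n[s], s }
    ' "$@" | sort -k1,1nr -k2
}

# Demo on the constructed records. On a real host:
#   sudo sh -c '. ./avc-summary.sh; summarize_avc /var/log/audit/audit.log'
sample_avc_log | summarize_avc
```

Each "logged-only" row is an action that enforcing mode would have stopped, which makes the list a starting point for the policy adjustments to make before switching back.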
How to Revert SELinux Back to Enforcing Mode After Disabling?
Putting SELinux back into enforcing mode turns on security policies again, which protects the system at the kernel level and stops others from trying to get in without permission.
- Permanently Switching to Enforcing Mode
  To permanently switch to enforcing mode, you may change /etc/selinux/config by setting SELINUX=enforcing and then reboot the device.
- Temporarily Switching to Enforcing Mode (Reverts After Reboot)
  To temporarily switch to enforcing mode, you may run the following command.
  sudo setenforce 1
  Temporary changes revert after a restart. To make it permanent, edit /etc/selinux/config.
After going back to enforcing mode, some apps or services might not work well. You might have to make your own SELinux policies for those services in these situations.
What is the Role of the SELinux Config File?
The main configuration file that sets SELinux's permanent working mode is /etc/selinux/config. This file tells SELinux what mode to start in (Enforcing, Permissive, or Disabled) and what security policy to use.
The main functions of the SELinux config file are listed below.
- Choose the operating mode: SELINUX=enforcing, SELINUX=permissive, or SELINUX=disabled.
- Choose the policy type: SELINUXTYPE=targeted (default) or SELINUXTYPE=mls.
- Take care of permanent settings: Changes made here stay even after a reboot, unlike setenforce.
Does OPNsense Use SELinux?
No, SELinux is not used by OPNsense. OPNsense is a security and networking operating system based on FreeBSD, while SELinux is a Linux-specific Mandatory Access Control (MAC) security module. OPNsense doesn't use SELinux due to the following reasons.
• The FreeBSD kernel, which OPNsense operates on, does not have SELinux.
• The MAC Framework is built into FreeBSD.
• Other ways to control access in FreeBSD include:
  • mac_bsdextended: Extended access control lists.
  • mac_policy: Personalized access control rules.
You can get SELinux-like access control on OPNsense by turning on FreeBSD's mac_bsdextended module and setting up your pf firewall rules in detail. Expecting it to work in the same way as SELinux is not realistic. OPNsense security is built primarily on firewall rules, system hardening, and service isolation. Security is managed in OPNsense with the help of the pf (Packet Filter) firewall, jails and sandboxing, and security plugins such as IDS/IPS, VPN, proxy, and Zenarmor.
FreeBSD's MAC Framework and SELinux's security paradigm are not the same. When setting up security on OPNsense, use tools and procedures that are specific to FreeBSD.