How to Enable / Disable SELinux

SELinux, or Security-Enhanced Linux, is a security framework developed to enhance the security of Linux-based operating systems. It closely monitors and controls access to various parts of the system, such as files, processes, and network resources.

TL;DR

  • SELinux is a Linux kernel security module enforcing mandatory access control — the layer below regular file permissions.
  • Three modes: Enforcing (default on RHEL/Rocky/Alma), Permissive (logs only), Disabled.
  • Check with getenforce; change runtime with setenforce 0|1; persist in /etc/selinux/config.
  • Don’t disable SELinux “because something doesn’t work” — switch to Permissive, fix the labels, switch back. Disabling means full reboot to re-enable.

What is enabling and disabling SELinux?

SELinux (Security-Enhanced Linux) is a kernel module originally developed by the NSA that adds mandatory access control on top of standard Unix discretionary access control. Regular file permissions ask “who owns this and what can they do?”; SELinux asks “what role can this process play, and what context can it touch?”

RHEL-family distributions (RHEL, Rocky, AlmaLinux, CentOS) ship with SELinux enabled in Enforcing mode. This is the right default for production. The common mistake is to disable it the moment something breaks; the right move is to switch to Permissive temporarily, capture the AVC denials, fix the labels, and re-enable Enforcing.

Prerequisites

  • RHEL-family Linux distribution (RHEL, Rocky, AlmaLinux, CentOS).
  • Root or sudo access.
  • Awareness that disabling and re-enabling SELinux requires a reboot for relabelling.

How to use this guide

The sections below walk through the practical commands and options. After the main content you’ll find a Verification block (to sanity-check that the change actually worked) and a Troubleshooting block (common error messages and what to do).

Key Takeaways

Here’s a quick summary of the commands you need to manage SELinux:

  • Check Current Status: getenforce
  • Temporarily Enable (Enforcing): setenforce 1
  • Temporarily Disable (Permissive): setenforce 0
  • Permanently Change State: Edit the /etc/selinux/config file and reboot.

SELinux implements a Mandatory Access Control model. This means it enforces strict rules defined by system administrators or policies, limiting what each program or user can do, even if they have certain permissions.

What is SELinux?

SELinux, or Security-Enhanced Linux, is a security framework integrated into the Linux kernel. It provides a flexible Mandatory Access Control (MAC) system that goes beyond standard user/group permissions. Instead of just controlling who can access a file, SELinux policies define exactly how processes and users can interact with all parts of the system (files, devices, processes, network ports), significantly reducing the blast radius of a potential security breach.

To disable SELinux, set SELINUX=disabled in /etc/selinux/config and reboot. To check the current status, run sestatus. For a temporary disable without rebooting: sudo setenforce 0

Step-by-Step Procedure to Enable / Disable SELinux

If you run a Linux distribution where SELinux is not enabled by default, such as Debian or Ubuntu, you can install the SELinux userspace tools from the policycoreutils package.

Bash
sudo apt install policycoreutils

Step 1 – Check Status:

To determine the current status of SELinux, run:

Bash
getenforce

The getenforce command will return one of three responses:

  • Enforcing:
    This indicates that SELinux is currently active and enforcing its security policy. In this mode, SELinux restricts access based on the defined rules, potentially preventing unauthorized actions.
  • Permissive:
    This means that SELinux is running, but it’s not actively enforcing the policy. Instead, it’s logging any actions that would have been denied if it were in enforcing mode.
  • Disabled:
    This means that SELinux has already been disabled on your system and no SELinux policy is loaded.

Step 2 – Temporary Disable

To temporarily disable SELinux enforcement without rebooting the system:

Bash
setenforce 0

This command sets SELinux to permissive mode. It means that SELinux policies are not actively enforced. Instead, any actions that would normally be denied in enforcing mode are simply logged. To check the status, use the getenforce command again.

Step 3 – Temporary Enable

Bash
setenforce 1

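This command switches SELinux back to enforcing mode, in which it actively blocks any actions that violate the defined rules. It only works when SELinux is already running in permissive mode; if SELinux is Disabled, change the configuration file and reboot as described in Step 4. To check the status, use the getenforce command again.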

Step 4 – Permanently Enable / Disable

To permanently disable SELinux, you’ll need to edit the SELinux configuration file. Open the file /etc/selinux/config using a text editor like nano or vi:

Bash
nano /etc/selinux/config

Set the SELINUX= line to SELINUX=disabled, save the file and reboot. To permanently enable SELinux, follow the same steps as above but change SELINUX=disabled to SELINUX=enforcing in the /etc/selinux/config file.

Example file contents:

Bash
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# default - equivalent to the old strict and targeted policies
# mls     - Multi-Level Security (for military and educational use)
# src     - Custom policy built from source
SELINUXTYPE=default

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

Caution:
Disabling SELinux may expose your system to potential security risks. Only disable it if you have specific reasons and understand the implications.

Remember, while SELinux can be disabled or enabled, it’s a powerful security feature designed to protect your system. It’s recommended to understand how it works and adjust its policies rather than completely turning it off.

Always take caution and create backups before making system-level changes to ensure you can revert if needed.
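
The persistent change from Step 4 can be scripted with a backup and a check that the running mode matches the configured one. This is an added example, not part of the original guide; the function names are hypothetical and the demo runs against a constructed temporary file rather than /etc/selinux/config.

```bash
#!/bin/sh
# Added example; helper names are hypothetical, not from the original guide.

# Print the persisted mode: the SELINUX= value, not SELINUXTYPE= or comments.
configured_mode() {
    awk -F= '/^[ \t]*SELINUX=/ { m = tolower($2); gsub(/[ \t\r]/, "", m) }
             END { if (m == "") exit 1; print m }' "$1"
}

# Rewrite the SELINUX= line after validating the mode and saving a .bak copy.
set_configured_mode() {
    case "$2" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $2" >&2; return 2 ;;
    esac
    configured_mode "$1" >/dev/null || { echo "no SELINUX= line in $1" >&2; return 3; }
    cp -p "$1" "$1.bak" || return 1
    # Redirect into the existing file so its owner, mode and label are kept.
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$2/" "$1.bak" > "$1"
}

# Compare the runtime mode (getenforce output) with the persisted one.
# Returns 0 when they agree, 1 on drift: someone ran setenforce, or a
# config edit is still waiting for a reboot.
check_mode_drift() {
    runtime=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    persisted=$(configured_mode "$1") || return 3
    [ "$runtime" = "$persisted" ] && { echo "ok: $persisted"; return 0; }
    echo "drift: runtime=$runtime config=$persisted"
    return 1
}

# Demo on a constructed copy. On a real host, as root:
#   set_configured_mode /etc/selinux/config enforcing
#   check_mode_drift /etc/selinux/config "$(getenforce)"
demo=$(mktemp)
printf '# constructed sample\nSELINUX=permissive\nSELINUXTYPE=default\n' > "$demo"
check_mode_drift "$demo" Permissive
set_configured_mode "$demo" enforcing
check_mode_drift "$demo" Permissive || true
rm -f "$demo" "$demo.bak"
```

A drift result on a production host is worth alerting on: it means the mode seen by getenforce will change at the next reboot, or that enforcement was switched off at runtime.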

Want to know more?

Which Distro is SELinux Enabled by Default?

Red Hat Enterprise Linux (RHEL):
SELinux is typically enabled by default in RHEL distributions. Red Hat values security and integrates SELinux as a core component to enhance system security by enforcing mandatory access controls.

CentOS:
Being closely related to RHEL, CentOS also often has SELinux enabled by default for the same reasons as RHEL. It follows a similar security-focused approach.

Fedora:
Fedora is a bleeding-edge Linux distribution sponsored by Red Hat. It generally ships with SELinux enabled by default, aligning with Red Hat’s security-first philosophy.

SELinux Disabled by Default:

Debian:
SELinux is not enabled by default in Debian. Instead, Debian utilizes AppArmor, another security framework focusing on application-level security policies.

Ubuntu:
Like Debian, Ubuntu doesn’t have SELinux enabled by default. Instead, it uses AppArmor as its mandatory access control framework for added security.

Arch Linux:
Arch Linux does not enable SELinux by default. However, Arch Linux, known for its minimalist approach, allows users to enable SELinux if they require its security features.

SELinux Q&A

1. What is SELinux?

  • Answer: Security-Enhanced Linux (SELinux) is a security architecture integrated into the Linux kernel. It provides a flexible mandatory access control framework to strengthen a Linux system’s overall security.

2. How does SELinux enhance security?

  • Answer: SELinux implements mandatory access controls in addition to traditional discretionary controls. It defines and enforces policies restricting user and process privileges, preventing unauthorized access and potential security threats.

3. What are the main components of SELinux?

  • Answer: SELinux comprises three main components: policies, security server, and security contexts. Policies define rules, the security server enforces them, and security contexts label objects to determine their access levels.

4. How can I check if SELinux is enabled on my system?

  • Answer: Execute the command sestatus in the terminal. If SELinux is enabled, it will display the current status, enforcing mode, and policy version.

5. What are SELinux modes, and how do they differ?

  • Answer: SELinux operates in three modes: Enforcing, Permissive, and Disabled. Enforcing actively denies access violations, Permissive logs violations without enforcement, and Disabled turns off SELinux.

6. Can SELinux policies be customized?

  • Answer: Yes, SELinux policies can be customized to meet specific security requirements. Users can create or modify policies using tools like semanage and audit2allow.

7. How do I troubleshoot SELinux denials?

  • Answer: Check the audit logs (/var/log/audit/audit.log) for AVC (Access Vector Cache) denials. Tools like ausearch and audit2why help interpret denials and suggest corrective actions.

8. Can SELinux be temporarily disabled?

  • Answer: Yes, SELinux can be temporarily disabled using the command setenforce 0. However, it’s not recommended for security reasons, and disabling should only be done for troubleshooting purposes.

9. How can I restore default SELinux policies?

  • Answer: To restore default SELinux policies, use the restorecon command. For example, restorecon -R / will restore the default security contexts for files and directories.

10. Are there alternatives to SELinux for Linux security?

  • Answer: Yes, alternatives like AppArmor and grsecurity exist. Each has its own approach to enhancing Linux security, and the choice depends on specific system requirements.

Verification

Sanity-check the change actually worked:

  • getenforce — returns Enforcing, Permissive, or Disabled.
  • sestatus — full status report including the loaded policy.
  • ausearch -m AVC -ts recent — shows recent SELinux denials in the audit log.

Troubleshooting

Service fails after re-enabling SELinux — Switch to Permissive temporarily, then run ausearch -m AVC,USER_AVC -ts today to identify the denials. audit2allow can generate a custom policy module to fix them; review the generated rules before loading the module.

File access denied even though Unix permissions are right — Check label with ls -Z. Restore default labels: restorecon -Rv /path.

Relabelling on boot takes forever — Triggered by touch /.autorelabel or after enabling from Disabled. On large filesystems this is normal; only happens once.
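
To decide between relabelling and a policy module, it helps to group the denials first. The following is an added example, not part of the original guide: a summarizer for AVC lines in audit.log format, with a hypothetical function name and constructed sample log lines.

```bash
#!/bin/sh
# Added example; function names and log lines are constructed for illustration.

# Group AVC denials by process, source type, target type, class and permission.
# permissive=1 means the access was logged but allowed (Permissive mode).
summarize_avc() {
    awk '
    /type=(AVC|USER_AVC)/ && /denied/ {
        perms = $0; sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        comm = src = tgt = cls = pm = "?"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            else if (kv[1] == "tclass") cls = kv[2]
            else if (kv[1] == "permissive") pm = kv[2]
        }
        n[comm " " src " -> " tgt ":" cls " { " perms " } permissive=" pm]++
    }
    END { for (k in n) print n[k], k }' "$@" | sort -k1,1nr -k2
}

# Constructed sample in audit.log format (not taken from a real host).
sample_avc_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:411): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=5001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:411): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000042.007:419): avc:  denied  { read } for  pid=1240 comm="httpd" name="about.html" dev="dm-0" ino=5002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000090.330:425): avc:  denied  { name_bind } for  pid=2001 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
EOF
}

# On a real host: ausearch -m AVC,USER_AVC -ts today | summarize_avc
# or:             summarize_avc /var/log/audit/audit.log
sample_avc_log | summarize_avc
```

In the sample, the repeated httpd_t to user_home_t denial points at files carrying the wrong label, which restorecon addresses, while the single permissive=1 entry was only logged and would be blocked once Enforcing is restored.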
