Just like RHEL and the rest of its derivatives, AlmaLinux comes with SELinux (Security Enhanced Linux) installed and enabled by default. In this guide, we’ll see how to disable SELinux temporarily or permanently. You’ll also learn how to re-enable it later in case you need to turn it back on.
Before we get started, you should know that SELinux has three different modes of operation, as follows:
- Enforcing – SELinux is enabled, logging events, and enforcing its policies.
- Permissive – SELinux is logging events but not enforcing any policies.
- Disabled – SELinux is neither logging events nor enforcing policies.
If you only plan to temporarily disable SELinux, you should opt for permissive mode. SELinux will log events about things it would normally block, but won’t actually block them. When done with your testing, you can flip SELinux back to enforcing mode.
On the other hand, if you want to disable SELinux permanently, you should opt for disabled mode. We’ll show you the instructions for both options below.
1. Check the current mode of SELinux by issuing the
getenforce command. By default, it should say “enforcing.”
$ getenforce Enforcing
2. To temporarily set SELinux to permissive mode, run the following command. Note that a reboot will flip SELinux back to enforcing mode.
$ sudo setenforce 0
3. Verify your changes with either the
$ getenforce Permissive
4. To put SELinux back into enforcing mode, run this command.
$ sudo setenforce 1
5. To permanently disable SELinux, we need to edit the
/etc/selinux/config file. Change the
SELINUX=enforcing line to “disabled”, and save your changes to the file.
$ sudo nano /etc/selinux/config SELINUX=disabled
If you prefer, you could change it to permissive instead.
6. You’ll need to reboot the system after this file change, then SELinux will stay permanently disabled. If you don’t want to reboot now, use the instructions above to temporarily disable SELinux. Either way, it’ll be disabled when you reboot later.
7. After the reboot, verify that SELinux is permanently disabled.
$ sestatus SELinux status: disabled
8. To re-enable SELinux, change the line in
/etc/selinux/config back to “enforcing,” then reboot the system.
$ sudo nano /etc/selinux/config SELINUX=enforcing