How to Disable (or Enable) SELinux in AlmaLinux

/ System Administration

Just like RHEL and the rest of its derivatives, AlmaLinux comes with SELinux (Security Enhanced Linux) installed and enabled by default. In this guide, we’ll see how to disable SELinux temporarily or permanently. You’ll also learn how to re-enable it later in case you need to turn it back on.

It’s not usually recommended to permanently disable SELinux, unless you’re in a test environment or have alternative methods of securing the AlmaLinux system. Instead, you should learn how to add exceptions in SELinux if it’s interfering with the operation of some application on the system. Consider this your obligatory warning.

Before we get started, you should know that SELinux has three different modes of operation, as follows:

  • Enforcing – SELinux is enabled, logging events, and enforcing its policies.
  • Permissive – SELinux is logging events but not enforcing any policies.
  • Disabled – SELinux is neither logging events nor enforcing policies.

If you only plan to temporarily disable SELinux, you should opt for permissive mode. SELinux will log events about things it would normally block, but won’t actually block them. When done with your testing, you can flip SELinux back to enforcing mode.

On the other hand, if you want to disable SELinux permanently, you should opt for disabled mode. We’ll show you the instructions for both options below.

1. Check the current mode of SELinux by issuing the getenforce command. By default, it should say “enforcing.”

$ getenforce
Enforcing

2. To temporarily set SELinux to permissive mode, run the following command. Note that a reboot will flip SELinux back to enforcing mode.

$ sudo setenforce 0

3. Verify your changes with either the getenforce or sestatus commands.

$ getenforce
Permissive

4. To put SELinux back into enforcing mode, run this command.

$ sudo setenforce 1

5. To permanently disable SELinux, we need to edit the /etc/selinux/config file. Change the SELINUX=enforcing line to “disabled”, and save your changes to the file.

$ sudo nano /etc/selinux/config

SELINUX=disabled

If you prefer, you could change it to permissive instead.

6. You’ll need to reboot the system after this file change, then SELinux will stay permanently disabled. If you don’t want to reboot now, use the instructions above to temporarily disable SELinux. Either way, it’ll be disabled when you reboot later.

$ reboot

7. After the reboot, verify that SELinux is permanently disabled.

$ sestatus
SELinux status:		disabled

8. To re-enable SELinux, change the line in /etc/selinux/config back to “enforcing,” then reboot the system.

$ sudo nano /etc/selinux/config

SELINUX=enforcing

Leave a Comment

Your email address will not be published. Required fields are marked *