Option to disable SELinux for AL2023 - Amazon Linux 2023

When you disable SELinux, SELinux policy isn't loaded or enforced and Access Vector Cache (AVC) messages aren't logged. You lose all benefits of running SELinux.

Instead of disabling SELinux, we recommend using permissive mode. Running in permissive mode costs only a little more than disabling SELinux completely. Returning from permissive mode to enforcing mode needs far less adjustment than returning to enforcing mode after SELinux has been disabled: in permissive mode, files still receive SELinux labels as they are created, and the system tracks and logs the actions that the active policy would have denied. On a system where SELinux was disabled, files created in the meantime carry no labels, so the file system must be relabeled before enforcing mode is usable.

Change SELinux to permissive mode

When you run SELinux in permissive mode, SELinux policy isn’t enforced. In permissive mode, SELinux logs AVC messages but doesn’t deny operations. You can use these AVC messages for troubleshooting, debugging, and SELinux policy improvements.

To change SELinux to permissive mode, use the following steps.

  1. Edit the /etc/selinux/config file to change to permissive mode. The SELINUX value should look like the following example. This file is read at boot, so the change does not take effect until the next restart.

    SELINUX=permissive
  2. Restart your system to complete the change to permissive mode. (To switch the running system without a restart, sudo setenforce 0 sets permissive mode until the next boot; it does not change the config file, so the edit above is still required to make the change persist.)

    sudo reboot

Disable SELinux

When you disable SELinux, SELinux policy isn't loaded or enforced, and AVC messages aren't logged. You lose all benefits of running SELinux.

To disable SELinux, use the following steps.

  1. Ensure that the grubby package is installed. The command prints the installed package version.

    rpm -q grubby
    grubby-version
  2. Configure your bootloader to add selinux=0 to the kernel command line.

    sudo grubby --update-kernel ALL --args selinux=0
  3. Restart your system.

    sudo reboot
  4. Run the getenforce command to confirm that SELinux is Disabled. As a second check, the running kernel command line in /proc/cmdline should now include selinux=0.

    $ getenforce
    Disabled
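The following script is an added example and is not code from the Amazon Linux 2023 documentation. It wraps the two procedures on this page (switching /etc/selinux/config to permissive mode, and disabling SELinux with selinux=0 on the kernel command line) in functions that take the config file and the command line as arguments, so you can dry-run the edit on a scratch copy and predict what getenforce will report before you reboot. It assumes bash with awk, grep and sed, a stock SELINUX=<mode> line in the config file, and a kernel command line in the format of /proc/cmdline. The sample config contents and the fallback command line in demo are constructed, not taken from a real system.

```bash
#!/bin/bash
# Added example, not code from the Amazon Linux 2023 documentation.
# Assumed tools: bash, awk, grep, sed. Assumed layout: a "SELINUX=<mode>"
# line in the config file, and a kernel command line as in /proc/cmdline.
set -u

# Print the mode recorded by the SELINUX= line (enforcing, permissive or
# disabled), ignoring comments and whitespace. Prints "unset" if absent.
selinux_config_mode() {
    awk -F= '/^[[:space:]]*SELINUX[[:space:]]*=/ { sub(/#.*/, "", $2); gsub(/[[:space:]]/, "", $2); m = $2 }
             END { print (m == "" ? "unset" : m) }' "$1"
}

# Rewrite the SELINUX= line to the requested mode, appending one if missing.
# Only enforcing and permissive are accepted: this page disables SELinux on
# the kernel command line, not through the config file.
set_selinux_config_mode() {
    local file="$1" mode="$2"
    case "$mode" in
        enforcing|permissive) ;;
        *) printf 'refusing to write SELINUX=%s\n' "$mode" >&2; return 1 ;;
    esac
    if grep -Eq '^[[:space:]]*SELINUX[[:space:]]*=' "$file"; then
        sed -E "s/^[[:space:]]*SELINUX[[:space:]]*=.*/SELINUX=${mode}/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf 'SELINUX=%s\n' "$mode" >> "$file"
    fi
}

# Return 0 when the kernel command line carries selinux=0 as a whole token.
# A substring test would be wrong: "selinux=01" or "foo_selinux=0" must not match.
cmdline_disables_selinux() {
    local tok
    for tok in $1; do
        [ "$tok" = "selinux=0" ] && return 0
    done
    return 1
}

# Predict getenforce output after reboot from a config file and a command
# line. selinux=0 wins over the config file: no policy is loaded, so the
# file's setting is irrelevant until the parameter is removed again.
expected_mode_after_reboot() {
    local file="$1" cmdline="$2"
    if cmdline_disables_selinux "$cmdline"; then
        echo Disabled
        return 0
    fi
    case "$(selinux_config_mode "$file")" in
        enforcing)  echo Enforcing ;;
        permissive) echo Permissive ;;
        *)          echo unknown ;;
    esac
}

# Dry run on a constructed copy of the config file, never on the live system.
demo() {
    local cfg cmdline
    cfg=$(mktemp)
    printf '# constructed sample of /etc/selinux/config\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$cfg"
    # Use the real command line when available, otherwise a constructed one.
    cmdline=$(cat /proc/cmdline 2>/dev/null || echo 'BOOT_IMAGE=/boot/vmlinuz root=/dev/xvda1 ro')
    set_selinux_config_mode "$cfg" permissive
    echo "config mode:    $(selinux_config_mode "$cfg")"
    echo "after reboot:   $(expected_mode_after_reboot "$cfg" "$cmdline")"
    echo "with selinux=0: $(expected_mode_after_reboot "$cfg" "$cmdline selinux=0")"
    rm -f "$cfg"
}
demo
```

To use it against the live system, point the functions at /etc/selinux/config and "$(cat /proc/cmdline)"; the token-wise check in cmdline_disables_selinux is what confirms that the grubby change actually reached the running kernel after the reboot.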

For more information about SELinux, see the SELinux Notebook and SELinux configuration.