When you disable SELinux, SELinux policy isn't loaded or enforced and Access Vector Cache (AVC) messages aren't logged. You lose all benefits of running SELinux.
Instead of disabling SELinux, we recommend using permissive mode. It costs only a little more to run
in permissive mode than it does to disable SELinux completely. Transitioning from permissive
mode to enforcing mode requires much less of a configuration adjustment than transitioning back to
enforcing mode after disabling SELinux. You can label files, and the system can track and log actions
that the active policy might have denied.
Change SELinux to permissive mode
When you run SELinux in permissive mode, SELinux policy isn’t enforced. In permissive
mode, SELinux logs AVC messages but doesn’t deny operations. You can use these AVC messages for troubleshooting,
debugging, and SELinux policy improvements.
To change SELinux to permissive mode, use the following steps.
-
Edit the
/etc/selinux/configfile to change topermissivemode. TheSELINUXvalue should look like the following example.SELINUX=permissive -
Restart your system to complete the change to
permissivemode.sudo reboot
Disable SELinux
When you disable SELinux, SELinux policy isn't loaded or enforced, and AVC messages aren't logged. You lose all benefits of running SELinux.
To disable SELinux, use the following steps.
-
Ensure that the
grubbypackage is installed.rpm -q grubbygrubby-version -
Configure your bootloader to add
selinux=0to the kernel command line.sudo grubby --update-kernel ALL --args selinux=0 -
Restart your system.
sudo reboot -
Run the
getenforcecommand to confirm that SELinux isDisabled.$getenforceDisabled
For more information about SELinux, see the SELinux Notebook
