This article shows how to disable SELinux, because some software does not support this Linux kernel security module, which provides the mechanism for enforcing access control security policies.
Display current state of SELinux
The sestatus command reports the current state:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Temporarily Disable/Enable SELinux
To disable SELinux temporarily (without rebooting the Linux system), enter the following command as the root user:
# setenforce 0
This stops SELinux from enforcing its policy (it switches to permissive mode) until you reboot the Linux system.
To enable enforcement again:
# setenforce 1
Permanently Disable/Enable SELinux
To disable SELinux permanently, modify the /etc/selinux/config file and change “SELINUX=enforcing” to “SELINUX=disabled”. The change takes effect at the next reboot. The comments in the file describe the accepted values:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
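As an added example (not part of the original article), the shell functions below read the SELINUX= value from a config file and change it only when the new value is one of the three listed in the comments above, so a misspelling such as "disable" is refused before it is written. The function names are hypothetical, the strict value matching is an assumption of this example, and the demo runs on a constructed temporary file rather than the real /etc/selinux/config.

```shell
#!/bin/sh
# Added example: validate and edit an SELinux config file offline.
# Function names are hypothetical; nothing here touches the running system.

# Print the value of the last uncommented SELINUX= line in file $1.
# Comment lines and SELINUXTYPE= do not match the pattern.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" | tail -n 1
}

# Return 0 only if $1 is one of the three values the config comments list.
selinux_mode_valid() {
    case "$1" in
        enforcing|permissive|disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Set SELINUX= to mode $2 in file $1, keeping a .bak copy.
# An unrecognised value is rejected and the file is left untouched.
selinux_set_mode() {
    file=$1
    mode=$2
    if ! selinux_mode_valid "$mode"; then
        echo "refusing invalid SELINUX value: $mode" >&2
        return 1
    fi
    cp -p "$file" "$file.bak" || return 1
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file.bak" > "$file"
}

# Demo on a constructed sample file (not the real /etc/selinux/config).
demo=$(mktemp)
printf '%s\n' '# SELINUX= can take one of these three values:' \
    'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$demo"
selinux_set_mode "$demo" disable || echo "typo rejected, file still: $(selinux_config_mode "$demo")"
selinux_set_mode "$demo" permissive && echo "now: $(selinux_config_mode "$demo")"
rm -f "$demo" "$demo.bak"
```
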
Configure Booleans instead of disabling entire SELinux
Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing.
For a list of Booleans and whether they are on or off, run getsebool -a as the root user.
In the following example, the httpd_can_sendmail is off:
# getsebool -a | grep sendmail
httpd_can_sendmail --> off
This prevents Apache from sending e-mail.
Run the setsebool utility in the setsebool boolean_name on/off form to enable or disable Booleans.
The following example demonstrates configuring the httpd_can_network_connect_db Boolean:
By default, the httpd_can_network_connect_db Boolean is off, preventing Apache HTTP Server scripts and modules from connecting to database servers:
Verify the Boolean is disabled with getsebool httpd_can_network_connect_db:
httpd_can_network_connect_db --> off
To temporarily enable Apache HTTP Server scripts and modules to connect to database servers, run setsebool httpd_can_network_connect_db on as the Linux root user.
Verify the Boolean is enabled with the same getsebool command:
httpd_can_network_connect_db --> on
This change is not persistent across reboots. To make changes persistent across reboots, run the setsebool -P boolean-name on command as the Linux root user:
# setsebool -P httpd_can_network_connect_db on