Disable SELinux permanently
Solution 1
You need to set it in /etc/selinux/config:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
The correct location to pass selinux=0 as a kernel boot parameter is in /etc/grub.conf:
kernel /boot/vmlinuz-2.6.32-358.2.1.el6.x86_64 ro root=/dev/xvda1 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto console=tty0 selinux=0
PS: SELinux should be only set to permissive.
To debug a problem, run it in permissive, see what gets logged to /var/log/audit.log, fix the denials, then switch it back to enforcing.
Do not run it in permissive or disabled long term.
Solution 2
Setting SELINUX=disabled in the file /etc/sysconfig/selinux should be enough. You can also disable it from the kernel. Edit the file /etc/default/grub and add selinux=0 to the GRUB_CMDLINE_LINUX variable and update your GRUB configuration:
shell# grub2-mkconfig -o /etc/grub2.cfg
After rebooting, check SELinux status. The getenforce command should print Disabled.
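An added example, not part of either answer: a shell check that reports which mode a host will boot into, combining the SELINUX= line in /etc/selinux/config (Solution 1) with selinux=0 on the kernel command line (Solution 2), so a persistently permissive or disabled host can be flagged. The function names, the enforcing=0 handling and the stale-copy check for /etc/sysconfig/selinux (a symlink to /etc/selinux/config on a stock install) go beyond the page and are assumptions of this example; the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original answers): report the SELinux mode a
# host will boot into, from its config file and kernel command line.

# Value of the last uncommented SELINUX= line in config file $1.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr 'A-Z' 'a-z'
}

# Mode after boot for config file $1 and kernel command line $2.
# selinux=0 disables SELinux whatever the file says; enforcing=0 boots an
# enabled system permissive.
selinux_boot_mode() {
    mode=$(selinux_config_mode "$1")
    [ -n "$mode" ] || mode=unknown
    for arg in $2; do
        case $arg in
            selinux=0) mode=disabled ;;
            enforcing=0) [ "$mode" = disabled ] || mode=permissive ;;
        esac
    done
    printf '%s\n' "$mode"
}

# True when $2 (the /etc/sysconfig/selinux path) has become a regular file
# whose SELINUX= value differs from $1, the file read at boot.
selinux_sysconfig_stale() {
    [ -e "$2" ] && [ ! -L "$2" ] &&
        [ "$(selinux_config_mode "$1")" != "$(selinux_config_mode "$2")" ]
}

# Constructed sample input: the situation in the question, where only the
# /etc/sysconfig/selinux copy was edited.
demo=$(mktemp -d)
printf '# comment\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo/config"
printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$demo/sysconfig"
cmdline='ro root=/dev/xvda1 console=tty0'   # constructed, no selinux=0

echo "boot mode: $(selinux_boot_mode "$demo/config" "$cmdline")"
selinux_sysconfig_stale "$demo/config" "$demo/sysconfig" &&
    echo "warning: sysconfig copy is stale and ignored at boot"
rm -rf "$demo"
# On a real host: selinux_boot_mode /etc/selinux/config "$(cat /proc/cmdline)"
```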
Programster
Updated on September 18, 2022
Comments
-
Programster, over 1 year: I am running a VirtualBox CentOS 6.4 (64 bit) server with Cobbler service. One of the steps is to disable SELinux in order to prevent a Python error when running service cobblers start. If I run setenforce 0 everything is fine, but I have to run that command every time the server restarts. I tried changing /etc/sysconfig/selinux to SELINUX=disabled and also SELINUX=permissive before restarting, but sestatus keeps showing that CentOS starts with selinux running. Do I need to change a different config file, or have I configured the selinux file incorrectly?
YouTube video showing selinux config file, rebooting and then checking status
-
Programster, about 11 years: It seems like this guy has the same issue in Fedora: serverfault.com/questions/500957/…
-
tgharold, almost 11 years: Disabling SELinux is never the right answer. You should put it into Permissive mode, then use "sealert -a /var/log/audit/audit.log" to see what would be blocked in "Enforcing" mode. Remedy those issues with either "restorecon" (mislabeled files), setting SELinux booleans, or using audit2allow to create a custom policy for your system.
-
Programster, about 11 years: Ok well I have rebooted and used 'getenforce' instead of sestatus. It outputs Enforcing. Here is a video to show: youtu.be/hZzP-kOtGfU
-
Spack, about 11 years: I've edited my answer.
-
Programster, about 11 years: It appears that I do not have a /etc/default/grub file. Perhaps I need to edit the /etc/grub.conf file? There is no GRUB_CMDLINE_LINUX variable in there though. Also grub2-mkconfig -o /etc/grub2.cfg resulted in
grub2-mkconfig: command not found
Perhaps I should let you know that I am running a bare minimal CentOS 6.4 net-install...
Programster, almost 11 years: When I originally read this answer I had not properly read the paths. I needed to change /etc/selinux/config instead of /etc/sysconfig/selinux as you stated.
-
maxschlepzig, over 4 years: @Programster, CentOS 6 is on Grub 1, IIRC. Thus, this part only works on CentOS 7 and later.