How to Disable SELinux


You’ve set up a new system, or installed something new on your Linux system, and it’s not working. You get the feeling that SELinux is the cause of the problem. This page was written to help.

Overview

SELinux has two major components on your system. First, there’s the kernel mechanism, which enforces a set of access rules that apply to processes and files. Second, there are file labels: every file on your system has extra labels attached to it which tie in with those access rules. Run ls -Z and you’ll see what I mean.

 

Should you really disable SELinux?

Be aware that by disabling SELinux you will be removing a security mechanism on your system. Think about this carefully, and if your system is on the Internet and accessed by the public, then think about it some more.


 

You need to decide if you want to disable SELinux temporarily to test the problem, or permanently switch it off. It may also be a better option to make changes to the policy to permit the operations that are being blocked – but this requires knowledge of writing policies and may be a steep learning curve for some people. For the operating system as a whole, there are two kinds of disabling:

  • Permissive – switch the SELinux kernel into a mode where every operation is allowed. Operations that would be denied are allowed and a message is logged identifying that it would be denied. The mechanism that defines labels for files which are being created/changed is still active.
  • Disabled – SELinux is completely switched off in the kernel. This allows all operations to be permitted, and also disables the process which decides what to label files & processes with.

Disabling SELinux could lead to problems if you want to re-enable it later. When the system runs with file labelling disabled it will create files with no label, which could cause problems if the system is later booted into enforcing mode. A full re-labelling of the file system will then be necessary.

 

Temporarily switch off enforcement

You can switch the system into permissive mode with the following command:
echo 0 >/selinux/enforce

You’ll need to be logged in as root, and in the sysadm_r role:
newrole -r sysadm_r

To switch back into enforcing mode:
echo 1 >/selinux/enforce

In Fedora Core and Red Hat Enterprise Linux you can use the setenforce command with a 0 or 1 option to set permissive or enforcing mode; it’s just a slightly easier command than the above.

To check what mode the system is in:
cat /selinux/enforce

This prints “0” for permissive or “1” for enforcing. The digit will probably appear at the beginning of the command prompt line.
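
While the system is in permissive mode, the logged would-be denials show exactly what the policy is blocking. The following is an added example, not part of the original article: it summarises AVC denial messages, assuming audit-format lines such as auditd writes to /var/log/audit/audit.log on Fedora and Red Hat systems. The function names are hypothetical and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials from audit-format log lines.
# Output per distinct denial: count comm: source_type -> target_type class { perms } mode
summarize_avc() {
    awk '
    # A context is user:role:type[:level]; the type is the third field.
    function ctx_type(c,   p) { split(c, p, ":"); return p[3] }
    /avc: +denied/ {
        comm = "?"; src = "?"; tgt = "?"; cls = "?"; mode = "unknown"
        # Requested permissions sit between the braces: { read write }
        ob = index($0, "{"); cb = index($0, "}")
        perms = substr($0, ob + 2, cb - ob - 3)
        # comm may contain spaces, so take it from the whole line.
        if (match($0, /comm="[^"]*"/)) comm = substr($0, RSTART + 6, RLENGTH - 7)
        for (i = 1; i <= NF; i++) {
            n = index($i, "="); if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "scontext") src = ctx_type(val)
            else if (key == "tcontext") tgt = ctx_type(val)
            else if (key == "tclass") cls = val
            # permissive=1: allowed and only logged; permissive=0: really blocked.
            # Older kernels omit the field, so mode stays "unknown".
            else if (key == "permissive") mode = (val == "1") ? "logged-only" : "blocked"
        }
        seen[comm ": " src " -> " tgt " " cls " { " perms " } " mode]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample lines (not taken from a real system).
sample_avc_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000001.100:201): avc:  denied  { read } for  pid=1411 comm="httpd" name="index.html" dev="dm-0" ino=7001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000002.200:202): avc:  denied  { read } for  pid=1412 comm="httpd" name="about.html" dev="dm-0" ino=7002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000003.300:203): avc:  denied  { name_connect } for  pid=1413 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000003.300:203): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
EOF
}

sample_avc_log | summarize_avc
```

On a real system, feed the function the audit log on stdin instead of the sample. Lines marked logged-only were allowed because the system was permissive and would be blocked once enforcing mode is switched back on.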

 

Permanently Permissive

The above will switch off enforcement temporarily – until you reboot the system. If you want the system to always start in permissive mode, then here is how you do it.

In Fedora Core and Red Hat Enterprise, edit /etc/selinux/config and you will see some lines like this:

 

