Let’s run a few commands to disable or turn off the SELinux on Rocky Linux 8 using the command terminal.
SELinux is now the standard in the Linux environment when it comes to the use of mandatory access control. Initially, the system had a reputation for being difficult to configure and only usable for experts. Those days are over. SELinux can now also be used and configured by “ordinary” admins.
Well, in a conventional system, there are many different programs that all need to run with root privileges in order to be able to do their job, but should not have full root privileges (why should Apache have access to the mail pool files, for example?). SELinux is based on the TE principle (Type Enforcement): all resources are assigned to specific domains and access rules are defined on them. In short- all files are labeled, i.e. assigned to a specific domain; this means, for example, that all files belonging to Apache can be assigned the “apache_t” type. The Apache binary is also plugged into this domain. If the rest of the system is set up correctly, Apache can only access the data that is in its domain; any access to files located within other domains (e.g. “postfix_t”) is prevented by the kernel.
Hence, if any service is running with the wrong security policy, files in the incorrect domain, any security breach detection- SELinux restricts the access/function of that particular file or services.
This security layer of the Linux system stores the logs for all activities related to it at /var/log/audit/audit.log
Now, what is the need for disabling SELinux?
Many times, we need to run applications that don’t support SELinux, hence we either need to disable it permanently or put it in a permissive mode to avoid it from terminating any key process we required to install some particular application.
Steps to Disable SELinux on Rocky Linux
1. Requirements
• RedHat based Linux distros such as Rocky Linux 8
• A non-root user with sudo access
• Command terminal
2. SELinux Modes
There are three modes in which it works, here are those:
enforcing – It means the SELinux security policy is enforced.
permissive – This will put SELinux services on hold and prints warnings instead of enforcing to stop any unwanted process.
disabled – No SELinux policy is loaded.
3. Check the status of SELinux on Rocky Linux
Before going further to turn off the SELinux, first let’s know what is the current situation or state of it. For that go to the command terminal and run:
sestatus
If Current and Mode form config files are set to “Enforcing” mode this means SELinux is enabled and actively restricting the unwanted process.
4. Disable SELinux Temporarily or Enable Premmisve mode
If we get some error in installing a program due to SELinux then either we must set its Policy to allow the process or put it in “Premmisve” mode for your current session. This will halt your system’s SELinux security policies until the next system reboot. In short, disables it temporarily and will revert back to enforcing mode as soon as you restart your system.
sudo setenforce 0
To check you can again run the command- sestatus
and in the screenshot, you can see the “current mode” of the system is set to “Permissive“.
5. Enable Permanent Disable or Permissive mode
Well, running the command given above will set things for temporary. So, if you want to disable SELinux permanently or put it in Permissive mode, that remains unchanged even after the system reboot. Then we have to edit the “/etc/sysconfig/selinux
“.
sudo dnf -y install nano sudo nano /etc/sysconfig/selinux
By default, the mode is set to ‘enforcing’.
For permanent disable and permissive mode simply set SELINUX=disbaled
or SELINUX=permissive
as per your choice.
Save the file Ctrl+O, hit the Enter key, and then Ctrl+X to exit the file.
6. Restart your system
To apply the changes we have done by editing the SELinux file, simply reboot your Rocky Linux system.
sudo reboot
7. Check current mode
Once you are again on your system’s terminal, run the command to check the current status to confirm SELinux is set to permanent or disable mode.
sestatus
Ending Note:
By following this tutorial you will be able to disable SELinux on your Rocky Linux, nevertheless, it is recommended to use permissive messive mode instead going for disable mode.
Shouldn’t the service auditd also be disabled when disabling SELinux?