Switching SELinux off on CentOS 5


Security-Enhanced Linux, also known as SELinux, implements various security policies on Linux and additional levels of access control. It was originally developed by the U.S. National Security Agency to adhere to the "Orange Book" guidelines. On CentOS 5 it is enabled by default, but there may be circumstances where you don't need SELinux's additional security and may want to disable it.

The SELinux configuration file on CentOS is located at /etc/selinux/config and after a default install looks like this:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

To disable SELinux you need to change "SELINUX=enforcing" to "SELINUX=disabled" so that the configuration file now looks like this:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

This would then disable SELinux on your next reboot. To change the SELinux setting right now, without having to reboot, you can use the setenforce command like so:

setenforce 0

However, this will only put SELinux into permissive mode until the next reboot, meaning that SELinux is running and logging but not actually controlling permissions. To make the change permanent, and to disable SELinux completely, you need to modify the configuration file as detailed above and reboot.
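To confirm which of these states a host is actually in, the following added example (not part of the original post) compares the SELINUX= value in the config file with the running mode. The function names are hypothetical and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: compare the boot-time mode in
# the SELinux config file with the mode the kernel is running right now.

# Print the mode on the first SELINUX= line, lowercased. The anchored
# pattern skips comment lines and the SELINUXTYPE= line.
configured_mode() {
    cfg=${1:-/etc/selinux/config}
    [ -r "$cfg" ] || return 1
    sed -n 's/^SELINUX=\([A-Za-z]*\).*/\1/p' "$cfg" | head -n 1 |
        tr '[:upper:]' '[:lower:]'
}

# Classify a configured/runtime pair (both lowercase).
classify_state() {
    case "$1/$2" in
        enforcing/enforcing|permissive/permissive|disabled/disabled)
            echo consistent ;;
        enforcing/permissive)   # setenforce 0 without a config change
            echo reverts-to-enforcing-at-reboot ;;
        disabled/enforcing|disabled/permissive)  # config edited, no reboot yet
            echo disabled-at-next-reboot ;;
        *)
            echo mismatch ;;
    esac
}

# $1: config path (default /etc/selinux/config); $2: runtime mode
# (default: output of getenforce). Hypothetical helper name.
selinux_audit() {
    want=$(configured_mode "$1") || { echo unreadable-config; return 2; }
    have=${2:-$(getenforce 2>/dev/null || true)}
    have=$(printf '%s' "$have" | tr '[:upper:]' '[:lower:]')
    [ -n "$want" ] && [ -n "$have" ] || { echo unknown; return 2; }
    classify_state "$want" "$have"
}

# Constructed sample: the article's edited config on a host where only
# "setenforce 0" has been run so far (getenforce would print Permissive).
sample=$(mktemp)
printf '%s\n' '# SELINUX= can take one of these three values:' \
    'SELINUX=disabled' 'SELINUXTYPE=targeted' > "$sample"
echo "sample host: $(selinux_audit "$sample" Permissive)"
rm -f "$sample"
```

Calling selinux_audit with no arguments checks the live host, reading /etc/selinux/config and the output of getenforce.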

It's also possible to change the SELinux setting without editing the configuration file manually, by running the following command:

/usr/bin/system-config-securitylevel-tui

This displays a dialog like the one below, which lets you change the SELinux setting and make some very basic firewall changes:

             Firewall Configuration

A firewall protects against unauthorized
network intrusions. Enabling a firewall blocks
all incoming connections. Disabling a firewall
allows all connections and is not recommended.

  Security Level: (*) Enabled ( ) Disabled

            SELinux: Enforcing
                     Permissive
                     Disabled


   OK           Customize          Cancel

Normally you wouldn't want or need to change or disable SELinux; this is just a guide in case you do need to for some reason or other.



