SELinux (Security-Enhanced Linux) is a security module that enforces access control policies on a Linux system. While SELinux adds an extra layer of protection, it can also interfere with applications, custom scripts, or server configurations. That is when you may need to disable it.
This guide helps you learn all about SELinux, how it works, how to check the current status, and how to safely disable it.
SELinux Modes Explained: Enforcing, Permissive, and Disabled
SELinux operates in one of three modes: enforcing, permissive, or disabled. Here is how security policies are applied in each:
- Enforcing: This is the default mode on most systems. SELinux strictly enforces its security policies by blocking and logging any unauthorized access attempts.
- Permissive: SELinux policies are not enforced, but the violations are still logged. This mode is usually useful for debugging or testing without breaking the functionality.
- Disabled: In disabled mode, SELinux is completely turned off. No access control or logging occurs.
Understanding these modes will help you decide whether to disable SELinux or set it to permissive for troubleshooting.
Check SELinux Status on Your System
Before making any changes, it is essential to check the present SELinux mode. You can use the sestatus command to do this.
Alternatively, view the configuration file:
cat /etc/selinux/config
Look for the SELINUX= line, which shows whether SELinux is set to enforcing, permissive, or disabled at boot time.
How to Temporarily Disable SELinux (Until Reboot)
To stop SELinux from enforcing policies without rebooting the system, switch it to permissive mode:
sudo setenforce 0
To confirm the change:
getenforce
Output should be:
Permissive
This change lasts only until the next reboot and is useful when you want to test whether SELinux is causing issues without making any permanent changes.
How to Permanently Disable SELinux (Modify Config File)
To fully disable SELinux, you need to edit its configuration file. Here’s how:
- Open the config file in a text editor:
sudo nano /etc/selinux/config
- Locate the line:
SELINUX=enforcing
- Change it to:
SELINUX=disabled
- Save and exit the file.
- Reboot the system to apply the change:
sudo reboot
After rebooting, run sestatus again to confirm that SELinux is disabled:
SELinux status: disabled
Disabling SELinux on RHEL, AlmaLinux, and Rocky Linux
RHEL, AlmaLinux, and Rocky Linux all manage SELinux in the same way because they’re based on the Red Hat Enterprise Linux ecosystem. To disable SELinux on any of these:
- Edit the configuration file:
sudo nano /etc/selinux/config
- Change this line:
SELINUX=enforcing
to:
SELINUX=disabled
- Save the file and reboot your system:
sudo reboot
- After rebooting, verify with:
sestatus
The output should ideally say SELinux status: disabled.
These steps are the same across all three distributions, making it super simple to manage SELinux consistently.
Risks and Considerations Before Disabling SELinux
While disabling SELinux is super easy, it is important to understand the risks that are associated with it.
- Reduced system security: SELinux enforces necessary access control that could prevent many types of attacks.
- Compliance risks: Disabling SELinux can violate organizational or regulatory security policies.
- No visibility into blocked access: Once disabled, you could potentially lose audit logs that can help identify misconfigurations.
- False sense of security: Turning it off only fixes the symptoms, but not the root cause of permission issues.
When to avoid disabling it:
- In production systems
- On internet-facing servers
- In regulated environments (HIPAA, PCI-DSS, etc.)
Instead of the disabled mode, one should always consider the permissive mode or write custom SELinux policies as safer alternatives.
Alternatives to Disabling SELinux (Policy Tweaks and Permissive Mode)
Instead of disabling SELinux completely, you can try much safer options, such as:
- Using Permissive Mode (Recommended for Debugging)
Switch to permissive mode temporarily to see what SELinux is blocking without enforcing rules:
sudo setenforce 0
You can also make this persistent by setting SELINUX=permissive in /etc/selinux/config.
- Allow SELinux Booleans
SELinux has toggles (booleans) for enabling and disabling certain behaviors. You can view them with:
getsebool -a
Enable a boolean with:
sudo setsebool -P httpd_can_network_connect on
- Generate Custom Policies
Use tools like audit2allow to convert logged denials into policy rules:
sudo grep AVC /var/log/audit/audit.log | audit2allow -M mymodule
sudo semodule -i mymodule.pp
This lets you solve issues without removing SELinux’s protection entirely.
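Before turning logged denials into a module with audit2allow, it helps to see exactly which accesses the module would permit. The script below is an added example, not part of the original guide: it groups AVC denials by source type, target type, class, and permission. The function names and the sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: summarize AVC denials before feeding them to audit2allow.

# Constructed sample lines in audit.log format (not from a real system).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:411): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.101:411): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000042.007:419): avc:  denied  { name_connect } for  pid=1207 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000050.300:425): avc:  denied  { read open } for  pid=1301 comm="httpd" path="/home/app/index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

# stdin: audit log lines. stdout: "count source_type target_type:class perms comm",
# one line per distinct denial, most frequent first.
summarize_avc() {
    awk '
    /avc: +denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""; comm = "?"
        if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART, RLENGTH)
        gsub(/^[{] *| *[}]$/, "", perms)   # drop the braces
        gsub(/ +/, ",", perms)             # "read open" -> "read,open"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split(substr($i, 10), s, ":"); src = s[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); tgt = t[3] }
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
            else if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
        }
        seen[src " " tgt ":" cls " " perms " " comm]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

sample_audit_log | summarize_avc
# On a real host: sudo grep AVC /var/log/audit/audit.log | summarize_avc
```

A row such as httpd_t connecting to a network port is typically better handled by a boolean like httpd_can_network_connect than by a custom module, while a row touching user_home_t usually points to a file that needs relabeling rather than a new allow rule.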
Verifying SELinux Is Disabled
After making changes and rebooting, always verify SELinux’s status:
- Using sestatus:
sestatus
Expected output:
SELinux status: disabled
- Using getenforce:
getenforce
Expected output:
Disabled
- Check config file directly:
cat /etc/selinux/config
Make sure it reads:
SELINUX=disabled
If you still see enforcing or permissive, the system may not have rebooted, or the config file wasn’t saved properly.
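The mismatch described above, between what the config file says and what the running system reports, can be checked in one step. This script is an added example, not part of the original guide: the function names, result labels, and sample config are constructed for illustration, and it assumes the first uncommented SELINUX= line is the one that counts.

```bash
#!/usr/bin/env bash
# Added example: compare the boot-time mode in the config file with the runtime mode.

# Print the first uncommented SELINUX= value in a config file, lowercased.
# (Taking the first assignment is this script's choice; SELINUXTYPE= is not matched.)
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        head -n 1 | tr '[:upper:]' '[:lower:]'
}

# $1: config file path, $2: runtime mode as printed by getenforce.
compare_modes() {
    cfg=$(configured_mode "$1")
    run=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    if [ -z "$cfg" ]; then
        echo "no-setting"                      # no SELINUX= line found
    elif [ "$cfg" = "$run" ]; then
        echo "match:$cfg"
    elif [ "$cfg" = "disabled" ] || [ "$run" = "disabled" ]; then
        echo "reboot-pending:$run->$cfg"       # enabling/disabling needs a reboot
    else
        echo "runtime-override:$run->$cfg"     # setenforce was used; reverts at boot
    fi
}

# Constructed sample config (not read from a real system).
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
# This file controls the state of SELinux on the system.
#SELINUX=enforcing
SELINUX=disabled
SELINUXTYPE=targeted
EOF

compare_modes "$sample_cfg" "Permissive"
# On a real host: compare_modes /etc/selinux/config "$(getenforce)"
```

A runtime-override result is also worth watching for on systems that are supposed to stay in enforcing mode, since it shows that someone ran setenforce 0 and left the host permissive.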
Conclusion: When and How to Disable SELinux Responsibly
Disabling SELinux can solve compatibility and access issues, especially when you are running custom applications or services that are not configured for strict security policies. This is why it is important to understand and recognize SELinux’s impact on your defense systems.
What is the difference between disabling and setting SELinux to permissive?
Disabling SELinux turns it off completely. In permissive mode, SELinux doesn’t enforce policies but still logs access violations — making it safer for debugging and development.
How do I disable SELinux permanently?
To disable SELinux permanently, edit /etc/selinux/config and change SELINUX=enforcing to SELINUX=disabled, then reboot your system for the changes to apply.
Is it safe to disable SELinux on a production server?
Disabling SELinux reduces your system’s security. It is generally not recommended in production unless absolutely necessary. Instead, consider permissive mode or adjusting SELinux policies.