How to Disable SELinux Safely on Linux Systems

Disable SELinux

Table of Contents

Get up to 50% off now

Become a partner with CyberPanel and gain access to an incredible offer of up to 50% off on CyberPanel add-ons. Plus, as a partner, you’ll also benefit from comprehensive marketing support and a whole lot more. Join us on this journey today!

SELinux is Security-Enhanced Linux is a security module that enforces access control policies on a Linux system. SELinux adds an extra layer of protection, it can also interfere with applications, custom scripts, or server configurations. This is where you need to disable SELinux. 

This guide helps you learn all about SELinux, how it works, how to check the current status, and how to safely disable it. 

SELinux Modes Explained: Enforcing, Permissive, and Disabled

SELinux operates in either one of the three modes; enforcing, permissive, or disabled. This is how each of the security practices are applied: 

  • Enforcing: This is the default mode on most of the systems. The SELinux enforces its security policies strictly by blocking and logging any authorized access attempts. 
  • Permissive: SELinux policies are not enforced, but the violations are still logged. This mode is usually useful for debugging or testing without breaking the functionality. 
  • Disabled: On disabled mode, the SELinux is completely turned off. No access control or logging out occurs. 

Understanding these modes will help you decide if you want to disable SELinux or set it on permissive for troubleshooting. 

Check SELinux Status on Your System

Before making any changes, it is essential to check the present SELinux mode. You can use the sestatus command to do this. 

Alternatively, view the configuration file:

Tech Delivered to Your Inbox!

Get exclusive access to all things tech-savvy, and be the first to receive 

the latest updates directly in your inbox.

cat /etc/selinux/config

Look for the SELINUX= line, which shows whether SELinux is set to enforcing, permissive, or disabled at boot time.

How to Temporarily Disable SELinux (Until Reboot)

To disable SELinux without rebooting the system, switch it to permissive mode:

sudo setenforce 0

To confirm the change:

getenforce

Output should be:

Permissive

This change is only applicable till the next reboot and is useful only when you want to test if SELinux is causing issues without making any permanent changes. 

Related Article: Who Command In Linux – Syntax, Commands, and Troubleshooting Guide 

Enhance Your CyerPanel Experience Today!
Discover a world of enhanced features and show your support for our ongoing development with CyberPanel add-ons. Elevate your experience today!

How to Permanently Disable SELinux (Modify Config File)

To fully disable SELinux, you need to edit its configuration file. Here’s how:

  1. Open the config file in a text editor:

sudo nano /etc/selinux/config

  1. Locate the line:

SELINUX=enforcing

  1. Change it to:

SELINUX=disabled

  1. Save and exit the file.
  2. Reboot the system to apply the change:

sudo reboot

After rebooting, run sestatus again to confirm that SELinux is disabled:

SELinux status:                 disabled

Disabling SELinux on RHEL, AlmaLinux, and Rocky Linux

RHEL, AlmaLinux, and Rocky Linux all manage SELinux in the same way because they’re based on the Red Hat Enterprise Linux ecosystem. To disable SELinux on any of these:

  1. Edit the configuration file:

sudo nano /etc/selinux/config

  1. Change this line:

SELINUX=enforcing

to:

SELINUX=disabled

  1. Save the file and reboot your system:

sudo reboot

  1. After rebooting, verify with:

sestatus

The output should ideally say SELinux status: disabled.

These steps are uniform across all the OS, making it super simple to manage SELinux consistently. 

Risks and Considerations Before Disabling SELinux

While disabling SELinux is super easy, it is important to understand the risks that are associated with it. 

  • Reduced system security: SELinux enforces necessary access control that could prevent many types of attacks. 
  • Compliance risks: Disabling SELinux can violate the organizational or regulatory security policies. 
  • No visibility into blocked access: Once disabled, you could potentially lose audit logs that can help identify misconfigurations. 
  • False sense of security: Turning it off only fixes the symptoms, but not the root cause of permission issues. 

When to avoid disabling it:

  • In production systems
  • On internet-facing servers
  • In regulated environments (HIPAA, PCI-DSS, etc.)

Instead of the disabled mode, one should always consider the permissive mode or write custom SELinux policies as safer alternatives. 

Alternatives to Disabling SELinux (Policy Tweaks and Permissive Mode)

Instead of just disabling the SELinux completely, you can try much more safer options, such as: 

  1. Using Permissive Mode (Recommended for Debugging)

Switching to permissive mode temporarily to see what SELinux is blocking without enforcing rules: 

sudo setenforce 0

You can also make this persistent by setting SELINUX=permissive in /etc/selinux/config.

  1. Allow SELinux Booleans

SELinux has toggles for enabling and disabling certain behaviors. You can view them by: 

getsebool -a

Enable a boolean with:

sudo setsebool -P httpd_can_network_connect on

  1. Generate Custom Policies

Use tools like audit2allow to convert denied logs into rules:

sudo grep AVC /var/log/audit/audit.log | audit2allow -M mymodule

sudo semodule -i mymodule.pp

This lets you solve issues without removing SELinux’s protection entirely.

Verifying SELinux Is Disabled

After making changes and rebooting, always verify SELinux’s status:

  1. Using sestatus:

sestatus

Expected output:

SELinux status:                 disabled

  1. Using getenforce:

getenforce

Expected output:

Disabled

  1. Check config file directly:

cat /etc/selinux/config

Make sure it reads:

SELINUX=disabled

If you still see enforcing or permissive, the system may not have rebooted, or the config file wasn’t saved properly.

Conclusion: When and How to Disable SELinux Responsibly

Disabling SELinux can solve compatibility and access issues, especially when you are running custom applications or services that are not configured for strict security policies. This is why it is important to understand and recognize SELinux’s impact on your defense systems. 

What is the difference between disabling and setting SELinux to permissive?

Disabling SELinux turns it off completely. In permissive mode, SELinux doesn’t enforce policies but still logs access violations — making it safer for debugging and development.

How do I disable SELinux permanently?

To disable SELinux permanently, edit /etc/selinux/config and change SELINUX=enforcing to SELINUX=disabled, then reboot your system for the changes to apply.

Is it safe to disable SELinux on a production server?

Disabling SELinux reduces your system’s security. It is generally not recommended in production unless absolutely necessary. Instead, consider permissive mode or adjusting SELinux policies.

Marium Fahim
Hi! I am Marium, and I am a full-time content marketer fueled by an iced coffee. I mainly write about tech, and I absolutely love doing opinion-based pieces. Hit me up at [email protected].
Unlock Benefits

Become a Community Member

SIMPLIFY SETUP, MAXIMIZE EFFICIENCY!
Setting up CyberPanel is a breeze. We’ll handle the installation so you can concentrate on your website. Start now for a secure, stable, and blazing-fast performance!