How to Disable SELinux on Rocky Linux 9

Security-Enhanced Linux (SELinux) implements a mandatory access control (MAC) framework that strictly enforces security rules across Linux systems. On Rocky Linux 9, SELinux is activated by default to prevent unauthorized system activities. However, certain software may not function properly under these restrictions, which could necessitate turning off SELinux temporarily or permanently.

Although it’s generally advised to keep SELinux active in production settings, some compatibility problems may require deactivation. This guide outlines how to check the current SELinux status and provides instructions to disable it either temporarily or permanently on Rocky Linux 8 and 9.

SELinux Operating Modes

SELinux supports three distinct operational modes:

  • Enforcing: Applies all security policies. Recommended for production environments.
  • Permissive: Logs policy violations without enforcing restrictions. Helpful for testing and debugging.
  • Disabled: Turns off all SELinux controls. Not recommended as it removes all enforcement mechanisms.

Note: Keeping SELinux in enforcing mode is the best way to secure your Rocky Linux system. If an application is not compatible with SELinux, try permissive mode first before choosing to disable SELinux completely.

Requirements

Before starting, ensure you have:

  • A Rocky Linux 9 system
  • Non-root user access with sudo privileges

Checking SELinux Status

On Rocky Linux 9, SELinux is enabled by default. To verify its current status, run sudo sestatus.

The expected output includes the following lines:

  • SELinux status: enabled
  • Current mode: enforcing

To display only the status and mode, use:

$ sudo sestatus | grep 'SELinux status\|Current mode'

Temporarily Turning Off SELinux

To turn off SELinux enforcement temporarily (until the next system reboot), switch to permissive mode with sudo setenforce 0.

To confirm the change:

$ sudo sestatus | grep 'SELinux status\|Current mode'

Output:

  • SELinux status: enabled
  • Current mode: permissive

This temporary mode remains in effect only until the next reboot. After restarting with sudo reboot, the mode reverts to enforcing unless changed again.

Permanently Disabling SELinux

Disabling SELinux permanently should only be considered when other security layers like firewalls are in place. To proceed:

1. Open the SELinux config file using a text editor:

$ sudo nano /etc/selinux/config

2. Locate the line with SELINUX= and change it to:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled

3. Save and exit the file.

4. Reboot your machine with sudo reboot.

5. After rebooting, confirm that SELinux is turned off by running sudo sestatus again.

You should now see:

  • SELinux status: disabled

This confirms that SELinux is completely disabled, and the change will remain even after reboots unless manually reversed.

Confirming Kernel-Level SELinux Deactivation

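To ensure that SELinux has been disabled at the kernel level, check the kernel command line for a selinux parameter. The command below prints the command line only if it contains the string selinux; no output means no such parameter was passed at boot: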

$ cat /proc/cmdline | grep selinux

Note: Once SELinux is permanently turned off, no security rules will be enforced. If needed, re-enable it by editing the config file and rebooting your system.
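
The check below is an added example, not part of the original guide: a POSIX shell script that compares the three places this guide touches (the runtime mode, /etc/selinux/config, and the kernel command line) and reports when they disagree, for example after a temporary setenforce change or a config edit that has not been rebooted into yet. The function names and messages are illustrative; selinux=0 and enforcing=0 are the kernel boot parameters it looks for.

```shell
#!/bin/sh
# Added example: report whether the SELinux runtime mode, the config file
# and the kernel command line agree. File paths are parameters so the
# functions can also be run against copies or sample files.

# Print the SELINUX= value from the config file (last uncommented line wins).
configured_mode() {
    f=${1:-/etc/selinux/config}
    [ -r "$f" ] || { echo "unset"; return 0; }
    awk -F= '/^[ \t]*SELINUX=/ { gsub(/[ \t\r]/, "", $2); v = tolower($2) }
             END { if (v == "") v = "unset"; print v }' "$f"
}

# Print the SELinux-related boot parameters found, or "none".
cmdline_override() {
    f=${1:-/proc/cmdline}; out=""
    [ -r "$f" ] || { echo "none"; return 0; }
    for arg in $(cat "$f"); do
        case "$arg" in
            selinux=0|enforcing=0) out="${out:+$out }$arg" ;;
        esac
    done
    echo "${out:-none}"
}

# Print the current mode in lower case, or "unknown" without getenforce.
runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr '[:upper:]' '[:lower:]'
    else
        echo "unknown"
    fi
}

# Classify the combination: assess <runtime> <configured> <cmdline>
assess() {
    runtime=$1; config=$2; cmdline=$3
    case "$cmdline" in
        *selinux=0*)   echo "off: kernel booted with selinux=0"; return 0 ;;
        *enforcing=0*) echo "weakened: enforcing=0 boots in permissive mode"; return 0 ;;
    esac
    if [ "$runtime" != "$config" ]; then
        echo "drift: running $runtime, config file says $config for next boot"
    elif [ "$runtime" = "enforcing" ]; then
        echo "ok: enforcing now and after reboot"
    else
        echo "weakened: $runtime now and after reboot"
    fi
}

assess "$(runtime_mode)" "$(configured_mode)" "$(cmdline_override)"
```

A "drift" result after the temporary change in this guide is expected: the running mode is permissive while the config file still says enforcing.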

Conclusion

You’ve now successfully deactivated SELinux on Rocky Linux 9, both temporarily and permanently. Before opting to fully disable it, try using permissive mode to preserve audit logs. Disabling SELinux reduces your system’s built-in defenses, so always ensure other protective measures are in place. To learn more, refer to the manual by running man selinux.

Source: vultr.com
