How to enable/disable SELinux on a server

To temporary change SELinux mode on a server (until next server reboot if not changed back manually), use the setenforce command with the parameters 0 (permissive mode) and 1 (enforcing mode):

• permissive (option 0) - The SELinux system prints warnings, but does not enforce policy. Commonly used for troubleshooting.

• enforcing (option 1) - The SELinux security policy is enforced.

   

  To change SELinux mode to "permissive"

  1. Connect to a server via SSH.

  2. Run the command:

     # setenforce 0

  3. Check the current status of SELinux:

     # sestatus | grep "Current mode"
     Current mode: permissive

      

  To set SELinux back to "enforcing", run

  # setenforce 1

1. Connect to a server via SSH.

2. Open the file /etc/selinux/config in any text editor. In this example, we are using the vi utility:

   # vi /etc/selinux/config

3. Change the SELINUX value to:

   • disabled to completely turn off SELinux on the server:

     SELINUX=disabled

   • permissive to make SELinux print warnings instead of enforce security policy:

     SELINUX=permissive

   • enforcing to make SELinux security policy enforced:

     SELINUX=enforcing

4. Save the changes and close the file.

5. Restart the server to apply the changes.

6. Check the permanent status of SELinux:

   # sestatus | grep "Mode from config file"
   Mode from config file: permissive