Security-Enhanced Linux (SELinux) is a security architecture for Linux® systems that allows administrators to have more control over who can access the system. It was originally developed by the United States National Security Agency (NSA) as a series of patches to the Linux kernel using Linux Security Modules (LSM). Security Enhanced Linux (SELinux) provides an additional layer of system security.
we have two ways to check if SELinux is enabled or disabled in Linux.
Different types of selinux security policy in Linux
SELINUX= can take one of these three values:
enforcing – SELinux security policy is enforced.
permissive – SELinux prints warnings instead of enforcing.
disabled – No SELinux policy is loaded.
Check current SELINUX status with getenforce command in Linux
Use the getenforce to check in which mode SELinux is running.The getenforce command returns Enforcing, Permissive, or Disabled.
Check current SELINUX status with sestatus command in Linux
The sestatus command returns the SELinux status and the SELinux policy being used:
$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
Temporary solution to disable SELinux in Linux
we can modify the mode SELinux is running in using the setenforce command.
For example, to put SELinux in enforcing mode, run:
sudo setenforce Enforcing
sestatus
To put SELinux in permissive mode
sudo setenforce Permissive
sestatus
getenforce
Permanently Disable SELinux in Linux
- Edit the /etc/selinux/config file, run: sudo vi /etc/selinux/config
- Set SELINUX to disabled: SELINUX=disabled
- Save and close the file in vi/vim. Reboot the Linux system: sudo reboot