SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) system built into the Linux kernel that provides an additional layer of security on Red Hat, CentOS, AlmaLinux, and Rocky Linux servers. While it is a powerful security tool, SELinux can interfere with certain applications — particularly web servers, mail servers, and custom software — that have not been configured with SELinux policies in mind.
This guide covers three approaches in order of preference: temporarily disabling SELinux (no reboot needed), switching to Permissive mode (logs but does not block), and permanently disabling it (requires a reboot).
⚠️ Security note: Completely disabling SELinux reduces your server’s defence-in-depth. Consider using Permissive mode first to identify policy violations without disrupting services, then either fix the policies or disable only for specific applications using semanage.
Check the Current SELinux Status
Before making any changes, check the current SELinux mode:
sestatus
You will see one of three modes: Enforcing (active, blocking), Permissive (logging only), or Disabled.
Option 1: Temporarily Disable SELinux (No Reboot)
Use setenforce to switch SELinux to Permissive mode immediately without a reboot. This is useful for troubleshooting — if your application starts working after this, SELinux was the cause:
# Switch to permissive (logs but does not block)
setenforce 0
# Verify
getenforce
# Output: Permissive
Note: This change is lost on reboot. The server will return to whichever mode is set in the config file after a restart.
Option 2: Permanently Disable SELinux (Requires Reboot)
To permanently disable SELinux, edit the SELinux configuration file. On RHEL/CentOS 6 and 7, the file is /etc/sysconfig/selinux (which is a symlink to /etc/selinux/config — both point to the same file):
vi /etc/selinux/config
Find the SELINUX= line and change it to disabled:
# Change this:
SELINUX=enforcing
# To this:
SELINUX=disabled
Save the file and reboot the server:
reboot
Verification After Reboot
After the server comes back online, confirm SELinux is fully disabled:
sestatus
# Output: SELinux status: disabled
getenforce
# Output: Disabled
SELinux Modes Explained
| Mode | Behaviour | Use Case |
|---|---|---|
| Enforcing | Actively blocks policy violations | Production servers with defined policies |
| Permissive | Logs violations but does not block | Troubleshooting, policy development |
| Disabled | Completely off — no logging or enforcement | Legacy apps or when policies cannot be written |
Troubleshooting: Application Still Blocked After Permissive Mode?
If switching to Permissive mode solves the problem, check the SELinux audit log to identify exactly which policies are being violated — then you can fix just those rules without fully disabling SELinux:
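# View recent SELinux denials (audit records read "avc:  denied" with two spaces, so match one or more)
grep -E "avc: +denied" /var/log/audit/audit.log | tail -20
# Explain in human-readable form why each access was denied
audit2why < /var/log/audit/audit.log
# Auto-generate a custom policy module (writes mypolicy.te and mypolicy.pp);
# read mypolicy.te before installing, since it allows every denial found in the log
audit2allow -a -M mypolicy
semodule -i mypolicy.pp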
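To see which distinct rules the log would turn into before handing it to audit2allow, the denials can be grouped first. The script below is an added example, not part of the original guide: the function names `summarize_avc` and `sample_audit_log` are hypothetical, and the log records are constructed samples.

```bash
#!/usr/bin/env bash
# Added example: group SELinux AVC denials into distinct rules for review.

# Constructed sample records in audit.log format (not taken from a real host).
sample_audit_log() {
  cat <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read open } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000042.500:219): avc:  denied  { read open } for  pid=1207 comm="httpd" name="about.html" dev="dm-0" ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000100.020:230): avc:  denied  { name_connect } for  pid=1207 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
EOF
}

# summarize_avc [FILE...]: read audit records from FILE(s) or stdin and print
#   COUNT COMM SOURCE_TYPE TARGET_TYPE CLASS PERMS permissive=N
# one line per distinct denial, most frequent first.
summarize_avc() {
  awk '
    /avc: +denied/ {
      # Permissions are the words between "{" and "}" after "denied".
      perms = $0
      sub(/^.*denied +[{] */, "", perms)
      sub(/ *[}].*$/, "", perms)
      gsub(/ +/, ",", perms)
      comm = src = tgt = cls = mode = "?"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)       { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
        if ($i ~ /^scontext=/)   { split($i, a, ":"); src = a[3] }  # user:role:TYPE:level
        if ($i ~ /^tcontext=/)   { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)     { cls = substr($i, 8) }
        if ($i ~ /^permissive=/) { mode = substr($i, 12) }
      }
      n[comm " " src " " tgt " " cls " " perms " permissive=" mode]++
    }
    END { for (k in n) print n[k], k }
  ' "$@" | sort -k1,1nr -k2
}

# Demo run on the constructed records.
sample_audit_log | summarize_avc
```

On a real host, run `summarize_avc /var/log/audit/audit.log` as root. Rows with `permissive=1` were logged but not blocked; rows with `permissive=0` were actually denied.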
