Is it Safe/Recommended to Disable SELinux?

Disabling SELinux is not a recommended course of action as it is not actually addressing security issues directly. Disabling SELinux is often done as an easy solution instead of correctly working with SELinux contexts. You could think of disabling SELinux on a system as similar to disabling a firewall on a system in order to avoid blocking certain traffic. A huge hole is opened instead of making a single specific adjustment.

Disabling SELinux will disable all SELinux functions including file and process labelling. If re-enabled later this will likely be problematic because new files will have been created without the proper labelling.

SELinux Modes

If on a system SELinux is enabled, you can select to put SELinux in enforcing mode or in permissive mode. In enforcing mode, SELinux is fully operational and enforcing all SELinux rules in the policy. If SELinux is in permissive mode, all SELinux-related activity is logged, but no access is blocked. This makes SELinux permissive mode an excellent mode to do troubleshooting. Permissive mode is also a great way to do something and see the result from an SELinux perspective by analyzing the messages that are written to /var/log/audit/audit/log.

Disable SELinux while booting

To set the default SELinux mode while booting, use the file /etc/sysconfig/selinux. Set “SELINUX=enforcing” in this file to disable SElinux on next reboot. Example file is shown below:

# cat /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#      enforcing - SELinux security policy is enforced.
#      permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
# SELINUXTYPE= can take one of these two values:
#      targeted - Targeted processes are protected,
#      minimum - Modification of targeted policy. Only selected
         processes are protected.
#      mls - Multi Level Security protection.

As you can see, in this file, which is read while booting, you can choose to put SELinux in enforcing, permissive, or disabled mode. To view the current status of SELinux use the “sestatus” command:

# sestatus

Disabling SELinux temporarily

To disable SElinux on the fly (temporarily,) there’s a relatively easy command:

# setenforce Permissive

But this will change again at boot-time.