How to Disable SELinux on Rocky Linux 9

Updated on 04 April, 2025

Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) mechanism that enforces security policies on Linux systems. It regulates how applications, processes, and users interact with files and system resources. By default, SELinux is enabled on Rocky Linux to enhance system security by restricting unauthorized access.

While it is not recommended to disable SELinux on production systems, some applications may require it to be disabled due to compatibility issues. This guide explains how to check the SELinux status, temporarily disable SELinux, and permanently disable SELinux on Rocky Linux 8 and 9.

SELinux Modes

SELinux operates in three different modes.

  • Enforcing: SELinux policies are actively enforced, restricting unauthorized access. This mode is recommended for production systems.
  • Permissive: SELinux policies are not enforced, but violations are logged. This mode is useful for debugging and testing.
  • Disabled: SELinux policies are completely turned off. This mode is not recommended as it removes all access controls.
Note
Keep the SELinux policy in enforcing mode on Rocky Linux to keep your instance secure. Disabling SELinux may expose your instance to security risks. However, if your application is not compatible with SELinux, use permissive mode before fully disabling SELinux.

Prerequisites

Before you begin, you need to:

Check SELinux Status

SELinux is enabled by default on Rocky Linux 9. Follow the steps below to check the default SELinux status before disabling it on your workstation.

  1. Check the SELinux status.

    $ sudo sestatus
    

    Your output should look like the one below.

    SELinux status:                 enabled
    Current mode:                   enforcing
  2. The sestatus command outputs the system's SELinux status and Current mode. For a filtered output, use:

    $ sudo sestatus | grep 'SELinux status\|Current mode'
    

Temporarily Disable SELinux

Follow the steps below to temporarily disable SELinux until the next reboot.

  1. Temporarily disable SELinux.

    $ sudo setenforce 0
    
  2. Verify the SELinux status.

    $ sudo sestatus | grep 'SELinux status\|Current mode'
    

    Output:

    SELinux status:                 enabled
    Current mode:                   permissive

    Based on the above output, the current mode is now permissive, and this change will persist until the next reboot. Reboot the system using sudo reboot and run sudo sestatus again to verify that the mode changes back to enforcing.

Permanently Disable SELinux

Permanently disabling SELinux is not recommended on Rocky Linux 9. Only disable SELinux if other security mechanisms such as firewalls are enabled. Follow the steps below to permanently disable SELinux on your workstation.

  1. Open the main SELinux configuration file using a text editor such as nano.

    $ sudo nano /etc/selinux/config
    
  2. Find the SELINUX= directive and change its value to disabled:

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=disabled
    

    Save and close the file.

  3. Reboot the instance to apply the system changes.

    $ sudo reboot
    
  4. Verify that SELinux is disabled after rebooting the system.

    $ sudo sestatus
    

    Output:

    SELinux status:                 disabled

    SELinux is now disabled based on the above output. The change persists across reboots, meaning SELinux will remain disabled unless you manually re-enable it. Any new modifications to the /etc/selinux/config file require a system reboot to take effect.

  5. Check the boot parameters to verify that SELinux is fully disabled at the kernel level.

    $ cat /proc/cmdline | grep selinux
    
    Note
    After permanently disabling SELinux, security policies will no longer be enforced. If you need to re-enable SELinux, modify the /etc/selinux/config file and reboot your instance to apply the changes.
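
The three checks used in this guide (the runtime mode, /etc/selinux/config and /proc/cmdline) can be reconciled in one audit script that flags a host whose SELinux state has been weakened or is waiting on a reboot. This is an added example, not part of the original guide; the function names config_mode, cmdline_params and assess and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: reconcile the runtime mode, the config file and the kernel
# command line. Function names and sample data are constructed, not the guide's.

# Print the active SELINUX= value from a config file (comment lines are ignored;
# SELINUXTYPE= does not match).
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Print the selinux= / enforcing= parameters found in a kernel cmdline string.
cmdline_params() {
    found=""
    for word in $1; do   # unquoted on purpose: split on whitespace
        case "$word" in
            selinux=*|enforcing=*) found="${found:+$found }$word" ;;
        esac
    done
    printf '%s\n' "$found"
}

# Compare the runtime mode (as printed by getenforce) with the configured mode.
assess() {
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    if [ "$runtime" != "$2" ]; then
        echo "drift: runtime=$runtime config=$2; config applies at next reboot"
    elif [ "$runtime" = "enforcing" ]; then
        echo "ok: enforcing"
    else
        echo "weakened: $runtime (persistent)"
    fi
}

# Constructed sample inputs: the state right after `sudo setenforce 0`.
sample_cfg=$(mktemp)
trap 'rm -f "$sample_cfg"' EXIT
printf '%s\n' '# SELINUX= can take one of these three values:' \
    'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$sample_cfg"
sample_cmdline='BOOT_IMAGE=/vmlinuz-constructed root=/dev/mapper/rl-root ro quiet'

echo "config:  $(config_mode "$sample_cfg")"
echo "cmdline: $(cmdline_params "$sample_cmdline")"
assess Permissive "$(config_mode "$sample_cfg")"

# On a real host, pass the live values instead:
#   assess "$(getenforce)" "$(config_mode /etc/selinux/config)"
#   cmdline_params "$(cat /proc/cmdline)"
```

cmdline_params prints an empty line when the kernel command line carries no selinux= or enforcing= parameter, which is also the case in which the grep in step 5 prints nothing.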

Conclusion

You have disabled SELinux on Rocky Linux 9. You temporarily disabled SELinux and permanently disabled it by modifying the main configuration file. If your application requires SELinux to be disabled, consider using permissive mode first to retain access logs. Disabling SELinux removes important security controls, so ensure that alternative security measures are enabled to secure your system. Run the man selinux command for more information and command options.
