Disable SELinux on CentOS 7 / RHEL 7 / Fedora Linux

Originally published at: https://www.cyberciti.biz/faq/disable-selinux-on-centos-7-rhel-7-fedora-linux/

I need to disable SELinux on CentOS 7. How can I disable SELinux from the command line over an SSH-based session?

Why would you want to disable SELinux? True, there is the use case where some kind of installation or other task requires it to be allowed without SELinux. But the warning in this article is not sufficient notice that disabling security features is not a valid administrative tactic. I am waiting for the next article here that explains how to solve common problems SELinux causes. One tip: every SELinux user should be familiar with the getsebool -a command.


I’m hoping for some SELinux guidance and this thread was the only one that seemed to address SELinux. I work for a commercial food service equipment manufacturer and many of our user interfaces use embedded touch-screen controls with applications running in Linux. Recently, we were asked if we have enabled SELinux features in our Linux kernel. We have not. I was told by some of our developers this isn’t necessary on the types of embedded systems we’re developing and putting in the field (restaurants, hospitals, convenience stores…). Do I need SELinux enabled on these types of equipment applications? I understand some of the advantages, but can someone help me justify if this is needed? Note - I’m not a programmer or an EE. I manage the controls sourcing and development for our company with over 100 divisions worldwide.

@ChuckG
Welcome @ChuckG to nixCraft forum!

There is no reason to disable SELinux on a local or remote system, as it provides an additional layer of system security. Some advantages:

  • All processes and files are labeled. SELinux policy rules define how processes interact with files, as well as how processes interact with each other. Access is only allowed if an SELinux policy rule exists that specifically allows it.

  • Fine-grained access control. Stepping beyond traditional UNIX permissions that are controlled at user discretion and based on Linux user and group IDs, SELinux access decisions are based on all available information, such as an SELinux user, role, type, and, optionally, a security level.

  • SELinux policy is administratively-defined and enforced system-wide.

  • Improved mitigation for privilege escalation attacks. Processes run in domains, and are therefore separated from each other. SELinux policy rules define how processes access files and other processes. If a process is compromised, the attacker only has access to the normal functions of that process, and to files the process has been configured to have access to. For example, if the Apache HTTP Server is compromised, an attacker cannot use that process to read files in user home directories, unless a specific SELinux policy rule was added or configured to allow such access.

  • SELinux can be used to enforce data confidentiality and integrity, as well as protecting processes from untrusted inputs.

However, SELinux is not:

  • antivirus software,

  • replacement for passwords, firewalls, and other security systems,

  • all-in-one security solution.

SELinux is designed to enhance existing security solutions, not replace them. Even when running SELinux, it is important to continue to follow good security practices, such as keeping software up-to-date, using hard-to-guess passwords, or firewalls. In short, when in doubt keep it enabled.
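To make the Apache case in the post above concrete, here is an added example (not part of the original thread or article) that summarizes SELinux AVC denial records by source type, target type, class and permission. The audit lines are constructed samples, and treating a record with no `permissive=` field as blocked is an assumption of this sketch.

```python
import re
from collections import Counter

# Constructed audit records for illustration; not taken from a real system.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read } for  pid=2211 comm="httpd" name="notes.txt" dev="dm-0" ino=7731 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000003.412:502): avc:  denied  { read open } for  pid=2211 comm="httpd" path="/home/alice/notes.txt" dev="dm-0" ino=7731 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000003.412:502): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1700000009.877:510): avc:  denied  { name_connect } for  pid=2214 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000011.020:511): avc:  denied  { getattr } for  pid=2214 comm="httpd" scontext=truncated
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?')

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one AVC denial into a dict, or None if it is not a complete denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    src, tgt = type_of(m["scontext"]), type_of(m["tcontext"])
    if src is None or tgt is None:
        return None
    return {"comm": m["comm"], "source": src, "target": tgt, "tclass": m["tclass"],
            "perms": m["perms"].split(),
            # permissive=1: logged but allowed. A missing field is assumed blocked.
            "blocked": m["permissive"] != "1"}

def summarize(log_text):
    """Count denials per (source type, target type, class, permission, blocked)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                counts[(rec["source"], rec["target"], rec["tclass"], perm, rec["blocked"])] += 1
    return counts

if __name__ == "__main__":
    for (src, tgt, cls, perm, blocked), n in sorted(summarize(SAMPLE_AUDIT_LOG).items()):
        print(f"{n}x {src} -> {tgt}:{cls} {{{perm}}} {'blocked' if blocked else 'logged only'}")
```

The repeated `httpd_t` to `user_home_t` entries are the policy behaving as the post describes: the web server's domain has no rule allowing it to read files labeled as user home content.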

Please excuse my naïve knowledge of Linux and SELinux. I need a more layperson view of how having SELinux enabled in our applications on commercial food service equipment improves security? Security from who? Most of our equipment is operated by a 16-year-old kid at a McDonalds or other restaurant. Managers have to enter passcodes to get to advanced settings, but I’m wondering how some of the enhanced security solutions benefit security of our equipment and our applications. To be honest, our developers are resisting enabling SELinux because they claim it would add significant programming time. They also claim future changes may be more difficult if programmers change. I’m merely looking for reasons to justify the potential enhanced programming time required or tell me my developers are full of crap and that enabling doesn’t add cost to the product and is not a significant increase to development time. I’m not even sure how it would be enabled, although I believe you have to go through RedHat or similar - am I correct? You’ve provided plenty of reasons to consider enabling SELinux, but I’m still not seeing how it benefits our type of use of Linux with commercial food service equipment. I hope I’ve explained better what type of advice I’m looking for. Thank you!