hi
I want to know how to disable SELinux. Someone told me that it can be done, but I got no details about it. Please tell me how to disable SELinux.
thank you.
hi
Security-Enhanced Linux (SELinux) is a security patch applied to the Linux kernel. When enabled in the kernel, it follows the principle of least privilege. It is an implementation of mandatory access control using Linux Security Modules.
Security-enhanced Linux is a set of patches to the Linux kernel and some utilities to incorporate a strong, flexible mandatory access control (MAC) architecture into the major subsystems of the kernel. It provides a mechanism to enforce the separation of information based on confidentiality and integrity requirements, which allows threats of tampering and bypassing of application security mechanisms to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications. It includes a set of sample security policy configuration files designed to meet common, general-purpose security goals.
So I don't know why you want to disable SELinux?
well
how do I turn it off or disable SELinux enforcement?
SELinux can be disabled by passing kernel boot parameters. You need to open grub.conf (menu.lst) or lilo.conf and append selinux=0:
For example, here is my sample grub.conf file:
title Debian GNU/Linux, kernel 2.6.13-web100 Default
root (hd0,0)
kernel /boot/vmlinuz-2.6.13-web100 root=/dev/hdb1 ro selinux=0
initrd /boot/initrd.img-2.6.13-web100
savedefault
boot
Save the file and reboot the Linux system. Another option is to use the setenforce command
hi
Mainly there are two kinds of disabling:
* Permissive - switch the SELinux kernel into a mode where every operation is allowed. Operations that would be denied are allowed and a message is logged identifying that it would be denied. The mechanism that defines labels for files which are being created/changed is still active.
* Disabled - SELinux is completely switched off in the kernel. This allows all operations to be permitted, and also disables the process which decides what to label files & processes with.
Temporarily switch off enforcement
You can switch the system into permissive mode with the following command:
echo 0 >/selinux/enforce
You'll need to be logged in as root, and in the sysadm_r role:
newrole -r sysadm_r
To switch back into enforcing mode:
echo 1 >/selinux/enforce
In Fedora Core and RedHat Enterprise Linux you can use the setenforce command with a 0 or 1 option to set permissive or enforcing mode; it's just a slightly easier command than the above.
To check what mode the system is in,
cat /selinux/enforce
which will print a "0" or "1" for permissive or enforcing - probably printed at the beginning of the line of the command prompt.
Permanently Permissive
The above will switch off enforcement temporarily - until you reboot the system. If you want the system to always start in permissive mode, then here is how you do it.
In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and you will see some lines like this:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#   enforcing - SELinux security policy is enforced.
#   permissive - SELinux prints warnings instead of enforcing.
#   disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#   targeted - Only targeted network daemons are protected.
#   strict - Full SELinux protection.
SELINUXTYPE=targeted
Just change SELINUX=enforcing to SELINUX=permissive, and you're done. Reboot if you want to prove it.
For the other Linuxes which don't have the /etc/selinux/config file, you just need to edit the kernel boot line, usually in /boot/grub/grub.conf if you're using the GRUB boot loader. On the kernel line, add enforcing=0 at the end.
Fully Disabling SELinux
Fully disabling SELinux goes one step further than just switching into permissive mode. Disabling will completely disable all SELinux functions including file and process labelling.
In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and change the SELINUX line to SELINUX=disabled:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#   enforcing - SELinux security policy is enforced.
#   permissive - SELinux prints warnings instead of enforcing.
#   disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#   targeted - Only targeted network daemons are protected.
#   strict - Full SELinux protection.
SELINUXTYPE=targeted
and then reboot the system.
For the other Linuxes which don't have the /etc/selinux/config file, you just need to edit the kernel boot line, usually in /boot/grub/grub.conf, if you're using the GRUB boot loader. On the kernel line, add selinux=0 at the end. For example,
title SE-Linux Test System
root (hd0,0)
kernel /boot/vmlinuz-2.4.20-selinux-2003040709 ro root=/dev/hda1 nousb selinux=0
initrd /boot/initrd-2.4.20-selinux-2003040709.img
You will have to reboot to disable SELinux, you just can't do it while the system is running.
How to stop SELINUX
You can enable and disable SELinux enforcement in runtime or configure it for system boot, using the command line or GUI. There are three modes for SELinux to be in: disabled, meaning not enabled in the kernel; permissive, meaning SELinux is running and logging but not controlling permissions; enforcing, meaning SELinux is running and enforcing policy.
To toggle enforcement during runtime, use the setenforce [ 0 | 1 ] command. The 0 option turns enforcement off, the 1 option turns it on.
Eg.
# /usr/sbin/setenforce 0 ( to disable )
# /usr/sbin/setenforce 1 ( to enable )
These options only allow you to disable SELinux on the running system; after a reboot it will activate again.
The other way, to permanently disable SELinux, is to disable it in the config file /etc/selinux/config or /etc/sysconfig/selinux
#SELINUX=enforcing
SELINUX=disabled
Change the status to disabled then reboot.
How to check SELINUX status?
# /usr/sbin/sestatus
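Added example, not part of any post in this thread: a small audit that reads the three switches the replies describe (the SELINUX= line in the config file, selinux=0 / enforcing=0 on the kernel line, and the enforce node) and reports which of them has weakened SELinux. The function names and sample files are constructed for illustration; on a live system pass /etc/selinux/config, /proc/cmdline and the enforce node (/selinux/enforce on the releases discussed here, /sys/fs/selinux/enforce on current ones).

```shell
# Added example: audit the three SELinux switches discussed in the thread.
# Paths are arguments so the functions also run on constructed samples.

config_mode() {   # SELINUX= value; last uncommented assignment wins
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

boot_override() { # selinux=0 -> disabled, enforcing=0 -> permissive, else none
    # Assumption: when a parameter is repeated, the last occurrence applies.
    sel=$(tr ' \t' '\n\n' < "$1" | sed -n 's/^selinux=\([01]\)$/\1/p' | tail -n 1)
    enf=$(tr ' \t' '\n\n' < "$1" | sed -n 's/^enforcing=\([01]\)$/\1/p' | tail -n 1)
    if [ "$sel" = 0 ]; then echo disabled
    elif [ "$enf" = 0 ]; then echo permissive
    else echo none
    fi
}

runtime_mode() {  # a missing enforce node means SELinux is not running
    [ -r "$1" ] || { echo disabled; return 0; }
    case "$(cat "$1")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

audit_selinux() { # usage: audit_selinux CONFIG CMDLINE ENFORCE_NODE
    cfg=$(config_mode "$1"); boot=$(boot_override "$2"); run=$(runtime_mode "$3")
    echo "config=$cfg boot=$boot runtime=$run"
    if [ "$boot" != none ]; then
        echo "FINDING: kernel command line forces $boot, whatever the config file says"
    fi
    if [ "$cfg" != enforcing ]; then
        echo "FINDING: config file sets SELINUX=$cfg (persists across reboots)"
    fi
    if [ "$cfg" = enforcing ] && [ "$boot" = none ] && [ "$run" = permissive ]; then
        echo "FINDING: runtime is permissive but config is enforcing (changed since boot)"
    fi
}

# Constructed sample: the config says enforcing, but the boot line carries selinux=0.
demo=$(mktemp -d)
printf '# sample\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo/config"
echo 'ro root=/dev/hda1 nousb selinux=0' > "$demo/cmdline"
audit_selinux "$demo/config" "$demo/cmdline" "$demo/enforce"
rm -rf "$demo"
```

The third finding is the one a reboot silently clears, so it is worth logging at the time it is seen.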