Cobra Softwares Blog

Prerequisites

Before you begin, you need to:

• Have access to a Rocky Linux 9 instance as a non-root sudo user.

Check SELinux Status

SE Linux is enabled by default on Rocky Linux 9. Follow the steps below to check the default SELinux status before disabling it on your workstation.

1. Check the SELinux status.
   CONSOLE

   $ sudo sestatus
   

   Your output should look like the one below.

   SELinux status:                 enabled
   Current mode:                   enforcing

2. The sestatus command outputs the system’s SELinux status and Current mode. For a filtered output, use:
   CONSOLE

   $ sudo sestatus | grep 'SELinux status\|Current mode'
   

Temporarily Disable SELinux

Follow the steps below to temporarily disable SELinux until the next reboot.

1. Temporarily disable SELinux.
   CONSOLE

   $ sudo setenforce 0
   

2. Verify the SELinux status.
   CONSOLE

   $ sudo sestatus | grep 'SELinux status\|Current mode'
   

   Output:

   SELinux status:                 enabled
   Current mode:                   permissive

   Based on the above output, the current mode is now permissive, and this change will persist until the next reboot. Reboot the system using sudo reboot and run sudo sestatus again to verify that the mode changes back to enforcing.

Permanently Disable SELinux

Permanently disabling SELinux is not recommended on Rocky Linux 9. Only disable SELinux if other security mechanisms such as Firewalls are enabled. Follow the steps below to permanently disable SELinux on your workstation.

1. Open the main SELinux configuration file using a text editor such as nano.
   CONSOLE

   $ sudo nano /etc/selinux/config
   

2. Find the SELINUX= directive and change its value to disabled:
   INI

   # This file controls the state of SELinux on the system.
   # SELINUX= can take one of these three values:
   #     enforcing - SELinux security policy is enforced.
   #     permissive - SELinux prints warnings instead of enforcing.
   #     disabled - No SELinux policy is loaded.
   SELINUX=disabled
   

   Save and close the file.

3. Reboot the instance to apply the system changes.
   CONSOLE

   $ sudo reboot
   

4. Verify that SELinux is disabled after rebooting the system.
   CONSOLE

   $ sudo sestatus
   

   Output:

   SELinux status:                 disabled

   SELinux is now disabled based on the above output. The change persists across reboots, meaning SELinux will remain disabled unless you manually re-enabled again. Any new modifications to the /etc/selinux/config file require a system reboot to take effect.

5. Check the boot parameters to verify that SELinux is fully disabled at the kernel level.
   CONSOLE

   $ cat /proc/cmdline | grep selinux
   

   Note

   After permanently disabling SELinux, security policies will no longer be enforced. If you need to re-enable SELinux, modify the /etc/selinux/config file and reboot your instance to apply the changes.

Conclusion

You have disabled SELinux on Rocky Linux 9. You temporarily disabled SELinux and permanently disabled it by modifying the main configuration file. If your application requires SELinux to be disabled, consider using permissive mode first to retain access logs. Disabling SELinux removes important security controls, as a result, ensure that alternative security measures are enabled to secure your system. Run the man selinux command for more information and command options.