quick-docs/modules/ROOT/pages/_partials/proc_disabling-selinux.adoc

// Module included in the following assemblies:
//
// changing-selinux-states-and-modes.adoc

[#{context}-disabling-selinux]
= Disabling SELinux

When SELinux is disabled, SELinux policy is not loaded at all; it is not enforced and AVC messages are not logged. Therefore, all benefits of running SELinux listed in xref:{context}-benefits-of-selinux[Benefits of SELinux] are lost.

[IMPORTANT]
====
It is recommended to use permissive mode instead of permanently disabling SELinux. See xref:{context}-changing-to-permissive-mode[] for more information about permissive mode.
====

.Prerequisites

* The [package]`grubby` package is installed:
+
[subs="quotes"]
----
$ *rpm -q grubby*
grubby-_version_
----

.Procedure

To permanently disable SELinux:

. Configure your bootloader to add `selinux=0` to the kernel command line:
+
[subs="quotes"]
----
$ *sudo grubby --update-kernel ALL --args selinux=0*
----

. Restart your system:
+
[subs="quotes"]
----
$ *reboot*
----

.Verification step

* After reboot, confirm that the [command]`getenforce` command returns `Disabled`:
+
[subs="quotes"]
----
$ *getenforce*
Disabled
----
SELinux states and modes added 2018-06-22 16:10:52 +00:00			`// Module included in the following assemblies:`
			`//`
			`// changing-selinux-states-and-modes.adoc`

Update instructions for disabling and re-enabling SELinux The kernel functionality that allowed to disable SELinux by changing /etc/selinux/config is now deprecated and will be removed in F34 [1]. While setting SELINUX=Disabled will still lead to a similar state even after the removal, it is better to guide users to disable SELinux via kernel boot parameters, which will actually disable SELinux completely (as in no SElinux code is executed by the kernel). [1] https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> 2020-10-29 14:55:18 +00:00			`[#{context}-disabling-selinux]`
SELinux states and modes added 2018-06-22 16:10:52 +00:00			`= Disabling SELinux`

Change a link to an xref in Disabling SELinux 2020-11-09 20:24:44 +00:00			`When SELinux is disabled, SELinux policy is not loaded at all; it is not enforced and AVC messages are not logged. Therefore, all benefits of running SELinux listed in xref:{context}-benefits-of-selinux[Benefits of SELinux] are lost.`
SELinux states and modes added 2018-06-22 16:10:52 +00:00
			`[IMPORTANT]`
			`====`
Fix proc_disabling-selinux 2020-11-09 15:56:49 +00:00			`It is recommended to use permissive mode instead of permanently disabling SELinux. See xref:{context}-changing-to-permissive-mode[] for more information about permissive mode.`
SELinux states and modes added 2018-06-22 16:10:52 +00:00			`====`

Fix proc_disabling-selinux 2020-11-09 15:56:49 +00:00			`.Prerequisites`
SELinux states and modes added 2018-06-22 16:10:52 +00:00
Fix proc_disabling-selinux 2020-11-09 15:56:49 +00:00			* The [package]`grubby` package is installed:
			`+`
			`[subs="quotes"]`
			`----`
			`$ rpm -q grubby`
			`grubby-_version_`
			`----`

			`.Procedure`

			`To permanently disable SELinux:`

			. Configure your bootloader to add `selinux=0` to the kernel command line:
			`+`
Fix quoting in SELinux code blocks Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> 2020-10-29 20:14:11 +00:00			`[subs="quotes"]`
SELinux states and modes added 2018-06-22 16:10:52 +00:00			`----`
Fix proc_disabling-selinux 2020-11-09 15:56:49 +00:00			`$ sudo grubby --update-kernel ALL --args selinux=0`
Update instructions for disabling and re-enabling SELinux The kernel functionality that allowed to disable SELinux by changing /etc/selinux/config is now deprecated and will be removed in F34 [1]. While setting SELINUX=Disabled will still lead to a similar state even after the removal, it is better to guide users to disable SELinux via kernel boot parameters, which will actually disable SELinux completely (as in no SElinux code is executed by the kernel). [1] https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> 2020-10-29 14:55:18 +00:00			`----`
SELinux states and modes added 2018-06-22 16:10:52 +00:00
Fix proc_disabling-selinux 2020-11-09 15:56:49 +00:00			`. Restart your system:`
Update instructions for disabling and re-enabling SELinux The kernel functionality that allowed to disable SELinux by changing /etc/selinux/config is now deprecated and will be removed in F34 [1]. While setting SELINUX=Disabled will still lead to a similar state even after the removal, it is better to guide users to disable SELinux via kernel boot parameters, which will actually disable SELinux completely (as in no SElinux code is executed by the kernel). [1] https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> 2020-10-29 14:55:18 +00:00			`+`
			`[subs="quotes"]`
			`----`
Fix proc_disabling-selinux 2020-11-09 15:56:49 +00:00			`$ reboot`
SELinux states and modes added 2018-06-22 16:10:52 +00:00			`----`

Fix proc_disabling-selinux 2020-11-09 15:56:49 +00:00			`.Verification step`

			* After reboot, confirm that the [command]`getenforce` command returns `Disabled`:
SELinux states and modes added 2018-06-22 16:10:52 +00:00			`+`
Fix proc_disabling-selinux 2020-11-09 15:56:49 +00:00			`[subs="quotes"]`
SELinux states and modes added 2018-06-22 16:10:52 +00:00			`----`
Fix proc_disabling-selinux 2020-11-09 15:56:49 +00:00			`$ getenforce`
SELinux states and modes added 2018-06-22 16:10:52 +00:00			`Disabled`
			`----`