mirror of
https://pagure.io/fedora-docs/quick-docs.git
synced 2024-10-19 01:35:42 +00:00
65925232d5
The kernel functionality that allowed to disable SELinux by changing /etc/selinux/config is now deprecated and will be removed in F34 [1]. While setting SELINUX=Disabled will still lead to a similar state even after the removal, it is better to guide users to disable SELinux via kernel boot parameters, which will actually disable SELinux completely (as in no SElinux code is executed by the kernel). [1] https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
35 lines
1.3 KiB
Text
35 lines
1.3 KiB
Text
// Module included in the following assemblies:
|
|
//
|
|
// changing-selinux-states-and-modes.adoc
|
|
|
|
[#{context}-disabling-selinux]
|
|
= Disabling SELinux
|
|
|
|
When SELinux is disabled, SELinux policy is not loaded at all; it is not enforced and AVC messages are not logged. Therefore, all benefits of running SELinux listed in link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-introduction#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux[Benefits of SELinux] are lost.
|
|
|
|
[IMPORTANT]
|
|
====
|
|
It is recommended to use permissive mode instead of permanently disabling SELinux. See <<{context}-changing-to-permissive-mode>> for more information about permissive mode.
|
|
====
|
|
|
|
To permanently disable SELinux, follow the procedure below:
|
|
|
|
This procedure assumes that the [package]*grubby* package is installed. To verify that it is installed, use the following command:
|
|
[subs="quotes"]
|
|
----
|
|
~]$ rpm -q grubby
|
|
----
|
|
|
|
. Configure your bootloader to add `selinux=0` to the kernel command-line:
|
|
+
|
|
[subs="quotes"]
|
|
----
|
|
~]# grubby --update-kernel ALL --args selinux=0
|
|
----
|
|
|
|
. Reboot your system. After reboot, confirm that the [command]`getenforce` command returns `Disabled`:
|
|
+
|
|
----
|
|
~]$ getenforce
|
|
Disabled
|
|
----
|