Security-enhanced Linux (SELinux) is a Linux kernel feature that provides a security
policy-based protection mechanism for access control. This topic describes how to
enable or disable SELinux and avoid system boot failures.
Prerequisites
An ECS instance is created from an Alibaba Cloud public image or a custom image.
Note: If the custom image that you use was created from imported local files or migrated
from the source server in Server Migration Center (SMC), ensure that SELinux is disabled
on the source server before migration.
Background information
Typically, enabling SELinux enhances system security. However, it can damage files
in the operating system and lead to system boot failures. If your enterprise or team
has strict security requirements and SELinux must be enabled on your operating systems,
you can perform the operations in this topic to enable SELinux and avoid system boot failures.
In this topic, the CentOS 7.2 64-bit operating system is used.
Enable SELinux
- Remotely connect to an ECS instance as a root user. For more information, see Overview.
- Run the following command on an instance to modify the config file of SELinux:
- Find SELINUX=disabled, press the I key to enter the edit mode, and then enable SELinux by modifying this parameter.
  You can modify the parameter to one of the following modes:
  - SELINUX=enforcing: indicates that all security policy violations will be prohibited.
  - SELINUX=permissive: indicates that security policy violations will not be prohibited but will be recorded in the operation logs.
- Press the Esc key and run the :wq command to save and close the file.
  Note: After you modify the config file, you must restart the instance for the modification to take effect. However, if you restart the instance directly, the system may fail to start. You need to create an autorelabel file under the root directory before you restart the instance.
- Create the hidden autorelabel file under the root directory. After the instance is restarted, SELinux automatically relabels all system files.
- Restart the ECS instance.
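The config edit and relabel steps above can also be scripted. The following is an added example, not part of the original topic: the function names and the optional ROOT argument (a directory prefix, default /) are assumptions made so the logic can be tried on a scratch directory tree first.

```shell
#!/bin/sh
# Added example: switch the SELINUX= mode and queue a relabel before reboot.
# ROOT (second argument) is a hypothetical prefix; leave it empty on a real
# instance so the paths resolve to /etc/selinux/config and /.autorelabel.

# Print the current SELINUX= value from ROOT/etc/selinux/config.
current_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "${1:-}/etc/selinux/config" | tail -n 1
}

# set_selinux_mode MODE [ROOT]
set_selinux_mode() {
    mode=$1 root=${2:-}
    cfg="$root/etc/selinux/config"
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode" >&2; return 2 ;;
    esac
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
    old=$(current_mode "$root")
    [ -n "$old" ] || { echo "no SELINUX= line in $cfg" >&2; return 1; }
    # Keep a backup, then rewrite in place so the file keeps its inode,
    # permissions and label. Only the SELINUX= line changes; SELINUXTYPE=
    # and comment lines are left alone.
    cp -p "$cfg" "$cfg.bak" || return 1
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg.bak" > "$cfg" || return 1
    # Going from disabled to an enabled mode: create the hidden autorelabel
    # file so all system files are relabeled on the next boot.
    if [ "$old" = disabled ] && [ "$mode" != disabled ]; then
        : > "$root/.autorelabel" || return 1
    fi
    echo "SELINUX: $old -> $mode (restart required)"
}

# On the instance, as root: set_selinux_mode enforcing
# then restart with: shutdown -r now
```

An invalid mode is rejected before the file is touched, which avoids writing a SELINUX= value to the config file that is not one of the three modes.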
Check SELinux status
- Remotely connect to an ECS instance as a root user. For more information, see Overview.
- Run the getenforce command to check the status of SELinux.
  The return value can be enforcing or permissive. The return value in this topic is enforcing.
- Run the sestatus command to query more information about SELinux.
  If the return value of SELinux status is enabled, SELinux is enabled.
Disable SELinux
- Remotely connect to an ECS instance as a root user. For more information, see Overview.
- Run the getenforce command to check the status of SELinux.
  If the return value is enforcing, SELinux is enabled.
- Disable SELinux temporarily or permanently.
  - Run the setenforce 0 command to disable SELinux temporarily.
  - Disable SELinux permanently.
    - Run the following command to edit the config file of SELinux:
      vi /etc/selinux/config
    - Find SELINUX=enforcing, press the I key to enter the edit mode, and then modify the parameter to SELINUX=disabled.
    - Press the Esc key and run the :wq command to save and close the file.
    - Restart the ECS instance.
      shutdown -r now
    - Run the getenforce command to check the status of SELinux. If the return value is disabled, SELinux is disabled.
What to do next
You can create a custom image from an ECS instance that has SELinux enabled. Then,
you can create more SELinux-enabled instances from this custom image.