Elastic Compute Service: Enable or disable SELinux

Last Updated: Apr 01, 2024

Security-enhanced Linux (SELinux) is a Linux kernel feature that provides a security policy-based protection mechanism for access control. In general, we recommend that you enable SELinux to limit the permissions of processes, thereby guarding against threats from malicious programs. However, SELinux's strict access control mechanism may prevent some trusted applications or services from starting normally. In development or debugging scenarios, you may temporarily disable SELinux.

Note

For more information about SELinux, see What is SELinux?

Enable SELinux

In this example, SELinux is enabled for an Elastic Compute Service (ECS) instance that runs CentOS 7.6 64-bit.

  1. Connect to an ECS instance.

    For information about the connection methods, see Connection method overview.

  2. Run the following command to check the status of SELinux.

    sestatus

    If disabled is returned for SELinux status, SELinux is disabled for the instance.

  3. Run the following command on the instance to open the config file of SELinux.

    sudo vi /etc/selinux/config
  4. Find the line containing SELINUX=disabled and press i on your keyboard to enter insert mode.

    You can use one of the following configurations to enable SELinux:

    • SELINUX=enforcing: All requests that violate the SELinux security policy are denied.

    • SELINUX=permissive: Requests that violate the security policy are not denied, but are recorded in logs.

  5. Press the Esc key and run the :wq command to save and exit the file.

    Important

    After modifying the config file, you need to restart the instance for the change to take effect. However, if you restart the instance immediately, the system may fail to boot. Therefore, you need to create an .autorelabel file before the restart to prevent the issue.

  6. Run the following command to create the .autorelabel file.

    sudo touch /.autorelabel
  7. Run the following command to restart the instance.

    Note

    After the instance is restarted, SELinux will automatically relabel all system files.

    sudo shutdown -r now
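
The enable procedure above, as an added shell example (not from the original page): it sets the SELINUX= line without an editor and refuses to call a restart safe while the .autorelabel file is missing. The function names config_mode, set_config_mode, reboot_check and demo are made up for this example, and the file paths are parameters so the steps can be rehearsed on a copy.

```shell
#!/bin/sh
# Added example. Paths are parameters so the steps can be rehearsed on a copy;
# on the instance they are /etc/selinux/config and / (run as root).

# Print the mode from the last uncommented SELINUX= line (SELINUXTYPE= is skipped).
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*$/\1/p' "$1" | tail -n 1
}

# usage: set_config_mode FILE MODE -- rewrite SELINUX=, keep FILE.bak as a backup.
set_config_mode() {
    case "$2" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $2" >&2; return 2 ;;
    esac
    grep -q '^[[:space:]]*SELINUX=' "$1" || { echo "no SELINUX= line in $1" >&2; return 3; }
    sed -i.bak "s/^[[:space:]]*SELINUX=.*/SELINUX=$2/" "$1"
}

# usage: reboot_check FILE ROOT_DIR RUNTIME -- RUNTIME is enabled|disabled (from sestatus).
# Fails when a disabled system is about to boot with SELinux on and no relabel is queued.
reboot_check() {
    mode=$(config_mode "$1")
    if [ "$3" = disabled ] && [ "$mode" != disabled ] && [ ! -e "$2/.autorelabel" ]; then
        echo "UNSAFE: SELINUX=$mode but $2/.autorelabel is missing" >&2
        return 1
    fi
    echo "OK: config=$mode runtime=$3"
}

# Rehearsal on a constructed config in a scratch directory (not a real /etc).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# SELINUX= can take one of these three values:' \
        'SELINUX=disabled' 'SELINUXTYPE=targeted' > "$d/config"
    set_config_mode "$d/config" enforcing
    reboot_check "$d/config" "$d" disabled || echo "-> create .autorelabel first"
    touch "$d/.autorelabel"
    reboot_check "$d/config" "$d" disabled
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```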

Disable SELinux

Important

Disabling SELinux renders your system more vulnerable to attacks. Therefore, we recommend that you carefully evaluate the potential risks and make sure that there are other effective security measures protecting your system.

  1. Connect to an ECS instance.

    For information about the connection methods, see Connection method overview.

  2. Run the following command to check the status of SELinux.

    sestatus

    If enabled is returned for SELinux status, SELinux has been enabled for the instance.

  3. Disable SELinux temporarily or permanently.

    Temporarily disable SELinux

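    Run the following command to temporarily disable SELinux. The command switches SELinux to permissive mode, and the setting is lost when the instance restarts.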

    setenforce 0

    Permanently disable SELinux

    1. Run the following command to open the config file of SELinux:

      sudo vi /etc/selinux/config
    2. Find the SELINUX=enforcing or SELINUX=permissive configuration, press i on your keyboard to enter insert mode, and then change the configuration to SELINUX=disabled.

    3. Press the Esc key and run the :wq command to save and exit the file.

    4. Run the following command to restart the instance.

      sudo shutdown -r now
    5. Run the following command to check the status of SELinux.

      sestatus

      If disabled is returned for SELinux status, SELinux has been permanently disabled.


References

You can create a custom image from an ECS instance that has SELinux enabled. Then, you can create more instances with SELinux enabled from this custom image.