Security-enhanced Linux (SELinux) is a Linux kernel feature that provides a security policy-based protection mechanism for access control. In general, we recommend that you enable SELinux to limit the permissions of processes, thereby guarding against threats from malicious programs. However, SELinux's strict access control mechanism may prevent some trusted applications or services from starting normally. In development or debugging scenarios, you may temporarily disable SELinux.
For more information about SELinux, see What is SELinux?
Enable SELinux
In this example, SELinux is enabled for an Elastic Compute Service (ECS) instance that runs CentOS 7.6 64-bit.
Connect to an ECS instance.
For information about the connection methods, see Connection method overview.
Run the following command to check the status of SELinux.
sestatus
If disabled is returned for SELinux status, SELinux is disabled for the instance.
Run the following command on the instance to open the config file of SELinux.
sudo vi /etc/selinux/config
Find the line containing SELINUX=disabled and press i on your keyboard to enter insert mode.
You can use one of the following configurations to enable SELinux:
SELINUX=enforcing: All requests that violate the SELinux security policy are denied.
SELINUX=permissive: Requests that violate the security policy are not denied, but are recorded in logs.
Press the Esc key and run the :wq command to save and exit the file.
Important: After modifying the config file, you need to restart the instance for the change to take effect. However, if you restart the instance immediately, the system may fail to boot. Therefore, you need to create an .autorelabel file before the restart to prevent the issue.
Run the following command to create the .autorelabel file.
sudo touch /.autorelabel
Run the following command to restart the instance.
sudo shutdown -r now
Note: After the instance is restarted, SELinux will automatically relabel all system files.
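The following check can be run before the restart step above to confirm that the config file holds a valid SELINUX= value and that the .autorelabel file exists when SELinux is being switched on. It is an added example, not part of the original procedure; the function names and return codes are hypothetical, and it accepts only the three lowercase values this page lists.

```shell
#!/bin/sh
# Added example (not from the original page): pre-restart check for the
# "Enable SELinux" procedure. Function names are hypothetical.

# Print the value of the last uncommented SELINUX= line in a config file.
# The key is matched case-sensitively, so "SELinux=..." is not accepted,
# and SELINUXTYPE= lines are ignored.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# selinux_reboot_check CONFIG CURRENT_STATUS RELABEL_FILE
#   CURRENT_STATUS: "enabled" or "disabled", as shown by sestatus.
# Prints a verdict and returns:
#   0  safe to restart
#   1  SELinux is being switched on but RELABEL_FILE does not exist
#   2  CONFIG has no valid SELINUX= setting
selinux_reboot_check() {
    cfg=$1; current=$2; relabel=$3
    mode=$(selinux_config_mode "$cfg")
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid"; return 2 ;;
    esac
    if [ "$current" = "disabled" ] && [ "$mode" != "disabled" ] \
        && [ ! -e "$relabel" ]; then
        echo "missing-autorelabel"; return 1
    fi
    echo "ok:$mode"
}

# On the instance, before "sudo shutdown -r now":
#   status=$(sestatus | awk '/^SELinux status:/ {print $3}')
#   selinux_reboot_check /etc/selinux/config "$status" /.autorelabel
```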
Disable SELinux
Disabling SELinux makes your system more vulnerable to attacks. Therefore, we recommend that you carefully evaluate the potential risks and make sure that other effective security measures are protecting your system.
Connect to an ECS instance.
For information about the connection methods, see Connection method overview.
Run the following command to check the status of SELinux.
sestatus
If enabled is returned for SELinux status, SELinux has been enabled for the instance.
Disable SELinux temporarily or permanently.
Temporarily disable SELinux
Run the following command to temporarily disable SELinux.
setenforce 0
Permanently disable SELinux
Run the following command to open the config file of SELinux:
sudo vi /etc/selinux/config
Find the SELINUX=enforcing or SELINUX=permissive configuration, press i on your keyboard to enter insert mode, and then change the configuration to SELINUX=disabled.
Press the Esc key and run the :wq command to save and exit the file.
Run the following command to restart the instance.
sudo shutdown -r now
Run the following command to check the status of SELinux.
sestatus
If disabled is returned for SELinux status, SELinux has been permanently disabled.
References
You can create a custom image from an ECS instance that has SELinux enabled. Then, you can create more instances with SELinux enabled from this custom image.