How to Disable SELinux on Fedora 26

This post describes what SELinux is and how you can disable it on Fedora 26 if you need to.

What is SELinux?

SELinux stands for Security Enhanced Linux and it is an additional layer of security on your computer.

At a basic level, it runs in the kernel and determines what each program is allowed to access on the computer. For example, a webserver may be set up so that it is only allowed to access port 80 by default. This provides security because programs that are not typically meant to access specific ports, programs or files are forbidden from doing so.

SELinux provides a large number of defaults for programs, ports and files to prevent this unauthorized access. These defaults are configured by the operating system and are a set of rules which can be turned on and off. In some cases these rules may need to be configured to allow a program to run unhindered by a SELinux policy.

Since the defaults will work for the majority of users they will typically not need to be changed. On a desktop computer these checks should not impact the performance.

To see if SELinux is running you can use the sestatus command:

[chewett@endor-fedora26-vm ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31

Here I have run it on my Fedora 26 installation and it is reporting that it is enabled and therefore active.

Why would I want to disable it?

If you are setting up a new service or program SELinux might limit its access to something it needs. If this is the case SELinux may need to be tweaked to allow your program to run.

Typical error messages may be that the program cannot access files it needs. This might occur if SELinux has forbidden access to the files your program is trying to access.

If SELinux has blocked a program's access, this will be noted in either /var/log/audit/audit.log or /var/log/messages. The lines recording a block will include the string avc: denied.

An example of a block message, taken from the SELinux Fedora FAQ, is:

type=AVC msg=audit(1214965667.121:635): avc: denied { unix_read unix_write } for pid=15524 comm="npviewer.bin" 
key=59918130 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s

Here npviewer.bin has been blocked by SELinux. From here you can go and search for the issue and find a solution, unblocking it if necessary.
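The following is an added example, not part of the original post or the Fedora FAQ: a small Python parser that groups avc: denied lines by program, SELinux types and permission, so the specific rule behind a block can be identified. The sample log lines, including the kernel-style /var/log/messages line, are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (not real log data): four denials plus two lines to ignore.
SAMPLE_LOG = """\
type=AVC msg=audit(1500000000.101:201): avc:  denied  { name_bind } for  pid=2101 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1500000001.202:202): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1500000002.303:203): avc:  denied  { read } for  pid=2101 comm="httpd" name="style.css" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1500000002.303:203): arch=c000003e syscall=2 success=no exit=-13
Jul 14 10:00:03 host kernel: audit: type=1400 audit(1500000003.404:204): avc:  denied  { write } for  pid=3001 comm="myapp" name="data" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1500000004.505:205): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def setype(context):
    """Return the type field of a user:role:type:level context ('' if absent)."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def parse_denial(line):
    """Parse one log line; return a dict for an AVC denial, otherwise None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "comm": fields.get("comm", "?"),
        "perms": tuple(m.group("perms").split()),
        "source_type": setype(fields.get("scontext", "")),
        "target_type": setype(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", "?"),  # '?' when the line is truncated
    }

def summarise(lines):
    """Count denials per (comm, source type, target type, class, permissions)."""
    counts = Counter()
    for line in lines:
        d = parse_denial(line)
        if d:
            counts[(d["comm"], d["source_type"], d["target_type"], d["tclass"], d["perms"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarise(SAMPLE_LOG.splitlines()).most_common():
        print(n, *key)
```
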

How to Disable SELinux on Fedora 26

If you are really sure that you want to turn off SELinux completely this can be done as described below.

Please note that, in almost all cases, it is better to find out what rule is preventing what you are trying to do from working. Once this has been found you can disable the rules that are causing the issue. This is a better idea than disabling SELinux completely, because the SELinux rules that you have not disabled would still be protecting you.

The SELinux config file is located at /etc/selinux/config, and to disable SELinux the SELINUX config setting needs to be set to disabled.

SELINUX=disabled

Once this is done the system needs a full reboot to apply the setting. This is because it is a kernel level option and the kernel must be fully restarted.

Once this has been done SELinux has been fully disabled on the system. I can now see this by running sestatus again.

[chewett@endor-fedora26-vm ~]$ sestatus
SELinux status: disabled

Now I can see that SELinux has been fully disabled on the system.
