How to Disable SELinux on Rocky Linux (10, 9, 8)

Last updated on January 15, 2026 12:22 pm by Joshua James
Estimated reading time: 7 minutes
SELinux logo crossed out next to Rocky Linux logo on blue-green gradient background

Security-Enhanced Linux (SELinux) provides mandatory access control that protects Rocky Linux systems from unauthorized access and privilege escalation. While SELinux significantly strengthens security, you may need to disable it temporarily when troubleshooting application compatibility issues, testing custom software that conflicts with security policies, or working in development environments where strict access controls interfere with rapid iteration. Common scenarios include debugging containerized applications that fail under enforcing mode, testing legacy applications without SELinux-aware packaging, or isolating whether SELinux policies cause service startup failures.

This guide walks through temporarily disabling SELinux for troubleshooting sessions and permanently disabling it when necessary, then covers the complete re-enable process including the critical filesystem relabeling step. By the end, you will understand the three operational modes, know how to switch between them safely, and recognize when full kernel-level disablement via grubby is required on Rocky Linux 9 and 10.

These instructions apply to Rocky Linux 10, 9, and 8. The commands work identically across all three versions, though Rocky Linux 9 and 10 include additional notes about kernel-level SELinux disablement in the configuration file comments.

Contents hide
1 SELinux Mode Overview
2 Check Current SELinux Status
3 Temporarily Disable SELinux
4 Permanently Disable SELinux
5 Re-Enable SELinux
6 Troubleshoot Common Issues
7 Closing Thoughts

SELinux Mode Overview

SELinux operates in three distinct modes that control how security policies are applied. Understanding these modes helps you choose the right approach for troubleshooting or development work.

Enforcing Mode

  • SELinux actively enforces all security policies
  • Denies any operation that violates security policies
  • Logs all policy violations to /var/log/audit/audit.log
  • Production systems requiring maximum security should use this mode

Permissive Mode

  • SELinux identifies and logs policy violations but does not block them
  • Allows you to test policy changes without disrupting services
  • Useful for troubleshooting whether SELinux causes application failures
  • Resets to enforcing mode after system reboot unless permanently configured

Disabled Mode

  • SELinux security module is completely inactive
  • No policy enforcement or logging occurs
  • Removes the additional security layer SELinux provides
  • Requires filesystem relabeling when re-enabling to restore security contexts

Check Current SELinux Status

Before making changes, verify your current SELinux configuration. The sestatus command displays comprehensive status information including the current mode and policy type:

sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

The output confirms SELinux is enabled and running in enforcing mode with the targeted policy. The “Mode from config file” line shows what mode SELinux will use after the next reboot.

On minimal Rocky Linux installations or containers, the setenforce and sestatus commands may be missing. Install the utilities package if needed: sudo dnf install policycoreutils -y. Standard Rocky Linux Workstation and Server editions include these tools by default.

Temporarily Disable SELinux

Switching to permissive mode disables enforcement without requiring a reboot, making it ideal for troubleshooting. This change persists only until the next reboot, after which SELinux returns to its configured mode.

sudo setenforce 0

Verify the mode changed successfully:

getenforce
Permissive

The output confirms SELinux switched to permissive mode. SELinux logs policy violations to /var/log/audit/audit.log but does not block them, allowing you to identify whether SELinux caused the issue you are troubleshooting.

To restore enforcing mode without rebooting:

sudo setenforce 1

Permanently Disable SELinux

Permanent disablement requires modifying the SELinux configuration file. This change prevents SELinux from loading its policy at boot time.

Open the configuration file using your preferred text editor:

sudo nano /etc/selinux/config

Find the line SELINUX=enforcing and change it to:

SELINUX=disabled

Save the changes (Ctrl+O, Enter) and exit (Ctrl+X).

For complete kernel-level disabling, use grubby to add selinux=0 to the boot parameters: sudo grubby --update-kernel ALL --args selinux=0. This ensures SELinux never initializes during boot. To revert, run: sudo grubby --update-kernel ALL --remove-args selinux. The configuration file method is sufficient for most use cases.

Reboot the system to apply the configuration change:

sudo reboot

Verify SELinux is fully disabled:

sestatus
SELinux status:                 disabled

The output confirms SELinux is completely disabled. The system loads no policies and enforces no mandatory access controls until you re-enable SELinux.

Re-Enable SELinux

Reactivating SELinux requires modifying the configuration and triggering a filesystem relabel. Skipping the relabel step can cause boot failures or severe permission errors because files created while SELinux was disabled lack proper security contexts.

Open the configuration file:

sudo nano /etc/selinux/config

Change the line back to SELINUX=enforcing (or permissive if you prefer logging without enforcement initially).

Create the autorelabel file to force the system to relabel the filesystem on the next boot:

sudo touch /.autorelabel

If you previously used grubby to disable SELinux at the kernel level, remove that kernel argument:

sudo grubby --update-kernel ALL --remove-args selinux

Reboot the system:

sudo reboot

The boot process will take longer than usual as the system relabels all files. On systems with large filesystems or millions of files, this process can take 30 minutes or longer. Do not interrupt this process.

Verify SELinux is active:

sestatus
SELinux status:                 enabled
Current mode:                   enforcing

Troubleshoot Common Issues

Filesystem Relabeling Takes Extremely Long

The system assigns security context labels to every file during relabeling. The duration depends on filesystem size and storage speed.

You will see a boot message similar to:

*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
***

Monitor progress by switching to a different virtual console (Ctrl+Alt+F2) and checking the journal:

sudo journalctl -f | grep -i selinux

Do not interrupt the relabeling process. If you cancel it, the system will remain in an inconsistent state that requires a forced relabel on the next boot by recreating the /.autorelabel file.

System Fails to Boot After Configuration Change

If you encounter boot failures after modifying /etc/selinux/config, the configuration file may contain syntax errors or an invalid mode value.

Boot into rescue mode by selecting the rescue kernel from the GRUB menu, then check the configuration file:

grep SELINUX= /etc/selinux/config

Valid values are enforcing, permissive, or disabled. Correct any typos and reboot. If the file is severely corrupted, recreate it with the default content:

sudo tee /etc/selinux/config <<EOF
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

Application Still Blocked After Switching to Permissive Mode

If an application continues failing after switching to permissive mode, the issue is not SELinux-related. Verify the current mode is actually permissive:

getenforce
Permissive

Check the application’s logs and system journal for the actual error:

sudo journalctl -xe

Common non-SELinux causes include firewall rules blocking network connections, incorrect file permissions, missing dependencies, or configuration errors. For network services, verify firewall rules allow the required ports. See our guide on installing and configuring SSH on Rocky Linux.

Denied Operations Still Appearing in Audit Log After Disable

Setting SELINUX=disabled in the configuration file does not take effect until you reboot. Until then, SELinux continues running. Check the actual status:

sestatus

If the output shows Current mode: enforcing or permissive, the configuration change has not taken effect yet. Reboot the system to apply the configuration file changes. If you need immediate disablement without rebooting, use sudo setenforce 0 to switch to permissive mode temporarily.

Closing Thoughts

You now understand how to switch SELinux between enforcing, permissive, and disabled modes depending on your troubleshooting or development needs. The temporary setenforce method provides quick testing without persistence, while the configuration file approach creates permanent changes. When re-enabling SELinux after disablement, the /.autorelabel file triggers the critical filesystem relabeling that restores security contexts and prevents boot failures. For systems where SELinux remains disabled during extended troubleshooting, compensate with properly configured firewall rules and intrusion prevention tools. See our guides on enabling SSH on Rocky Linux and setting up Fail2Ban on Rocky Linux for additional security layers.

How to Install Fail2ban on Rocky Linux (10, 9, 8)

Leave a Comment

Let us know you are human:


If you have any legitimate inquiries, such as article suggestions, don't hesitate to contact LinuxCapable. Please ensure that your message is written in English.

Contact Us
About Us Disclaimer Privacy Policy Terms and Conditions