Permanently disabling SELinux on Rocky Linux removes mandatory access control from every local service, so treat it as a last resort rather than a normal fix. For most troubleshooting, switch to permissive mode first: it stops enforcement immediately, keeps SELinux denial logging active, and lets you confirm whether policy is really blocking the application.
Use the permanent path only when a lab system, legacy workload, or performance-sensitive case has a documented reason to run without SELinux. Rocky Linux 9 and 10 need the selinux=0 kernel argument for full kernel-level disablement; setting only SELINUX=disabled in /etc/selinux/config no longer removes SELinux hooks the way Rocky Linux 8 does.
These steps cover Rocky Linux 10, 9, and 8. Rocky Linux 9 and 10 include the kernel-argument warning directly in /etc/selinux/config, while Rocky Linux 8 still accepts the older configuration-file disable path.
Disable SELinux on Rocky Linux: Choose a Method
Start by choosing the smallest change that answers your troubleshooting question. Permissive mode is temporary and reversible without a reboot, while disabled mode removes SELinux policy loading and requires a reboot plus careful re-enable planning.
| Mode | What changes | Best use |
|---|---|---|
| Enforcing | SELinux enforces policy and logs denials. | Normal Rocky Linux server and workstation operation. |
| Permissive | SELinux logs denials but does not block them. sudo setenforce 0 changes the live mode until reboot. | Short troubleshooting sessions where you need to prove whether SELinux is the blocker. |
| Disabled | SELinux policy is not loaded after reboot. Rocky Linux 9 and 10 require selinux=0 on the kernel command line for full disablement. | Specific lab, legacy, or risk-accepted cases where permissive mode is not enough. |
Red Hat’s SELinux state documentation also recommends permissive mode for production debugging instead of permanent disablement. Rocky Linux follows the same RHEL-family behavior for these core SELinux controls.
Check Current SELinux Status
Before changing SELinux, verify both the live mode and the configured boot mode. The sestatus command shows whether SELinux is enabled, which policy is loaded, and which mode the next boot will use.
sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
The output confirms SELinux is enabled, running in enforcing mode, and using the targeted policy. The Mode from config file line shows what SELinux will try to use after the next reboot, unless a kernel argument such as selinux=0 overrides it.
On minimal images or containers, setenforce, getenforce, sestatus, or fixfiles may be missing. Install the SELinux utility package when needed with sudo dnf install policycoreutils. Standard Rocky Linux Server and Workstation installs normally include it.
Temporarily Disable SELinux with Permissive Mode
Permissive mode is the safest first test because it disables enforcement without disabling SELinux itself. The change takes effect immediately, keeps denial logging available, and lasts only until reboot unless you also change /etc/selinux/config.
sudo setenforce 0
Verify the mode changed successfully:
getenforce
Permissive
The output confirms SELinux switched to permissive mode. Reproduce the failing application action while permissive mode is active; if the application starts working, inspect the SELinux denial and fix the policy, label, boolean, or port rule before deciding to disable SELinux permanently.
Restore enforcing mode as soon as the test is finished:
sudo setenforce 1
Permanently Disable SELinux on Rocky Linux
Permanent disablement is a boot-time change. Keep a working local console or tested remote access path before rebooting, especially on servers where SELinux policy might be part of the current access stack.
Do not use permanent disablement as the normal answer to an application denial. If permissive mode proves SELinux is involved, prefer the specific repair first: restore the file context, add a narrow port mapping, adjust a boolean, or create a local policy module for the denied operation.
Open the SELinux configuration file:
sudo nano /etc/selinux/config
Change the SELINUX= line to disabled so the file documents the intended boot state:
SELINUX=disabled
Save the changes (Ctrl+O, Enter) and exit (Ctrl+X).
Add the SELinux Kernel Argument
Rocky Linux 9 and 10 require the selinux=0 kernel argument for full kernel-level disablement. Rocky Linux 8 can still disable SELinux through /etc/selinux/config, but using the kernel argument gives one consistent workflow across all supported Rocky releases.
sudo grubby --update-kernel ALL --args selinux=0
Reboot to apply the bootloader and configuration changes:
sudo reboot
After the system returns, verify the effective mode first:
getenforce
Disabled
You can also confirm the detailed SELinux status:
sestatus
SELinux status: disabled
If getenforce does not return Disabled, the system did not boot with full SELinux disablement. On Rocky Linux 9 and 10, check that the active boot entry includes selinux=0 before assuming SELINUX=disabled was enough.
Re-Enable SELinux Safely
Re-enable SELinux in permissive mode first, relabel the filesystem, then return to enforcing mode after you have checked for AVC denials. Jumping straight from disabled to enforcing can break boot or service startup because files created while SELinux was disabled may have missing or incorrect contexts.
Open the configuration file:
sudo nano /etc/selinux/config
Set SELinux to permissive for the first boot after re-enabling:
SELINUX=permissive
SELINUXTYPE=targeted
If you used selinux=0 to disable SELinux, remove that full-disable argument. Add enforcing=0 so the system boots permissive even if the config file is later changed too early.
sudo grubby --update-kernel ALL --remove-args selinux
sudo grubby --update-kernel ALL --args enforcing=0
Reboot into permissive mode first:
sudo reboot
After the system returns, verify SELinux is in permissive mode:
getenforce
Permissive
Run the affected applications, then check for SELinux denials from the current day. Resolve important denials before enforcing policy again.
sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts today
A <no matches> result means the audit log has no matching SELinux denials for that time window. If AVC records appear, fix those labels, booleans, ports, or local policy issues before moving back to enforcing mode.
Mark the filesystem for a forced SELinux relabel on the next boot:
sudo fixfiles -F onboot
Only run fixfiles -F onboot after the system is configured to boot permissive. Relabeling directly into enforcing mode can break boot or service startup when important files are still unlabeled.
Reboot again and let Rocky Linux relabel the filesystem:
sudo reboot
The boot process can take much longer than usual while Rocky Linux relabels filesystems. Large servers or systems with millions of files can take 30 minutes or longer. Do not interrupt the relabel.
After the relabel boot completes, verify permissive mode again and repeat the denial check if the system runs custom services:
getenforce
Permissive
When the system runs cleanly in permissive mode, open the configuration file and set SELinux back to enforcing:
sudo nano /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted
Remove the temporary enforcing=0 kernel argument, reboot, and verify enforcing mode:
sudo grubby --update-kernel ALL --remove-args enforcing
sudo reboot
getenforce
Enforcing
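The denial check in the re-enable steps above is easier to act on when repeated AVC records are grouped. The following is an added example, not part of the original guide: summarize_avc and the SAMPLE_AVC records are constructed for illustration, and the function reads raw audit records on standard input.

```shell
#!/bin/sh
# Added example: group AVC denials by process, source type, target type,
# object class and permission, most frequent first.

summarize_avc() {
    awk '
    function field(name,   i) {
        # Return the value of the first name=value token on the record.
        for (i = 1; i <= NF; i++)
            if (index($i, name "=") == 1) return substr($i, length(name) + 2)
        return "-"
    }
    /avc: +denied/ {
        perms = $0
        sub(/.*[{] */, "", perms)     # drop everything up to "{ "
        sub(/ *[}].*/, "", perms)     # drop " }" and the rest
        comm = field("comm"); gsub(/"/, "", comm)
        split(field("scontext"), s, ":")   # user:role:type:level
        split(field("tcontext"), t, ":")
        key = comm " " s[3] " " t[3] " " field("tclass") " {" perms "}"
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample records in the raw audit log format.
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { name_bind } for  pid=1201 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=49 success=yes exit=0 comm="httpd"
type=AVC msg=audit(1700000009.555:207): avc:  denied  { name_bind } for  pid=1201 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000050.300:210): avc:  denied  { read } for  pid=1300 comm="sshd" name="authorized_keys" dev="dm-0" ino=4242 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1'

printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

On a live host, pipe the ausearch command from the denial check into summarize_avc; each output line then points at one label, port, or boolean to repair before returning to enforcing mode.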
Troubleshoot Common Issues
Filesystem Relabeling Takes Extremely Long
The system assigns security context labels to every file during relabeling. The duration depends on filesystem size, file count, and storage speed.
The boot console may warn that the targeted SELinux policy relabel is required and that relabeling can take a long time. That message is expected during a forced relabel.
After the system finishes booting, review the relabel unit in the current boot journal:
sudo journalctl -b -u selinux-autorelabel.service --no-pager
Do not interrupt the relabeling process. If it is canceled, the system can remain in an inconsistent state and need another forced relabel with sudo fixfiles -F onboot before the next boot.
System Fails to Boot After Configuration Change
If boot fails after modifying /etc/selinux/config, the file may contain a syntax error, an invalid mode value, or an enforcing first boot before relabeling completed.
Boot into rescue mode from the GRUB menu, then check the configuration file:
grep SELINUX= /etc/selinux/config
Valid values are enforcing, permissive, or disabled. For recovery, use permissive first so the next boot can complete while SELinux logs denials. If the file is severely corrupted, recreate a minimal targeted-policy configuration:
sudo tee /etc/selinux/config > /dev/null <<'EOF'
SELINUX=permissive
SELINUXTYPE=targeted
EOF
Application Still Blocked After Switching to Permissive Mode
If an application continues failing after switching to permissive mode, SELinux is probably not the component blocking that action. Verify the current mode is actually permissive before moving to other causes:
getenforce
Permissive
Check the application’s logs and system journal for the actual error:
sudo journalctl -xe
Common non-SELinux causes include firewall rules blocking network connections, incorrect file permissions, missing dependencies, or application configuration errors. For SSH access problems, the Rocky Linux SSH setup guide covers service checks, firewalld rules, and SELinux custom-port handling.
SELinux Still Shows Enabled After Reboot
Setting SELINUX=disabled in the configuration file does not take effect until reboot, and Rocky Linux 9 or 10 still needs the selinux=0 kernel argument for full disablement. Check the effective status first:
sestatus
If the output still shows Current mode: enforcing or permissive, inspect the active boot entry for the kernel argument:
sudo grubby --info=DEFAULT | grep -E '^args='
When selinux=0 is missing on Rocky Linux 9 or 10, add it with sudo grubby --update-kernel ALL --args selinux=0 and reboot again. If you only need immediate troubleshooting without rebooting, use sudo setenforce 0 to switch to permissive mode temporarily.
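The precedence described above (kernel arguments first, then /etc/selinux/config) can be checked mechanically. The following is an added example, not part of the original guide: the function names and sample inputs are constructed, and the result labels such as disabled-config-only are this example's own wording.

```shell
#!/bin/sh
# Added example: classify the SELinux state a boot will produce from the
# config file plus the kernel arguments. Function names are illustrative.

# Print the last uncommented SELINUX= value in a config file.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# kernel_arg NAME "ARGS": print the value of NAME=value, or nothing.
kernel_arg() {
    for word in $2; do
        case "$word" in
            "$1"=*) echo "${word#*=}" ;;
        esac
    done | tail -n 1
}

# selinux_boot_state CONFIG_FILE "KERNEL ARGS"
selinux_boot_state() {
    if [ "$(kernel_arg selinux "$2")" = "0" ]; then
        echo "disabled-kernel-arg"; return 0    # full kernel-level disablement
    fi
    mode=$(config_mode "$1")
    case "$mode" in
        disabled) echo "disabled-config-only"; return 0 ;;  # not full on 9/10
        enforcing|permissive) ;;
        *) echo "invalid-config"; return 1 ;;   # typo or missing SELINUX= line
    esac
    case "$(kernel_arg enforcing "$2")" in
        0) echo "permissive" ;;                 # boot argument overrides the file
        1) echo "enforcing" ;;
        *) echo "$mode" ;;
    esac
}

# Constructed sample inputs; nothing is read from the running host.
demo_dir=$(mktemp -d)
printf '# sample\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$demo_dir/disabled"
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo_dir/enforcing"
selinux_boot_state "$demo_dir/disabled" "ro rhgb quiet"
selinux_boot_state "$demo_dir/disabled" "ro rhgb quiet selinux=0"
selinux_boot_state "$demo_dir/enforcing" "ro rhgb quiet enforcing=0"
rm -rf "$demo_dir"
```

To audit the running boot on a real host, call selinux_boot_state /etc/selinux/config "$(cat /proc/cmdline)" and compare the result with getenforce.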
Conclusion
Rocky Linux now has a clear SELinux path: enforcing for normal operation, permissive for focused troubleshooting, or disabled only when the boot argument and re-enable plan are documented. After a relabel, watch service logs before returning critical workloads to production, and add Fail2Ban on Rocky Linux for exposed SSH services as an extra layer rather than a SELinux replacement.

