Disable SELinux on Rocky Linux 10 / AlmaLinux 10 / RHEL 10

SELinux (Security-Enhanced Linux) is a mandatory access control system built into the Linux kernel. It enforces security policies that restrict what processes can access – files, network ports, other processes – based on predefined rules. On Rocky Linux 10, AlmaLinux 10, and RHEL 10, SELinux runs in enforcing mode by default.

This guide covers how to check SELinux status, switch to permissive mode for troubleshooting, disable SELinux completely through the config file or kernel boot parameters, and re-enable it after disabling. We strongly recommend permissive mode over a full disable in most cases.

When to Disable SELinux on Rocky Linux 10 / AlmaLinux 10

The short answer: almost never in production. SELinux is a critical security layer that protects your system even when applications have vulnerabilities. Disabling it removes all mandatory access control enforcement, leaving your system reliant solely on traditional Unix permissions.

That said, there are valid reasons to temporarily disable SELinux:

  • Development and testing environments – where security policies get in the way of rapid iteration
  • Troubleshooting – to confirm whether SELinux is blocking a specific application or service
  • Legacy software – older applications that cannot run under SELinux policies and have no available policy modules
  • Quick lab setups – disposable VMs where security hardening is not a priority

Before disabling SELinux completely, try permissive mode first. Permissive mode logs all policy violations without blocking anything – this lets you identify exactly what SELinux is denying so you can write targeted policy rules instead of turning off the entire framework. Check our guide on how to troubleshoot SELinux on Rocky Linux 10 / AlmaLinux 10 for details on reading and resolving audit denials.

Prerequisites

  • A server running Rocky Linux 10, AlmaLinux 10, or RHEL 10
  • Root or sudo access
  • Access to reboot the server (required for persistent changes)

Step 1: Check Current SELinux Status

Before making any changes, check the current SELinux mode. The quickest way is with the getenforce command.

getenforce

This returns a single word showing the current mode – Enforcing, Permissive, or Disabled:

Enforcing

For more detailed information, use the sestatus command.

sestatus

The output shows the SELinux status, loaded policy, current runtime mode, and the mode configured in the config file:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

Pay attention to two lines: Current mode shows the runtime mode, while Mode from config file shows what mode will be applied after the next reboot. These can differ if you have changed the runtime mode without editing the config file.

Step 2: Set SELinux to Permissive Mode

Permissive mode is the recommended alternative to disabling SELinux entirely. In permissive mode, SELinux logs all policy violations to the audit log (/var/log/audit/audit.log) but does not block any actions. This gives you the same functional result as disabling SELinux while preserving the audit trail you need to fix the actual problem.

Temporary Permissive Mode (Until Reboot)

To switch to permissive mode immediately without editing any files, run the following command.

sudo setenforce 0

Verify the change took effect.

getenforce

The output should now show Permissive:

Permissive

This change is temporary. The system will return to whatever mode is set in /etc/selinux/config after a reboot.

Persistent Permissive Mode (Survives Reboot)

To make permissive mode persistent, edit the SELinux configuration file.

sudo vi /etc/selinux/config

Find the SELINUX= line and change it to permissive:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Alternatively, use sed to make the change in one command.

sudo sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config

Verify the configuration file was updated correctly.

grep -v '^#' /etc/selinux/config | grep SELINUX=

The output should show the updated value:

SELINUX=permissive

The config file change takes effect after the next reboot. If you want permissive mode immediately, also run sudo setenforce 0 as shown in the previous section. If you are configuring firewalld on Rocky Linux 10, note that SELinux works alongside firewall rules – they are independent security layers.
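Permissive mode is only useful if the denials it records get read. The script below is an added example, not part of the original guide: it groups AVC records from audit log text by command, source type, permission, object class and target type, and marks whether each denial was blocked or only logged. The function names and the sample records are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: group AVC denials from audit log text read on stdin.
# Output columns: count comm source_type permissions class target_type mode

summarize_avc() {
  awk '
    /type=AVC/ && /denied/ {
      comm = stype = perm = tclass = ttype = "?"; mode = "enforcing"
      # Denied permissions sit between braces, e.g. { read open }
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      gsub(/ /, ",", perm)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
        if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); stype = s[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); ttype = t[3] }
        if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        if ($i == "permissive=1") mode = "permissive"   # logged, not blocked
      }
      seen[comm " " stype " " perm " " tclass " " ttype " " mode]++
    }
    END { for (k in seen) print seen[k], k }
  ' | sort -k1,1nr -k2
}

# Constructed sample records (not taken from a real host).
sample_audit_log() {
  cat <<'EOF'
type=AVC msg=audit(1700000000.101:410): avc:  denied  { name_bind } for  pid=2101 comm="httpd" src=8765 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000000.101:410): arch=c000003e syscall=49 success=yes exit=0 comm="httpd"
type=AVC msg=audit(1700000005.220:411): avc:  denied  { name_bind } for  pid=2101 comm="httpd" src=8765 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000009.330:415): avc:  denied  { read open } for  pid=2150 comm="nginx" path="/srv/site/index.html" dev="dm-0" ino=1337 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

sample_audit_log | summarize_avc
```

On a live host, feed it the real log instead of the sample: sudo cat /var/log/audit/audit.log | summarize_avc.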

Step 3: Disable SELinux Completely

If permissive mode does not meet your needs, you can disable SELinux entirely. Be aware that disabling SELinux in production removes a critical security layer and is not recommended by Red Hat. Once disabled, SELinux stops loading any policy and no access control decisions are made.

Edit the SELinux configuration file.

sudo vi /etc/selinux/config

Change the SELINUX= line to disabled:

SELINUX=disabled

Or use sed to make the change from the command line.

sudo sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config

Verify the change was written correctly.

grep -v '^#' /etc/selinux/config | grep SELINUX=

The output confirms SELinux is set to disabled:

SELINUX=disabled

A reboot is required for the change to take full effect. The kernel needs to start without loading the SELinux policy.

sudo reboot

After the system comes back up, verify SELinux is disabled.

sestatus

The output should confirm SELinux is fully disabled:

SELinux status:                 disabled

You can also confirm with getenforce, which should return Disabled.

Step 4: Disable SELinux via Kernel Boot Parameter

An alternative way to disable SELinux is through the kernel boot parameter. This method tells the kernel to skip SELinux initialization entirely, and it survives even if someone changes /etc/selinux/config back to enforcing. This is useful in situations where the config file gets overwritten by package updates or automation tools.

Use the grubby tool to add the selinux=0 parameter to all kernel entries.

sudo grubby --update-kernel ALL --args selinux=0

Verify the parameter was added to the default kernel entry.

sudo grubby --info DEFAULT

Look for selinux=0 in the args line of the output:

index=0
kernel="/boot/vmlinuz-6.12.0-55.el10.x86_64"
args="ro crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rl-swap rd.lvm.lv=rl/root rd.lvm.lv=rl/swap selinux=0"
root="/dev/mapper/rl-root"
initrd="/boot/initramfs-6.12.0-55.el10.x86_64.img"
title="Rocky Linux (6.12.0-55.el10.x86_64) 10.0"
id="abc123..."

Reboot for the kernel parameter to take effect.

sudo reboot

After reboot, confirm SELinux is disabled with getenforce or sestatus. To remove this parameter later and re-enable SELinux, see the re-enabling section below. For additional server hardening measures, consider setting up Fail2ban on Rocky Linux 10 to protect against brute force attacks.
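Because the runtime mode, /etc/selinux/config and the kernel command line can each say something different, a host can stay disabled after someone believes they turned SELinux back on. The check below is an added example, not part of the original guide: it compares the three sources and reports which one wins. The function names are hypothetical, the inputs are constructed, and it also recognises the kernel's enforcing=0 parameter, which this guide does not use.

```bash
#!/usr/bin/env bash
# Added example: detect disagreement between runtime mode, config file and kernel cmdline.

# Mode from a config file (argument; defaults to /etc/selinux/config), lowercased.
config_mode() {
  awk -F= '/^SELINUX=/ { gsub(/[ \t\r]/, "", $2); print tolower($2); exit }' \
    "${1:-/etc/selinux/config}"
}

# Boot override in a kernel command line string: disabled, permissive or none.
cmdline_override() {
  local arg sel=1 enf=1
  for arg in $1; do                      # unquoted on purpose: split into arguments
    case "$arg" in
      selinux=[01])   sel=${arg#selinux=} ;;    # last occurrence wins
      enforcing=[01]) enf=${arg#enforcing=} ;;
    esac
  done
  if [ "$sel" = 0 ]; then echo disabled
  elif [ "$enf" = 0 ]; then echo permissive
  else echo none
  fi
}

# Compare the three sources and print one verdict line.
selinux_drift() {
  local runtime=$1 config=$2 override=$3
  if [ "$override" != none ] && [ "$override" != "$config" ]; then
    echo "DRIFT: kernel cmdline forces $override, config file says $config"
  elif [ "$runtime" != "$config" ]; then
    echo "DRIFT: runtime is $runtime, config file applies $config at next boot"
  else
    echo "OK: runtime, config file and kernel cmdline agree on $config"
  fi
}

# Constructed inputs: config restored to enforcing, but selinux=0 left in the boot args.
sample_cfg=$(mktemp)
printf '# comment\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$sample_cfg"
sample_cmdline='ro rd.lvm.lv=rl/root rd.lvm.lv=rl/swap selinux=0'
selinux_drift disabled "$(config_mode "$sample_cfg")" "$(cmdline_override "$sample_cmdline")"
rm -f "$sample_cfg"
# On a live host:
#   selinux_drift "$(getenforce | tr 'A-Z' 'a-z')" "$(config_mode)" "$(cmdline_override "$(cat /proc/cmdline)")"
```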

Re-enable SELinux After Disabling

If you disabled SELinux and want to turn it back on, the process requires a filesystem relabel. When SELinux is disabled, new files are created without security context labels. Re-enabling SELinux requires all files to be relabeled before the policy can be enforced correctly.

Remove the Kernel Boot Parameter (If Used)

If you disabled SELinux via the kernel parameter, remove it first.

sudo grubby --update-kernel ALL --remove-args selinux

Update the Configuration File

Set SELinux back to enforcing (or permissive if you want to test first) in the config file.

sudo sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config

Force Filesystem Relabel on Next Boot

Create the /.autorelabel file to trigger a full filesystem relabel on the next boot.

sudo touch /.autorelabel

Now reboot the system.

sudo reboot

The relabeling process runs automatically during boot. On large filesystems with millions of files, this can take a significant amount of time – anywhere from a few minutes to over an hour depending on disk speed and file count. The system will reboot one more time after relabeling completes. Do not interrupt this process.

After the system is fully back up, verify SELinux is enforcing again.

getenforce

The output should confirm SELinux is back in enforcing mode:

Enforcing

If you want to ease back into SELinux, consider setting it to permissive first, running your workloads for a few days, and reviewing the audit log for any denials before switching to enforcing. The Red Hat SELinux documentation covers policy customization in detail.

SELinux Modes Reference Table

The following table summarizes the three SELinux modes and their behavior. Understanding these modes helps you choose the right one for your situation. When managing SELinux for web applications like WordPress, permissive mode is a good starting point for identifying required policy changes.

Mode | Policy Enforced | Description
Enforcing | Yes | SELinux policy is fully enforced. Access violations are blocked and logged to the audit log. This is the default mode on RHEL-based systems and the recommended setting for production servers.
Permissive | No (logged only) | SELinux policy is loaded but not enforced. Violations are logged but not blocked. Best for troubleshooting SELinux denials and developing custom policies without breaking applications.
Disabled | No | SELinux is completely turned off. No policy is loaded, no access decisions are made, and no violations are logged. Re-enabling requires a full filesystem relabel.

Conclusion

We covered how to check SELinux status, switch to permissive mode, disable SELinux through the config file and kernel boot parameters, and re-enable it with a full filesystem relabel on Rocky Linux 10, AlmaLinux 10, and RHEL 10. In almost every case, permissive mode is the better choice over a full disable – it gives you the same functional result while keeping the audit trail you need to fix the root cause. If you must disable SELinux in production, make sure you have other security measures in place such as properly configured firewall rules and intrusion detection.
