How to Disable SELinux in Ubuntu Server/Desktop

In this tutorial I will explain how to configure SELinux on Ubuntu Operating system. SELinux or Security Enhanced Linux is an additional layer of security services on top of the standard Linux DAC Mechanism and brings further protection to your Linux operating System By denying everything that has not been specifically allowed.

Security Enhanced Linux is an implementation of the Mandatory Access Control Mechanism of the Linux kernel. Mandatory Access Control is an additional layer of security added to top of the standard Discretionary Access Control (User/Group based permissions).

Even though it's has been added to provide additional security to the Linux operating system, most administrators prefer to disable SELinux because without proper configuration, some application will not run when SELinux is enabled.

So how do we disable SELinux on Ubuntu?

There is no need. SELinux is not installed by default in Ubuntu. Security Enhanced Linux is primarily used by the Red Hat based Linux distributions, that includes Red Hat Enterprise Linux, CentOS and Fedora.

Debian based distributions, including Ubuntu do not deliver SELinux by default, instead they use a system called AppArmor for Mandatory Access Control (AppArmor is disabled by default on Ubuntu).

Install SELinux on Ubuntu

The following steps describe how to install and configure SELinux on Ubuntu/Debian.

  1. Install selinux-policy-default and related packages:

    sudo apt-get update
    sudo apt-get install selinux-basics selinux-policy-default auditd
  2. Run the selinux-activate command:

    sudo selinux-activate
  3. Open the /etc/default/rcS file and set FSCKFIX=yes:

    FSCKFIX=yes
  4. Restart the computer (it will take a while to reboot):

    sudo systemctl reboot

After the system rebooted, run the check-selinux-installation command to make sure that the installation is successful.

Enable and Disable SELinux on Ubuntu

By default SELinux on Ubuntu run in permissive mode. To enable SELinux, Open the /etc/selinux/config file and set SELINUX=enforcing:

SELINUX=enforcing

Then, Save the config file and restart the computer:

sudo systemctl reboot

If you want to permanently disable SELinux, set SELINUX=disabled and restart the computer.

Disable SELinux in Ubuntu Server/Desktop

You need to restart your Ubuntu system every time you switch between enforcing and disabled modes permanently.

To view The SELinux status on Ubuntu, Type:

sestatus

To check current running mode, Type:

getenforce

Run setenforce command to switch between Enforcing and Permissive mode without having to restart the computer (Enforcing = 1, Permissive = 0).

setenforce 0

Summary

  • SELinux is a security enhancement for the Linux kernel, and is Originally developed by the National Security Agency's office of Information Assurance as an enhancement to Linux Security.
  • If you use CentOS, Fedora or RHEL, SELinux is enabled by default.
  • Apparmor is the default way of implementing Mandatory Access Control in Debian/Ubuntu based Linux distributions.