
EL8/EL9 SELinux disable handling

Discussion in 'AlmaLinux 8 & Rocky Linux 8 Beta Testing' started by eva2000, Apr 25, 2023.

  1. eva2000

    eva2000 Administrator Staff Member

    I just updated the EL8 installers to change the method of SELinux disabling for AlmaLinux/Rocky Linux 8. With EL9 for AlmaLinux/Rocky Linux 9, they deprecated the old run time disabling of SELinux, so the only way to disable SELinux is by adding selinux=0 to Kernel GRUB_CMDLINE_LINUX line in /etc/default/grub and rebuilding grub.cfg and rebooting server.

    Initially, I set up installers to do that just for EL9 installs - keeping EL8 installs to keep old run time method of disabling SELinux. But seems Linux Kernel 6.4 will also deprecate SELinux runtime disabling methods as well. So the same situation can occur if you use EL8 operating system and one day decide to upgrade to Linux Kernel 6.4. So might as well sort this out now and update the EL8 installers to apply the same method as EL9 routine now :)

    From DEPRECATE runtime disable
    So starting from today, any EL8 beta installations that detect that SELinux is still enabled on AlmaLinux 8 or Rocky Linux 8 will be greeted with messages similar to those below.

    If you have a non-EFI setup for /boot/grub2/grub.cfg, you'll see:
    Code (Text):
    Detected SELinux NOT disabled for EL8
    Adding selinux=0 to Kernel GRUB_CMDLINE_LINUX line in /etc/default/grub
    GRUB_CMDLINE_LINUX="rd.auto nomodeset console=tty0 selinux=0"
    Regenerating GRUB2 configuration
    installing grub2-tools
    grub2-mkconfig -o /boot/grub2/grub.cfg
    Added selinux=0 to Kernel GRUB_CMDLINE_LINUX line in /etc/default/grub to disable SELinux
    This is the right way to disable SELinux in future as other run-time methods deprecated
    If you intend to use own custom Linux Kernels i.e. ELRepo, ensure you have selinux=0 set
    Please reboot system to disable SELinux then install Centmin Mod
    

    If you have an EFI setup for /boot/efi/EFI/almalinux/grub.cfg, you'll see:
    Code (Text):
    Detected SELinux NOT disabled for EL8
    Adding selinux=0 to Kernel GRUB_CMDLINE_LINUX line in /etc/default/grub
    GRUB_CMDLINE_LINUX="rd.auto nomodeset console=tty0 selinux=0"
    Regenerating GRUB2 configuration
    installing grub2-tools
    grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfg
    Added selinux=0 to Kernel GRUB_CMDLINE_LINUX line in /etc/default/grub to disable SELinux
    This is the right way to disable SELinux in future as other run-time methods deprecated
    If you intend to use own custom Linux Kernels i.e. ELRepo, ensure you have selinux=0 set
    Please reboot system to disable SELinux then install Centmin Mod
    

    If you use Rocky Linux with EFI, it will be at /boot/efi/EFI/rocky/grub.cfg
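
The procedure described in the post above (add selinux=0 to GRUB_CMDLINE_LINUX, regenerate grub.cfg at the EFI or non-EFI path, reboot), as an added example that is not Centmin Mod's installer code. The function names are hypothetical, and detecting EFI via /sys/firmware/efi and the distro via ID in /etc/os-release are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the Centmin Mod installer. Function names are hypothetical.

# Succeeds if selinux=0 is already a whole word inside GRUB_CMDLINE_LINUX="...".
has_selinux_off() {
  grep -Eq '^GRUB_CMDLINE_LINUX="([^"]* )?selinux=0( [^"]*)?"' "$1"
}

# Idempotently append selinux=0 to GRUB_CMDLINE_LINUX in the given file.
# Returns 2 if the line is absent, so nothing is guessed or rewritten.
add_selinux_off() {
  gf="$1"
  grep -q '^GRUB_CMDLINE_LINUX="' "$gf" || return 2
  has_selinux_off "$gf" && return 0
  cp -p "$gf" "$gf.bak"                      # keep a copy to roll back to
  sed -E '/^GRUB_CMDLINE_LINUX="/{s/^(GRUB_CMDLINE_LINUX="[^"]*)"/\1 selinux=0"/;s/=" /="/;}' \
    "$gf.bak" > "$gf.new" && mv "$gf.new" "$gf"
}

# Print the grub.cfg path from the post: per-distro EFI path or /boot/grub2.
# Assumption: EFI boot is indicated by the directory $1 existing.
grub_cfg_path() {
  efi_dir="${1:-/sys/firmware/efi}"
  osrel="${2:-/etc/os-release}"
  if [ -d "$efi_dir" ]; then
    id=$(. "$osrel" && printf '%s' "$ID")
    case "$id" in
      almalinux|rocky) printf '/boot/efi/EFI/%s/grub.cfg\n' "$id" ;;
      *) echo "no path given in the post for ID=$id" >&2; return 1 ;;
    esac
  else
    printf '/boot/grub2/grub.cfg\n'
  fi
}

# Only touches the system when explicitly asked to (run as root).
if [ "${1:-}" = "--apply" ]; then
  cfg=$(grub_cfg_path) || exit 1
  add_selinux_off /etc/default/grub || exit 1
  grub2-mkconfig -o "$cfg" || exit 1
  echo "Reboot, then confirm with: grep -w selinux=0 /proc/cmdline"
fi
```

Running it twice leaves a single selinux=0 on the line, and /etc/default/grub.bak holds the pre-change file.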