[Memo] Disabling SELinux and FirewallD on Red Hat family Linux
While generally not recommended for production environments due to security implications, you can disable SELinux and Firewalld on Rocky Linux 9.5/9.6. This might be useful for specific troubleshooting scenarios or if you're implementing an alternative security solution.
Important Note: Disabling SELinux and Firewalld significantly reduces your system's security posture. Only do this if you understand the risks and have a clear reason to do so. For most situations, it's better to configure SELinux and Firewalld to allow necessary traffic and operations rather than disabling them entirely.
Disabling SELinux on Rocky Linux 9.x
SELinux can be switched to permissive mode until the next reboot, or disabled permanently through its configuration. Note that setenforce cannot fully disable SELinux at runtime; it only toggles between enforcing and permissive.
1. Check SELinux Status:
Before making changes, check the current status of SELinux:
sestatus
You'll typically see "SELinux status: enabled" and "Current mode: enforcing" if it's active.
2. Temporarily Switch SELinux to Permissive Mode (until next reboot):
This is useful for quick testing, since the change reverts to the mode set in /etc/selinux/config after a reboot.
sudo setenforce 0
Or:
sudo setenforce permissive
"Permissive" mode means SELinux will log security denials but won't enforce them. This is often a good intermediate step for troubleshooting.
Verify the status again:
sestatus
It should now show "Current mode: permissive" (the "Mode from config file" line still shows enforcing, since only the running kernel state changed).
3. Permanently Disable SELinux:
This change will persist across reboots. On Rocky Linux 9.x (as on RHEL 9) SELINUX=disabled in /etc/selinux/config is still honored but deprecated: the kernel initializes SELinux at boot and then simply loads no policy. The method the 9.x documentation recommends instead is passing selinux=0 on the kernel command line (for example through grubby), which keeps the kernel from initializing SELinux at all. The configuration file method below works on both releases.
* Edit the SELinux configuration file:
sudo nano /etc/selinux/config
* Find the line SELINUX=enforcing and change it to SELINUX=disabled:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
* Save and close the file. In nano, press Ctrl+X, then Y to confirm save, and Enter.
* Reboot the system for the changes to take effect:
sudo reboot
* After rebooting, verify SELinux is disabled:
sestatus
It should now show "SELinux status: disabled".
Disabling Firewalld on Rocky Linux 9.x
Firewalld is the default firewall management tool on Rocky Linux.
1. Check Firewalld Status:
sudo systemctl status firewalld
You'll see "Active: active (running)" if it is currently running. The word "enabled" on the "Loaded:" line is a separate state: it means the unit starts automatically at boot, whether or not it is running right now.
2. Temporarily Stop Firewalld (until next reboot):
This stops the firewall immediately and removes its rules (firewalld cleans up on exit by default), so every listening port becomes reachable. It will start again after a reboot if the unit is still enabled.
sudo systemctl stop firewalld
Verify it's stopped:
sudo systemctl status firewalld
It should show "Active: inactive (dead)".
3. Permanently Disable Firewalld:
This will stop Firewalld and prevent it from starting automatically at boot.
* Stop the Firewalld service:
sudo systemctl stop firewalld
* Disable Firewalld from starting on boot:
sudo systemctl disable firewalld
* Optional: Mask Firewalld (prevents other services from starting it):
Masking links the unit file to /dev/null, so neither a dependency nor a manual systemctl start can bring Firewalld back until it is unmasked. The --now flag also stops it, so this single command covers the two steps above.
sudo systemctl mask --now firewalld
* Verify Firewalld is disabled:
sudo systemctl status firewalld
It should show "Active: inactive (dead)" and, on the "Loaded:" line, "disabled" (or "masked" if you ran the mask step; a masked unit reports "Loaded: masked" rather than "disabled").
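As an added example (not part of the original memo), the script below drives the permanent-disable procedure and then verifies the result from the three systemd properties that matter, rather than by eyeballing `systemctl status` output. The parser reads the `Key=Value` lines that `systemctl show -p LoadState,UnitFileState,ActiveState firewalld` prints, so it can be exercised on constructed input on a machine without a running systemd; the `--apply` flag and the `disable_firewalld_permanently` function name are this example's own choices.

```shell
#!/bin/sh
# Added example: permanently disable firewalld and verify the unit state.
# Not from the original page. Assumes systemd's "systemctl show" output format.

summarize_unit_state() {
    # Reads "Key=Value" lines (systemctl show output) on stdin and prints
    # "LoadState UnitFileState ActiveState" as one line, "unknown" for any
    # property that was not present.
    local load="" file="" active=""
    while IFS='=' read -r key value; do
        case "$key" in
            LoadState)     load="$value" ;;
            UnitFileState) file="$value" ;;
            ActiveState)   active="$value" ;;
        esac
    done
    printf '%s %s %s\n' "${load:-unknown}" "${file:-unknown}" "${active:-unknown}"
}

firewalld_is_off() {
    # Succeeds only when the unit is not running AND cannot come back at boot.
    # "inactive" alone is not enough: a stopped-but-enabled unit returns after
    # the next reboot, which is exactly the mistake this check catches.
    set -- $(summarize_unit_state)      # $1=LoadState $2=UnitFileState $3=ActiveState
    case "$3" in inactive|failed) ;; *) return 1 ;; esac
    case "$2" in disabled|masked)  return 0 ;; *) return 1 ;; esac
}

disable_firewalld_permanently() {
    # The three steps from the memo, then a verification that fails loudly.
    sudo systemctl stop firewalld
    sudo systemctl disable firewalld
    sudo systemctl mask firewalld
    if systemctl show -p LoadState,UnitFileState,ActiveState firewalld | firewalld_is_off; then
        echo "firewalld is stopped and masked; the host now has no packet filter"
    else
        echo "firewalld is NOT fully disabled, check 'systemctl status firewalld'" >&2
        return 1
    fi
}

# Run the real procedure only when explicitly asked (requires root via sudo).
if [ "${1:-}" = "--apply" ]; then
    disable_firewalld_permanently
fi
```

Run it as `sh disable-firewalld.sh --apply` on the target host. The success message deliberately spells out the consequence: after this there is no host firewall at all, not merely a permissive one.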
Re-enabling SELinux and Firewalld (if needed):
* To re-enable SELinux:
Edit /etc/selinux/config and change SELINUX=disabled back to SELINUX=enforcing, and if you disabled SELinux through the selinux=0 kernel parameter, remove that parameter as well. Before rebooting, run sudo touch /.autorelabel: any file created or modified while SELinux was disabled carries no security label, and without a relabel the system may fail to boot or services may be denied access once enforcing. The relabel runs on the next boot and takes a while on large filesystems. If the system has run unlabeled for a long time, a safer sequence is SELINUX=permissive first, one reboot to relabel and review the logged denials, then SELINUX=enforcing and a second reboot.
* To re-enable Firewalld:
sudo systemctl unmask firewalld # If you masked it
sudo systemctl enable firewalld
sudo systemctl start firewalld
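The manual nano edit in the "Permanently Disable SELinux" section and the reverse edit in the re-enable step above are the same operation in two directions, so here is one added example (not from the original memo) that does both from a script: it validates the requested mode, reads only the uncommented SELINUX= assignment, keeps a backup, leaves the file alone when it already has the requested value, schedules the relabel whenever the old value was disabled, and checks its own result. The file path is a parameter so the functions can be tried on a copy; the real /etc/selinux/config needs root. The kernel-parameter helper uses grubby, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: set the SELINUX= mode in an /etc/selinux/config-style file,
# plus the kernel-parameter method recommended for 9.x. Not from the original page.

selinux_config_mode() {
    # Prints the effective SELINUX= value of file "$1". Comment lines such as
    # "# SELINUX= can take ..." and the SELINUXTYPE= line are ignored; if the
    # assignment appears more than once, the last one wins (as it does at boot).
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

set_selinux_config_mode() {
    # Usage: set_selinux_config_mode FILE enforcing|permissive|disabled
    local file="$1" mode="$2" current
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $mode" >&2; return 2 ;;
    esac
    current=$(selinux_config_mode "$file")
    [ "$current" = "$mode" ] && return 0       # already set: do nothing, no backup churn
    cp -p "$file" "$file.bak"
    # Rewrite only the uncommented assignment; comments and SELINUXTYPE= are untouched.
    sed -i "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file"
    # Coming back from "disabled": files written meanwhile carry no labels,
    # so ask for a full relabel on the next boot (only on the real system file).
    if [ "$current" = "disabled" ] && [ "$file" = /etc/selinux/config ]; then
        touch /.autorelabel
    fi
    # Verify; this fails (returns 1) if the file had no SELINUX= line to rewrite.
    [ "$(selinux_config_mode "$file")" = "$mode" ]
}

disable_selinux_kernel_arg() {
    # The 9.x documented method: the kernel never initializes SELinux.
    sudo grubby --update-kernel=ALL --args=selinux=0
}

enable_selinux_kernel_arg() {
    # Reverse of the above; pair it with set_selinux_config_mode ... enforcing
    # and a relabel before rebooting.
    sudo grubby --update-kernel=ALL --remove-args=selinux
}

# Usage on the real system (needs root):
#   sudo sh selinux-mode.sh disabled     or     sudo sh selinux-mode.sh enforcing
if [ -n "${1:-}" ]; then
    set_selinux_config_mode /etc/selinux/config "$1" && echo "reboot to apply SELINUX=$1"
fi
```

The idempotent early return matters in configuration management: re-running the script must not pile up .bak files or re-touch /.autorelabel, which would trigger a needless full relabel on every boot.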
Again, exercise caution when disabling these security features on any system, especially in production environments.