What are SELinux Modes and how to set them?

SELinux Modes

SELinux runs in one of three modes (or states).

 

Enforcing

This is the default state that enforces SELinux security policy. Access is denied to users and programs unless permitted by SELinux security policy rules. All denial messages are logged as AVC (Access Vector Cache) Denials.

Permissive

This is a diagnostic state. The security policy rules are not enforced, but SELinux sends denial messages to a log file. This allows you to see what would have been denied if SELinux were running in enforcing mode.

Disabled

SELinux does not enforce a security policy because no policy is loaded in the kernel. Only DAC rules are used for access control.

 

Setting SELinux Modes

 

There are multiple ways of setting the SELinux mode. One way is to select the mode from the Status view in the SELinux GUI. You can also edit the main configuration file for SELinux, /etc/selinux/config. Set the mode by changing the SELINUX directive in this file. For example, to set the mode to enforcing:

# vim /etc/selinux/config
SELINUX=enforcing

 

The setenforce command is used to change between enforcing and permissive modes. Changes made with this command do not persist across reboots. To change to enforcing mode:

# setenforce 1

 

To change to permissive mode:

# setenforce 0

 

Display SELinux Mode

 

Use the getenforce command to view the current SELinux mode:

# getenforce 
Enforcing

 

Was this answer helpful? 0 Users Found This Useful (0 Votes)