SELinux Modes

SELinux runs in one of three modes (or states).



This is the default state that enforces SELinux security policy. Access is denied to users and programs unless permitted by SELinux security policy rules. All denial messages are logged as AVC (Access Vector Cache) Denials.


This is a diagnostic state. The security policy rules are not enforced, but SELinux sends denial messages to a log file. This allows you to see what would have been denied if SELinux were running in enforcing mode.


SELinux does not enforce a security policy because no policy is loaded in the kernel. Only DAC rules are used for access control.


Setting SELinux Modes


There are multiple ways of setting the SELinux mode. One way is to select the mode from the Status view in the SELinux GUI. You can also edit the main configuration file for SELinux, /etc/selinux/config. Set the mode by changing the SELINUX directive in this file. For example, to set the mode to enforcing:

# vim /etc/selinux/config


The setenforce command is used to change between enforcing and permissive modes. Changes made with this command do not persist across reboots. To change to enforcing mode:

# setenforce 1


To change to permissive mode:

# setenforce 0


Display SELinux Mode


Use the getenforce command to view the current SELinux mode:

# getenforce 


Was this answer helpful? 0 Users Found This Useful (0 Votes)