SELinux comes with three different types of operational modes which all can by set temporarily using tool setenforce or directly by editing SELinux configuration file.

  • enforcing
  • permissive
  • disabled

SELinux in disabled operational mode does not enforce any security rules or policies as it is simply disable and security checks are done only by traditional Discretionary Access Controls. Permissive mode allows for testing new deployments as in effect it simply behaves like disabled operational mode, however it logs any potentially denied access to a relevant log files thus allowing further testing and troubleshooting before the operational mode is switched to enforcing. Lastly, in the enforcing mode all security policy rules are enforced. To change SELinux operaitonal mode from enforcing to permissive and vice versa use setenforce command. Check current operational mode status:

# getenforce 
Permissive

Toggle from permissive to enforcing:

# setenforce 1
# getenforce 
Enforcing

Note, that setenforce mode only accepts Boolean type 0 or 1 and is capable to change only between permissive or enforcing operation mode. To change SELinux operational mode to disabled, the SELinux /etc/selinux/config configuration file needs to be amended by setting SELINUX directive to disabled

SELINUX=disabled

To allow this change to take effect system reboot is required.



Go to top