How to check whether SELinux is enabled or not?

Security-Enhanced Linux (SELinux) brings additional security measures to your Linux system to further protect its resources. As part of the Linux kernel, it is a mandatory access control system supported by major Linux distributions.

This is a how-to guide that shows how to check whether SELinux is enabled. If you would like to know more about SELinux, such as what it is, why one should use it, and how it works, refer to the post below.

The following are three different ways to check the status of SELinux:

1. Use the getenforce command:

$ getenforce

2. Use the sestatus command:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted

To print only the current mode, filter the output:

# sestatus | grep mode
Current mode: permissive

3. Use the SELinux configuration file, /etc/selinux/config, and grep for the SELINUX variable:

$ grep ^SELINUX= /etc/selinux/config

The output of the above commands gives the SELinux mode. SELinux can be in any of three possible modes:

  • If the state is disabled, the SELinux code disables further support and the system continues booting without activating SELinux.
  • If the state is permissive, then SELinux is active but will not enforce its policy on the system. Instead, any violation against the policy will be reported but remain allowed. This is sometimes called host intrusion detection as it works in a reporting-only mode.
  • If the state is enforcing, then SELinux is active and will enforce its policy on the system. Violations are reported and also denied. This is sometimes called host intrusion prevention, as it enforces the rules while logging the actions it takes.
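The running mode (getenforce, sestatus) and the mode in /etc/selinux/config can differ, because the config file is only read at boot. The script below is an added example, not part of the original guide: it parses both and flags a mismatch. The function names, the verdict strings and the sample input are constructed for illustration, and it assumes enforcing is the desired state.

```shell
#!/bin/sh
# Added example (not from the original page): compare running vs. configured mode.
# Assumption: "enforcing" both now and at next boot is the desired state.

# Running mode, parsed from `sestatus` output supplied on stdin.
runtime_mode() {
    awk -F': *' '
        { sub(/[ \t\r]+$/, "") }              # drop trailing whitespace
        /^SELinux status:/ { status = $2 }
        /^Current mode:/   { mode = $2 }
        END {
            if (status == "disabled") print "disabled"
            else if (mode != "")      print mode
            else                      print "unknown"
        }'
}

# Mode applied at the next boot: the SELINUX= line of the config file ($1).
# The ^ anchor skips commented-out lines; SELINUXTYPE= does not match.
config_mode() {
    m=$(sed -n 's/^SELINUX=[[:space:]]*\([a-z]*\).*$/\1/p' "$1" | tail -n 1)
    echo "${m:-unknown}"
}

# $1 = running mode, $2 = configured mode
selinux_verdict() {
    if [ "$1" = enforcing ] && [ "$2" = enforcing ]; then
        echo "ok"
    elif [ "$1" != "$2" ]; then
        echo "drift: running=$1 configured=$2"
    else
        echo "weak: $1 now and after reboot"
    fi
}

# Constructed sample input so the script runs on any machine.
# On a real host use: sestatus | runtime_mode ; config_mode /etc/selinux/config
sample_sestatus='SELinux status:                 enabled
Current mode:                   permissive
Mode from config file:          enforcing'
sample_config=$(mktemp)
printf '# constructed sample\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$sample_config"

running=$(printf '%s\n' "$sample_sestatus" | runtime_mode)
configured=$(config_mode "$sample_config")
selinux_verdict "$running" "$configured"
rm -f "$sample_config"
```

A "drift" verdict means the host will change mode at the next reboot, or that someone changed the running mode without updating the config file.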