How to use setenforce command to change SELinux modes

SELinux Modes

SELinux can be either enabled or disabled. To check which state it is running in, use the getenforce command. There are two modes in which SELinux runs:

  • Enforcing: This is the enabled state where all rules are applied
  • Permissive: In this state, SELinux will not deny any access; however, denials are logged

We can switch SELinux between enforcing and permissive mode at runtime with the setenforce command. Before and after changing the mode, verify the current mode with the getenforce command.

View current SELinux mode

To view the current SELinux mode set on the system, use the below command:

# getenforce
Enforcing

Changing SELinux mode online

It’s possible to switch between the enforcing and permissive mode using the setenforce command. Use setenforce 0 to switch to the permissive mode and setenforce 1 to go back to the enforcing mode.

Let’s temporarily place the system into permissive mode:

# setenforce 0
# getenforce
Permissive

These changes last only until the system reboots. After a reboot, you’ll be back in enforcing mode. Note that the 0 after setenforce selects permissive mode. To get back to enforcing mode, simply use 1 instead of 0:

# setenforce 1
# getenforce
Enforcing

We’re now back in enforcing mode.

Changing SELinux modes permanently

In order to permanently change the SELinux mode to permissive in the above case, you’ll edit the file /etc/sysconfig/selinux. Here’s what it looks like by default:

# vi /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

The two important things you see here are that SELinux is in enforcing mode and that it’s using the targeted policy. To switch to permissive mode, just change the SELINUX= line, and save the file:


# vi /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

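To view the SELinux mode after rebooting the system, use the “sestatus” command. Its output reports both the running mode (Current mode) and the value read from the config file (Mode from config file):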

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
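
The sestatus output above reports a running mode (enforcing) that differs from the configured one (permissive). The following shell script is an added example, not part of the original article, that flags this kind of mismatch by comparing getenforce output with the SELINUX= line of the config file. The function names config_mode, check_mode and demo and the variable SAMPLE_CONFIG are hypothetical, and the sample config text is constructed from the file shown above.

```shell
#!/bin/sh
# Added example (not from the original article): report drift between the
# running SELinux mode and the mode the config file will apply at next boot.

# Print the SELINUX= value found in config-file text on stdin.
# Comment lines and the SELINUXTYPE= line do not match the pattern.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# check_mode RUNNING CONFIGURED
# RUNNING is getenforce output; CONFIGURED is config_mode output.
# Prints one verdict line; returns 0 only when both are enforcing.
check_mode() {
    running=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    configured=$2
    case "$running/$configured" in
        enforcing/enforcing)
            echo "OK: enforcing now and after reboot"; return 0 ;;
        enforcing/permissive)
            echo "DRIFT: enforcing now, permissive after reboot"; return 1 ;;
        permissive/enforcing)
            echo "DRIFT: permissive now, enforcing after reboot"; return 1 ;;
        permissive/permissive)
            echo "WEAK: permissive now and after reboot"; return 1 ;;
        disabled/*|*/disabled)
            echo "DISABLED: running=$running configured=$configured"; return 1 ;;
        *)
            echo "UNKNOWN: running=$running configured=$configured"; return 2 ;;
    esac
}

# Constructed sample input: the edited file shown above, comments trimmed.
SAMPLE_CONFIG='# SELINUX= can take one of these three values:
SELINUX=permissive
SELINUXTYPE=targeted'

# Check the sample against a running mode of "Enforcing" (the sestatus case).
demo() {
    check_mode "Enforcing" "$(printf '%s\n' "$SAMPLE_CONFIG" | config_mode)"
}

# On a live system (path as used in this article):
#   check_mode "$(getenforce)" "$(config_mode < /etc/sysconfig/selinux)"
demo || true
```

The non-zero return codes make the check usable from a monitoring job or a configuration-compliance script.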

Conclusion

Another way to temporarily change the SELinux mode is by passing a parameter to the kernel at boot time. Passing a kernel argument of enforcing=0 will boot the system in permissive mode for that instance and selinux=1 will boot the system in enforcing mode.