How to use setenforce command to change SELinux modes
SELinux Modes
SELinux can either be in an enabled or a disabled state. In order to check in which state it is running, we can make use of the getenforce command. There are two modes in which SELinux runs:
- Enforcing: This is the enabled state where all rules are applied
- Permissive: In this state, SELinux will not deny any access; however, denials are logged
We can change the SELinux modes from enforcing to permissive and vice versa during runtime by using the setenforce command. Before and after changing the SELinux mode, we must ensure the current mode by using the getenforce command.
View current SELinux mode
To view the current SELinux mode set on the system, use the below command:
# getenforce
Enforcing
Changing SELinux mode online
It’s possible to switch between the enforcing and permissive mode using the setenforce command. Use setenforce 0 to switch to the permissive mode and setenforce 1 to go back to the enforcing mode.
Let’s temporarily place the system into permissive mode:
# setenforce 0
# getenforce
Permissive
Now, these changes are temporary until we reboot the system. After a reboot, you’ll be back in enforcing mode. Also, note that a 0 after setenforce denotes that I’m setting permissive mode. To get back to enforcing mode simply use 1 instead of 0:
# setenforce 1
# getenforce
Enforcing
We’re now back in enforcing mode.
Changing SELinux modes permanently
In order to permanently change the SELinux mode to permissive in the above case, you’ll edit the file /etc/sysconfig/selinux. Here’s what it looks like by default:
# vi /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
The two important things you see here are that SELinux is in enforcing mode and that it’s using the targeted policy. To switch to permissive mode, just change the SELINUX= line, and save the file:
# vi /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
To view the SELinux mode after rebooting the system, use the “sestatus” command:
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
Conclusion
Another way to temporarily change the SELinux mode is by passing a parameter to the kernel at boot time. Passing a kernel argument of enforcing=0 will boot the system in permissive mode for that instance and selinux=1 will boot the system in enforcing mode.