How to Change SELinux Modes

Updated by Linode

Contribute on GitHub

View Project | View File | Edit File

Security Enhanced Linux is a Linux security module for mandatory or role-baed access control. SELinux is packaged with CentOS and Fedora by default, and can be running in one of three modes: disabled, permissive or enforcing.

Ideally, you want to keep SELinux in enforcing mode, but there may be times when you need to set it to permissive mode, or disable it altogether. Note that the disabled state means the daemon is still running and is still enforcing rules for discretionary access control, however no MAC security policies are being used, and no violations are being logged.

To use SELinux on CentOS or Fedora, you must use the upstream kernel–you can not use the Linode kernel. If you need help booting the distribution-supplied kernel, see our guide on the topic.

  1. View the current enforcement mode of SELinux on your system using sestatus. You can see below that SELinux is set to permissive mode.

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    [root@centos ~]# sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   permissive
    Mode from config file:          permissive
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Max kernel policy version:      28
    
  2. Change to enforcing mode using setenforce. This will be for the current runtime session only. You’ll need to edit the SELinux configuration file if you want the setting to survive a reboot.

    1
    2
    setenforce 0    # Set to permissive mode.
    setenforce 1    # Set to enforcing mode.
    
  3. Edit the SELinux configuration file so your mode change will survive reboots. The sed command below is given as an example, and will switch from permissive to enforcing mode. For a different mode configuration, just substitute the two words in the command with the mode you currently have, and the one you want to enable (ex. disabled to permissive).

    1
    sed -i 's/SELINUX=permissive/SELINUX=enforcing/g' /etc/selinux/config
    

    If you prefer to edit the file manually, it should look like this:

    /etc/selinux/config
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
      # This file controls the state of SELinux on the system.
      # SELINUX= can take one of these three values:
      #     enforcing - SELinux security policy is enforced.
      #     permissive - SELinux prints warnings instead of enforcing.
      #     disabled - No SELinux policy is loaded.
      SELINUX=enforcing
      # SELINUXTYPE= can take one of three two values:
      #     targeted - Targeted processes are protected,
      #     minimum - Modification of targeted policy. Only selected processes are protected.
      #     mls - Multi Level Security protection.
      SELINUXTYPE=targeted
    
  4. Reboot your Linode. During the bootup process, SELinux may need to run a relabeling of the filesystem. It will handle this automatically and when it’s done, it’ll reboot the system. If you do not have Lassie enabled, the Linode will shut down and you will need to manually reboot in the Linode Manager.

    SELinux filesystem relabel

  5. When your Linode boots back up, log in and verify that SELinux is now running in the new enforcement mode. Run sestatus again. The output should show that you’re in the mode you set in steps 2 and 3 above.

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    [root@centos ~]# sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Max kernel policy version:      28
    

More Information

You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

This guide is published under a CC BY-ND 4.0 license.