Tag Archives: enforcing

SELinux Configuration

With SELinux activated on your kernel, you need to know which mode and policy (ex: targeted, MLS) you are running.

SELinux mode is used to enable/disable SELinux, whereas the policy is about the philosophy used to enhance security within your system, targeted is the commonly used policy and also the default one.

SELinux Modes are:

  • Enforcing: respect your policy rules.
  • Permissive:This  mode will not use policy rules to deny access but it will log everything the policy would prevent.
  • Disabled.

When use Permissive mode?

If your sysem wasn’t initially using SELinux and you would like to go on with Enforcing mode, use permissive mode and audit all the denials you get when running your applications.

If auditd is installed and running, check audit.log logs for type=AVC messages with denied string:

#grep denied /var/log/audit/audit.log



You can also use audit2allow command to check SELinux denials and follow the output recommandations:




You can then go on with Enforcing mode after some work on your policy adding and updating the rules you need to correctly run your applications.

You should reboot your OS if you go from permissive to disabled mode and vice-versa.


Here is your set of tools to manipulate SELinux mode and policy:


  • sestatus command:

Use sestatus command to see the current configuration in your system.
you can see below I’m using enforcing mode and targeted policy.




  • getenforce, setenforce commands

getenforce command returns SELinux mode currently running, and you can configure the mode with setenforce {0,1} command as follows:




You can also configure your SELinux mode and policy by editing the appropriate section in the /etc/selinux/config file:


# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

#     enforcing – SELinux security policy is enforced.

#     permissive – SELinux prints warnings instead of enforcing.

#     disabled – No SELinux policy is loaded.


# SELINUXTYPE= can take one of these two values:

#     targeted – Targeted processes are protected,

#     mls – Multi Level Security protection.



Don’t freak out if SELinux policy lacks some necessary rules for your application :), you can always add new rules by creating SELinux modules using audit2allow , but this is not the goal of this post. I’ll write another one for customized policies :p