SELinux Modes Explained with Examples
There are three SELinux modes: Disabled, Permissive, and Enforcing. SELinux can work only in one mode at a time. In the disabled mode, it does not filter any access request. In permissive mode, it logs all access requests but does not control them. In enforcing mode, it logs all access requests and allows or denies each request based on the SELinux policy.
The disabled mode completely turns off SELinux. If SELinux is enabled, it will be in either Permissive or Enforcing mode. In the permissive mode, it only monitors access requests. In the enforcing mode, it filters access requests.
Let us take an example. Suppose an FTP user executes the following command to access his home directory.
$ftp LinxuServer.com
The system will take the following actions.
- Generate a SysCall (System Call) for the FTP server and check the SELinux status.
  - If disabled, it processes the SysCall normally.
  - If enabled in Permissive mode, it creates a log entry in the /var/log/audit/audit.log file and processes the SysCall.
  - If enabled in Enforcing mode, it creates a log entry and checks security policies.
    - If allowed, it processes the SysCall.
    - If denied, it terminates the SysCall.

Viewing SELinux Status and Mode
Linux offers two commands to show the SELinux status and mode. These are the sestatus and getenforce commands. The sestatus command provides detailed information, whereas the getenforce command only shows the name of the current mode.
#sestatus
#getenforce

Changing SELinux mode
SELinux allows us to switch between Enforcing and Permissive mode in the current session. We can use this feature for troubleshooting. For example, suppose an FTP user cannot access his home directory, and we want to know whether the issue is related to SELinux. In that case, we can switch between these modes to verify this. If the user can access his home directory in Permissive mode but not in Enforcing mode, we can assume that SELinux is blocking the user. If not, the issue is not related to SELinux. SELinux does not block anything in Permissive mode.
The setenforce command allows us to switch between Permissive and Enforcing modes. It accepts the mode's name or value as an argument. The value zero (0) sets the mode to Permissive. The value one (1) sets the mode to Enforcing.
The following commands change and verify the mode to Permissive.
#setenforce 0
or
#setenforce permissive
#getenforce
The following commands change and verify the mode to Enforcing.
#setenforce 1
or
#setenforce enforcing
#getenforce

SELinux does not allow us to switch between enabled (enforcing or permissive) and disabled mode in the running session. A system restart is required to switch between these modes.
The SELINUX directive in the /etc/sysconfig/selinux file saves the default mode's name. To switch between enabled and disabled mode, we have to update this directive's value. Linux reads this file at startup and sets the SELinux mode to the mode specified in this directive.
Exercise
Check the current SELinux mode.
#getenforce
#grep -v ^# /etc/sysconfig/selinux

Change the SELinux mode to disabled in the /etc/sysconfig/selinux file.
#vim /etc/sysconfig/selinux
SELINUX=disabled
:wq

Recheck the current SELinux mode to verify the change does not apply in the current session.
#getenforce
#grep -v ^# /etc/sysconfig/selinux

Reboot the system.
#reboot -f

Check the SELinux mode and verify the update.
#grep -v ^# /etc/sysconfig/selinux
#getenforce

Try to change the SELinux mode to permissive and enforcing to verify that SELinux does not allow switching between enabled and disabled modes in the running session.
#setenforce 0
#setenforce 1

Change the SELinux mode to permissive or enforcing in the /etc/sysconfig/selinux file and restart the system.
#vim /etc/sysconfig/selinux
SELINUX=enforcing
:wq
#reboot -f

Verify the SELinux mode.
#getenforce
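
The exercise above shows that the running mode and the SELINUX directive can disagree until the next reboot. The script below is an added example, not part of the original tutorial, that classifies that disagreement; the function names, the result labels, and the sample config contents are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the tutorial): detect when the runtime SELinux mode
# and the boot-time SELINUX= directive disagree.

# Print the SELINUX directive's value from config file $1, lowercased.
# Comment lines and SELINUXTYPE= do not match; if the directive appears
# more than once, this example reports the first occurrence.
configured_mode() {
    sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" |
        head -n 1 | tr '[:upper:]' '[:lower:]'
}

# $1 = runtime mode as printed by getenforce, $2 = config file path.
mode_drift() {
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    configured=$(configured_mode "$2")
    case "$configured" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid-config"; return 0 ;;   # typo or missing directive
    esac
    if [ "$runtime" = "$configured" ]; then
        echo "in-sync"
    elif [ "$runtime" = "disabled" ] || [ "$configured" = "disabled" ]; then
        echo "reboot-pending"       # enabled <-> disabled only changes at boot
    else
        echo "temporary-override"   # setenforce was used; reverts at next boot
    fi
}

# Constructed sample: the file already says disabled while the session is
# still Enforcing, the state after the edit in the exercise and before reboot.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'SELINUX=disabled' 'SELINUXTYPE=targeted' > "$sample"
echo "runtime Enforcing, config disabled: $(mode_drift Enforcing "$sample")"
rm -f "$sample"

# On a real host: mode_drift "$(getenforce)" /etc/sysconfig/selinux
```

A result of temporary-override on a production host is worth reviewing, since it means someone ran setenforce and the session is not in the mode the configuration file specifies.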

Key points
- SELinux works in three modes: disabled, permissive, and enforcing.
- In Disabled mode, it does not interfere with system calls.
- In Permissive mode, it logs each system call but does not filter any access request.
- In Enforcing mode, it logs each system call and filters it using configured security policies. Based on security policy, it allows or denies the request.
- The /etc/sysconfig/selinux file saves the default mode.
- Enforcing mode is the default mode.
- The boot process checks and sets the default mode. It loads SELinux libraries if the default mode is permissive or enforcing. If set to disabled, it skips all libraries related to SELinux.
- We can switch between enforcing and permissive modes in the running session. Switching between enabled (enforcing or permissive) and disabled mode requires a reboot.
- If SELinux is disabled, nothing will go through SELinux. If SELinux is enabled, everything will go through SELinux.

This tutorial is part of the tutorial "SELinux Explained with Examples". Other parts of this tutorial are as follows:
Chapter 1 Basic concepts and fundamentals of SELinux
Chapter 2 SELinux and AppArmor Differences and Terminology
Chapter 3 SELinux Modes Explained with Examples
Chapter 4 SELinux Contexts for Users, Processes, and Files
Chapter 5 Copying, Moving, and Archiving Files with SELinux Contexts
Chapter 6 SELinux Explained with Examples in Easy Language
Chapter 7 SELinux Booleans Explained with Examples
Chapter 8 Troubleshooting SELinux explained with Booleans
Conclusion
This tutorial explained what SELinux modes are and how they work. It also explained switching between them on a running system temporarily and permanently. A permanent switch requires a system reboot.
By ComputerNetworkingNotes Updated on 2026-02-07