Chapter 2. Changing SELinux states and modes


Configure SELinux to run in enforcing, permissive, or disabled mode to control how the system enforces security policies. You can apply these states permanently or at boot time to troubleshoot access denials and ensure file systems are correctly labeled when enabling SELinux.

When enabled, SELinux can run in one of two modes: enforcing or permissive. By default, SELinux is enabled and runs in enforcing mode. Disabling SELinux or setting it to permissive mode prevents SELinux from protecting the system. Changing SELinux status by using the setenforce command is temporary and reverts after restart. To permanently change SELinux status, you must change SELinux configuration files or kernel parameters.

2.1. Permanent changes in SELinux states and modes

SELinux modes determine how the system enforces security policies and logs access violations. Configuring the correct mode maintains system security and prevents boot failures caused by file system relabeling when enabling SELinux from a disabled state.

SELinux operates in an enabled or disabled state. When enabled, SELinux runs in enforcing or permissive mode. For more information about these modes, see SELinux states and modes.

The getenforce command reports the current mode as Enforcing, Permissive, or Disabled.

The sestatus command reports the SELinux status and information about the loaded SELinux policy:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
Warning

When systems run SELinux in permissive mode, users and processes might label various file-system objects incorrectly. File-system objects created while SELinux is disabled are not labeled at all. This behavior causes problems when changing to enforcing mode because SELinux relies on correct labels of file-system objects.

To prevent incorrectly labeled and unlabeled files from causing problems, SELinux automatically relabels file systems when changing from the disabled state to permissive or enforcing mode. Use the fixfiles -F onboot command as root to create the /.autorelabel file containing the -F option to ensure that files are relabeled upon next reboot.

Before rebooting the system for relabeling, make sure the system will boot in permissive mode, for example by using the enforcing=0 kernel option. This prevents the system from failing to boot in case the system contains unlabeled files required by systemd before launching the selinux-autorelabel service. For more information, see RHBZ#2021835.

2.2. Changing SELinux to permissive mode

Configure SELinux to run in permissive mode to troubleshoot denial messages and debug security policies. In this mode, the system logs Access Vector Cache (AVC) events but does not enforce the active policy, so you can analyze impacts without blocking system operations. SELinux logs each denial only once.

Prerequisites

  • The selinux-policy-targeted, libselinux-utils, and policycoreutils packages are installed on your system.
  • The selinux=0 or enforcing=0 kernel parameters are not used.

Procedure

  1. Open the /etc/selinux/config file in a text editor and configure the SELINUX=permissive option:

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - No SELinux policy is loaded.
    SELINUX=permissive
    # SELINUXTYPE= can take one of these two values:
    #       targeted - Targeted processes are protected,
    #       mls - Multi Level Security protection.
    SELINUXTYPE=targeted
  2. Restart the system:

    # reboot

Verification

  1. After the system restarts, confirm that the getenforce command returns Permissive:

    $ getenforce
    Permissive

2.3. Changing SELinux to enforcing mode

Configure SELinux to run in enforcing mode to protect your system by denying unauthorized access. In this mode, the system enforces the loaded security policy and blocks policy violations. If you are enabling SELinux from a disabled state, the system automatically relabels files on the next boot.

When you install the system with SELinux, RHEL enables enforcing mode by default.

Prerequisites

  • The selinux-policy-targeted, libselinux-utils, and policycoreutils packages are installed on your system.
  • The selinux=0 or enforcing=0 kernel parameters are not used.

Procedure

  1. Open the /etc/selinux/config file in a text editor and configure the SELINUX=enforcing option:

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - No SELinux policy is loaded.
    SELINUX=enforcing
    # SELINUXTYPE= can take one of these two values:
    #       targeted - Targeted processes are protected,
    #       mls - Multi Level Security protection.
    SELINUXTYPE=targeted
  2. Save the change, and restart the system:

    # reboot

    On the next boot, SELinux relabels all the files and directories within the system and adds SELinux context for files and directories that were created when SELinux was disabled.
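The following shell functions are an added example, not code from the Red Hat documentation. They perform step 1 of sections 2.2 and 2.3 (setting the SELINUX= line in a file laid out like /etc/selinux/config) without a text editor, reject any value other than the three the file documents, and read the result back so a failed edit is reported. The config path is a parameter so the functions can be exercised on a scratch copy; pass /etc/selinux/config as root to change the live setting. GNU sed is assumed.

```bash
#!/bin/bash
# Added example, not code from the Red Hat documentation. It edits the
# SELINUX= line of an /etc/selinux/config-style file the way step 1 of
# sections 2.2 and 2.3 does by hand, and reads the result back. The file path
# is a parameter so the functions can be exercised on a scratch copy; pass
# /etc/selinux/config (as root) to change the live setting. Assumes GNU sed.
set -eu

# Print the effective SELINUX= value (last uncommented assignment wins).
selinux_mode_from_config() {
    local cfg="$1"
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$cfg" | tail -n 1
}

# Replace (or append) the SELINUX= line. Only the three values the config
# file documents are accepted; the file is left untouched otherwise.
set_selinux_config_mode() {
    local cfg="$1" mode="$2"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "set_selinux_config_mode: invalid mode '$mode'" >&2; return 1 ;;
    esac
    if grep -q '^[[:space:]]*SELINUX=' "$cfg"; then
        sed -i "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$cfg"
    else
        printf 'SELINUX=%s\n' "$mode" >> "$cfg"
    fi
    # Read back so a failed edit is reported rather than silently ignored.
    [ "$(selinux_mode_from_config "$cfg")" = "$mode" ]
}

# Demonstration on a constructed scratch copy (not the live config).
demo_cfg=$(mktemp)
printf '# constructed sample\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo_cfg"
set_selinux_config_mode "$demo_cfg" permissive
echo "scratch config now: SELINUX=$(selinux_mode_from_config "$demo_cfg")"
rm -f "$demo_cfg"
```

Editing the file only changes the mode that is read at the next boot; the reboot in step 2 is still required, and the SELINUXTYPE= line is deliberately left untouched.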

Verification

  1. After the system restarts, confirm that the getenforce command returns Enforcing:

    $ getenforce
    Enforcing

Troubleshooting

After changing to enforcing mode, SELinux may deny some actions because of incorrect or missing SELinux policy rules.

  • To view what actions SELinux denies, enter the following command as root:

    # ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts today
  • Alternatively, with the setroubleshoot-server package installed, enter:

    # grep "SELinux is preventing" /var/log/messages
  • If SELinux is active and the Audit daemon (auditd) is not running on your system, then search for certain SELinux messages in the output of the dmesg command:

    # dmesg | grep -i -e type=1300 -e type=1400

See Troubleshooting problems related to SELinux for more information.
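The following script is an added example, not code from the Red Hat documentation. It condenses raw AVC records, such as the output of the ausearch command above, into one counted line per source type, target type, object class, permission set and mode, so that a long series of identical denials (the behaviour permissive mode produces, see section 2.6) collapses into a single line with a count. The audit records embedded in the script are constructed for this example; on a real system pipe ausearch output into summarize_avc instead.

```bash
#!/bin/bash
# Added example, not code from the Red Hat documentation. It summarises raw
# AVC records such as those printed by "ausearch -m AVC -ts today" into one
# line per (source type, target type, class, permission set, mode) with a
# count, so repeated denials from a permissive-mode run are easy to see.
# The sample records below are constructed for this example.
set -eu

# Reads audit records on stdin, writes
# "<count> <src_t> -> <tgt_t> <class> { perms } <mode>", most frequent first.
# Only type=AVC lines are counted; USER_AVC and SYSCALL records are ignored.
summarize_avc() {
    awk '
    /^type=AVC / && / denied / {
        perm = ""; src = ""; tgt = ""; cls = ""; mode = "enforcing"
        # the permission set sits between the braces: "{ read open }"
        if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") src = kv[2]
            else if (kv[1] == "tcontext") tgt = kv[2]
            else if (kv[1] == "tclass") cls = kv[2]
            else if (kv[1] == "permissive" && kv[2] == "1") mode = "permissive"
        }
        # keep only the type component (user:role:type:level) of each context
        split(src, s, ":"); split(tgt, t, ":")
        key = s[3] " -> " t[3] " " cls " { " perm " } " mode
        count[key]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }' | sort -rn
}

# Constructed sample: two identical file denials in enforcing mode and one
# network denial recorded while permissive (permissive=1).
SAMPLE_AVC=$(cat <<'EOF'
type=AVC msg=audit(1700000000.101:401): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="vda1" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:401): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1700000001.202:402): avc:  denied  { read } for  pid=1234 comm="httpd" name="style.css" dev="vda1" ino=5679 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000002.303:403): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
EOF
)

printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

The permissive=1 field on a record tells you the denial was logged but not blocked; a summary line ending in "permissive" therefore shows what enforcing mode would start denying after the switch described in section 2.3.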

2.4. Enabling SELinux on systems that previously had it disabled

Enable SELinux on systems that previously had it disabled to restore security protections and enforce mandatory access control. You must first run the system in permissive mode and relabel the file system to prevent boot failures caused by missing or incorrect security labels.

File-system objects created while SELinux is disabled do not have security labels. This lack of labels causes failures when changing directly to enforcing mode because the system relies on correct contexts to make access decisions.

Warning

Before rebooting the system for relabeling, make sure the system will boot in permissive mode, for example by using the enforcing=0 kernel option. This prevents the system from failing to boot in case the system contains unlabeled files required by systemd before launching the selinux-autorelabel service. For more information, see RHBZ#2021835.

Procedure

  1. Enable SELinux in permissive mode. For more information, see Changing SELinux to permissive mode.
  2. Restart your system:

    # reboot
  3. Check for SELinux denial messages. For more information, see Identifying SELinux denials.
  4. Ensure that files are relabeled upon the next reboot:

    # fixfiles -F onboot

    This creates the /.autorelabel file containing the -F option.

    Warning

    Always switch to permissive mode before entering the fixfiles -F onboot command.

    By default, autorelabel uses as many threads in parallel as the system has available CPU cores. To use only a single thread during automatic relabeling, use the fixfiles -T 1 onboot command.

  5. If there are no denials, switch to enforcing mode. For more information, see Changing SELinux modes at boot time.
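The following functions are an added example, not code from the Red Hat documentation. They schedule the relabel of step 4 the way fixfiles -F onboot does according to this page (by creating /.autorelabel containing the -F option), but refuse to do so unless SELinux is already in permissive mode, which enforces the warning given in sections 2.1 and 2.4. The root directory and the mode are parameters so the check can be run against a scratch directory; on a real system you would call schedule_relabel / "$(getenforce)" as root. That the threaded variant writes "-F -T N" into the file is an assumption made for this example.

```bash
#!/bin/bash
# Added example, not code from the Red Hat documentation. It mirrors what
# "fixfiles -F onboot" does on this page (create /.autorelabel containing
# the -F option) but refuses to schedule the relabel unless SELinux is
# already permissive, which is the warning in sections 2.1 and 2.4.
# root_dir and mode are parameters so the check can be run against a scratch
# directory; on a real system call: schedule_relabel / "$(getenforce)".
# The "-F -T N" file content for the threaded variant is an assumption.
set -eu

schedule_relabel() {
    local root_dir="$1" mode="$2" threads="${3:-}"
    case "$mode" in
        [Pp]ermissive) ;;
        [Ee]nforcing)
            echo "refusing: set SELINUX=permissive (or boot with enforcing=0) and reboot first" >&2
            return 2 ;;
        [Dd]isabled)
            echo "refusing: enable SELinux in permissive mode before relabeling" >&2
            return 2 ;;
        *) echo "unknown getenforce output: $mode" >&2; return 1 ;;
    esac
    local opts="-F"
    if [ -n "$threads" ]; then
        opts="$opts -T $threads"   # threads=1 gives the single-threaded relabel
    fi
    printf '%s\n' "$opts" > "$root_dir/.autorelabel"
    echo "relabel scheduled: $root_dir/.autorelabel contains '$opts'"
}

# True when a relabel is pending for the next boot.
relabel_pending() {
    [ -f "$1/.autorelabel" ]
}

# Demonstration against a constructed scratch root, first in the wrong mode.
demo_root=$(mktemp -d)
schedule_relabel "$demo_root" Enforcing || echo "exit status $? as expected"
schedule_relabel "$demo_root" Permissive
relabel_pending "$demo_root" && echo "pending: yes"
rm -rf "$demo_root"
```

The refusal in enforcing mode is the point: a relabel scheduled from enforcing mode can leave the system unable to boot if systemd needs an unlabeled file before the selinux-autorelabel service runs, which is exactly the failure the warning above describes.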

Verification

  1. After the system restarts, confirm that the getenforce command returns Enforcing:

    $ getenforce
    Enforcing

Next steps

To run custom applications with SELinux in enforcing mode, choose one of the following scenarios:

  • Run your application in the unconfined_service_t domain.
  • Write a new policy for your application. See the Writing a custom SELinux policy section for more information.

2.5. Disabling SELinux

Disable SELinux by configuring the kernel command line to completely deactivate the security infrastructure. Use this mode only when necessary, because it stops the system from labeling files and makes re-enabling SELinux difficult.

When you disable SELinux, your system does not load the security policy or log Access Vector Cache (AVC) messages. Therefore, all benefits of running SELinux are lost.

Warning

Do not disable SELinux except in specific scenarios, such as performance-sensitive systems where weakened security is acceptable.

If you must debug your system in a production environment, temporarily use permissive mode instead of permanently disabling SELinux. See Changing to permissive mode for more information about permissive mode.

Prerequisites

  • The grubby package is installed:

    $ rpm -q grubby
    grubby-<version>

Procedure

  1. Configure your boot loader to add selinux=0 to the kernel command line:

    $ sudo grubby --update-kernel ALL --args selinux=0
  2. Restart your system:

    $ reboot

Verification

  • After the reboot, confirm that the getenforce command returns Disabled:

    $ getenforce
    Disabled

2.6. SELinux kernel boot parameters

Kernel boot parameters control the SELinux mode and system initialization at boot time. You can use these parameters to override the default security configuration during system startup.

enforcing=0

Setting this parameter causes the system to start in permissive mode, which is useful when troubleshooting issues. Using permissive mode might be the only option to detect a problem if your file system is corrupted. Moreover, in permissive mode, the system creates labels correctly. The AVC messages generated in this mode can differ from those generated in enforcing mode.

In permissive mode, the system reports only the first denial from a series of the same denials. However, in enforcing mode, you might get a denial related to reading a directory, and an application stops. In permissive mode, you get the same AVC message, but the application continues reading files in the directory and you get an AVC for each denial.

selinux=0

This parameter causes the kernel to not load any part of the SELinux infrastructure. The init scripts detect that the system booted with the selinux=0 parameter and touch the /.autorelabel file. This causes the system to automatically relabel the next time you boot with SELinux enabled.

Important

Do not use the selinux=0 parameter in a production environment. To debug your system, temporarily use permissive mode instead of disabling SELinux.

autorelabel=1

This parameter forces the system to relabel similarly to the following commands:

# touch /.autorelabel
# reboot

If a file system contains a large amount of mislabeled objects, start the system in permissive mode to ensure the autorelabel process succeeds.

For additional SELinux kernel boot parameters, such as checkreqprot, see the /usr/share/doc/kernel-doc-<KERNEL_VER>/Documentation/admin-guide/kernel-parameters.txt file installed with the kernel-doc package. Replace the <KERNEL_VER> string with the version number of the installed kernel, for example:

# dnf install kernel-doc
$ less /usr/share/doc/kernel-doc-6.12.0-55.9.1/Documentation/admin-guide/kernel-parameters.txt
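The following functions are an added example, not code from the Red Hat documentation. selinux_boot_state reads a kernel command line and reports which of the parameters described in this section (selinux=0, enforcing=0, enforcing=1, autorelabel=1) are in effect, including the selinux=0 setting that the grubby command in section 2.5 adds; relabel_boot_is_safe applies the rule from section 2.1 that a pending relabel should run in a permissive boot. The command line is passed as an argument so the functions can be tested on constructed strings; on a live system use selinux_boot_state "$(cat /proc/cmdline)". The safety check is deliberately conservative: without an explicit enforcing=0 it does not try to guess the mode from /etc/selinux/config.

```bash
#!/bin/bash
# Added example, not code from the Red Hat documentation. It classifies the
# SELinux-related kernel boot parameters from section 2.6 (selinux=0,
# enforcing=0/1, autorelabel=1) in a command line string, and checks the
# section 2.1 rule that a pending relabel should boot permissive. The command
# line is an argument so it can be tested on constructed strings; on a live
# system use: selinux_boot_state "$(cat /proc/cmdline)".
set -eu

# Print "mode=<disabled|permissive|enforcing|config> relabel=<yes|no>".
# "config" means no override is present and /etc/selinux/config decides.
selinux_boot_state() {
    local word selinux="" enforcing="" relabel="no" mode
    for word in $1; do
        case "$word" in
            selinux=*)     selinux="${word#selinux=}" ;;
            enforcing=*)   enforcing="${word#enforcing=}" ;;
            autorelabel=1) relabel="yes" ;;
        esac
    done
    if [ "$selinux" = 0 ]; then
        mode="disabled"
        # selinux=0 keeps the whole SELinux infrastructure unloaded; the page
        # says not to use it in production, and the init scripts touch
        # /.autorelabel so the next boot with SELinux enabled relabels.
        echo "warning: selinux=0 present, SELinux will not be loaded at all" >&2
    elif [ "$enforcing" = 0 ]; then
        mode="permissive"
    elif [ "$enforcing" = 1 ]; then
        mode="enforcing"
    else
        mode="config"
    fi
    printf 'mode=%s relabel=%s\n' "$mode" "$relabel"
}

# Return 0 if no relabel is pending, or if the pending relabel will run in a
# boot that cannot enforce (enforcing=0 or selinux=0); return 1 when
# /.autorelabel exists but the command line does not guarantee permissive.
relabel_boot_is_safe() {
    local cmdline="$1" root_dir="$2"
    [ -f "$root_dir/.autorelabel" ] || return 0
    case "$(selinux_boot_state "$cmdline" 2>/dev/null)" in
        mode=permissive*|mode=disabled*) return 0 ;;
        *) echo "relabel pending but boot is not permissive: add enforcing=0" >&2
           return 1 ;;
    esac
}

# Demonstration on constructed command lines.
for cl in 'BOOT_IMAGE=/vmlinuz root=/dev/vda1 ro quiet' \
          'root=/dev/vda1 ro enforcing=0 autorelabel=1' \
          'root=/dev/vda1 ro selinux=0'; do
    printf '%-48s -> %s\n' "$cl" "$(selinux_boot_state "$cl" 2>/dev/null)"
done
```

Running relabel_boot_is_safe "$(cat /proc/cmdline)" / before the reboot in section 2.4, step 4, is a cheap way to catch the case where /.autorelabel was created but the enforcing=0 override was forgotten.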