SELinux has three modes:
Enforcing: SELinux policy is enforced. SELinux denies access based on SELinux policy rules.
Permissive: SELinux policy is not enforced. SELinux does not deny access, but denials are logged for actions that would have been denied if running in enforcing mode.
Disabled: SELinux is disabled. Only DAC rules are used.
Use the /usr/sbin/setenforce
command to change between enforcing and permissive mode. Changes made with /usr/sbin/setenforce
do not persist across reboots. To change to enforcing mode, as the Linux root user, run the /usr/sbin/setenforce 1
command. To change to permissive mode, run the /usr/sbin/setenforce 0
command. Use the /usr/sbin/getenforce
command to view the current SELinux mode.
Persistent mode changes are covered in Section 5.4, “Enabling and Disabling SELinux”.