LINUX // RHCE 6 Study Guide // Manage System Security // how to change SELinux modehow to change SELinux mode
In this article I would cover following RHCSA exam objectives
- How to set enforcing mode for SELinux
- How to set permissive mode for SELinux
- How to disable SELinux
SELinux is including in default installation of RHEL6. When you install RHEL6 SELinux is automatically installed with enforcing mode. But for exam you should know which rpm packages are required for SELinux.
For SELinux following rpm are required.
- selinux
- policycoreutils
- setroubleshoot
- selinux-policy-targeted
- selinux-policy
- libselinux
- libselinux-python
- libselinux-utils
- policycoreutils-python
- setroubleshoot-server
- setroubleshoot-plugins
This article assumes that above packages are installed. If these packages are not installed, install them first. Before going further make sure you have all required packaged installed. Use the rpm -qa | grep selinux, rpm -q policycoreutils, and rpm -qa | grep setroubleshoot commands to confirm that the SELinux packages are installed.
rpm -qa | grep selinux rpm -qa | grep policycoreutils rpm -qa | grep setroubleshoot
how to check that SELinux is running
To determine the current status of SELinux use sestatus command
As suggested in the RHCSA objectives, you need to know how to “Set enforcing or permissive modes for SELinux.” There are three available modes for SELinux: enforcing, permissive, and disabled.
| disabled | SELinux is turned off and does not restrict any action. |
| permissive | In permissive mode any SELinux security violation would be logged only, it means in permissive mode security violation would not be stopped. |
| enforcing | In enforcing mode any SELinux security violation would be logged and service would stop. Any action that violate SELinux rule would be denied. |
Configuring SELinux
You can change the mode in which SELinux operates by changing the config file. The main config file is /etc/selinux/config.
Before SELinux is enabled, each file on the file system must be labeled with a SELinux context. Before this happens, confined domains may be denied access, preventing your system from booting correctly. To prevent this, configure SELINUX=permissive in /etc/selinux/config
open configuration file
set mode to permissive and save file
Now reboot the system.
During the next boot, file systems are labeled. The label process labels all files with a SELinux context. In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied if running in enforcing mode.
After reboot you could verify that system is in permissive mode
Before changing to enforcing mode run the grep "SELinux is preventing" /var/log/messages command to confirm that SELinux did not deny actions during the last boot.
If SELinux did not deny actions during the last boot, this command does not return any output.
If there were no denial messages in /var/log/messages, open /etc/selinux/config file
configure SELINUX=enforcing in /etc/selinux/config:
Reboot your system.
After reboot, confirm that the getenforce command returns Enforcing:
or you could sestatus command
disabling of SELinux is straightforward
open configuration file
change the mode to disable in configuration file
reboot the system
after reboot confirm the status
Search more about
Search in Google for
