getenforce
Check SELinux enforcing mode status
TLDR
Display the current mode of SELinux
SYNOPSIS
getenforce
DESCRIPTION
The getenforce command is a simple utility used to determine the current SELinux (Security-Enhanced Linux) mode of operation on a Linux system. SELinux provides an extra layer of security by enforcing access control policies that limit the actions that processes and users can perform. getenforce queries the SELinux kernel policy to discover the current mode.
The output of getenforce will be one of the following three states: Enforcing, Permissive, or Disabled. Enforcing mode means SELinux is actively blocking actions that violate the policy. Permissive mode means SELinux logs policy violations but does not block the actions. Disabled mode means SELinux is not active at all.
Understanding the SELinux mode is crucial for troubleshooting security issues and configuring the system for desired security levels. getenforce is commonly used in scripts and system administration tasks to check the SELinux status.
CAVEATS
getenforce only reports the *current* status of SELinux. Changes to SELinux configuration may require a reboot to take full effect.
EXIT STATUS
The getenforce command returns an exit status of 0 if it successfully determines the SELinux mode. It returns a non-zero exit status if an error occurs, such as if SELinux is not enabled or if there is a problem accessing the SELinux kernel policy. This can be used in scripting and automation tasks.
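A pre-flight check of the kind the description and caveat point to, as an added example that is not part of the original page: it keys on the mode getenforce prints and compares it with the persistent SELINUX= setting in /etc/selinux/config, so a running mode that does not match the boot-time configuration is flagged. GETENFORCE and SELINUX_CONFIG are hypothetical override variables introduced here so the functions can be exercised without a live SELinux host.

```sh
#!/bin/sh
# Added example: gate a script on the SELinux mode and flag drift between
# the running mode and the persistent setting in /etc/selinux/config.
# GETENFORCE and SELINUX_CONFIG are hypothetical overrides for testing.

# Print the running mode in lower case; return 2 if getenforce fails.
runtime_mode() {
    out=$("${GETENFORCE:-getenforce}" 2>/dev/null) || return 2
    printf '%s\n' "$out" | tr '[:upper:]' '[:lower:]'
}

# Print the configured mode from the first SELINUX= line (SELINUXTYPE= is
# not matched). Return 1 if the file cannot be read.
configured_mode() {
    cfg="${SELINUX_CONFIG:-/etc/selinux/config}"
    [ -r "$cfg" ] || return 1
    sed -n 's/^SELINUX=\([A-Za-z]*\).*/\1/p' "$cfg" |
        head -n 1 | tr '[:upper:]' '[:lower:]'
}

# 0 = enforcing now and configured enforcing
# 1 = running permissive or disabled
# 2 = getenforce failed or printed something unexpected
# 3 = running enforcing, but the persistent setting differs or is unknown
selinux_gate() {
    run=$(runtime_mode) || { echo "error: getenforce failed" >&2; return 2; }
    case "$run" in
        enforcing) ;;
        permissive|disabled) echo "SELinux is $run" >&2; return 1 ;;
        *) echo "error: unexpected output '$run'" >&2; return 2 ;;
    esac
    conf=$(configured_mode) || conf=""
    if [ "$conf" != "enforcing" ]; then
        echo "drift: running=$run configured=${conf:-unknown}" >&2
        return 3
    fi
    return 0
}

# Typical use at the top of a deployment script:
#   selinux_gate || exit $?
```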
HISTORY
SELinux was integrated into the Linux kernel in 2.6, and the getenforce command was created to check the current state of the module. Before SELinux was widely adopted, checking the mode was less common; getenforce is now a crucial command for learning SELinux's current state.
SEE ALSO
setenforce(8), sestatus(1), selinuxenabled(1), chcon(1)