LinuxCommandLibrary

getenforce

Check SELinux enforcing mode status

TLDR

Display the current mode of SELinux

$ getenforce

SYNOPSIS

getenforce

DESCRIPTION

getenforce is a command-line utility used on Linux systems with SELinux (Security-Enhanced Linux) enabled. Its primary function is to display the current enforcement mode of SELinux.

SELinux operates in one of three modes:

  • Enforcing: SELinux security policy is active and enforced. All denials are logged, and actions are prevented according to the policy.
  • Permissive: SELinux security policy is active, but only warnings/denials are logged. Actions that would be denied in enforcing mode are permitted, making it useful for testing or debugging policies.
  • Disabled: SELinux is completely turned off. No policy is loaded, and no security checks are performed by SELinux.

The command outputs one of these three strings, indicating the current state of SELinux enforcement on the system. It's a quick way for administrators and users to ascertain the immediate security posture concerning SELinux.

CAVEATS

The getenforce command only displays the current SELinux enforcement mode. It does not provide information about why SELinux is in that mode, nor does it allow for changing the mode. To change the mode, one would typically use setenforce for a runtime change or modify /etc/selinux/config for a persistent change requiring a reboot.

If SELinux is not installed or enabled on the system, getenforce might not be available or might report an error.
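
Because getenforce reports only the runtime mode, a host can show Enforcing now while /etc/selinux/config says otherwise, or the reverse after a runtime setenforce change. The following is an added example, not part of the original page: a POSIX shell check that compares the two and flags any mismatch. The function names (configured_mode, selinux_posture, check_host) and the verdict strings are hypothetical.

```shell
#!/bin/sh
# Added example: compare the runtime SELinux mode with the persistent setting.

# Print the SELINUX= value from a config file, lowercased (last assignment wins).
# SELINUXTYPE= and commented-out lines do not match the pattern.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" 2>/dev/null |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Classify a (runtime, configured) pair. Prints a verdict and returns 0 only
# when the system is enforcing now and configured to stay enforcing.
selinux_posture() {
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    configured=$2
    case "$runtime:$configured" in
        enforcing:enforcing)
            echo "OK: enforcing now and after reboot" ;;
        enforcing:*)
            echo "DRIFT: enforcing now, config says '${configured:-unset}'"; return 1 ;;
        permissive:enforcing)
            echo "DRIFT: runtime permissive, config enforcing (changed at runtime?)"; return 1 ;;
        permissive:*|disabled:*)
            echo "WEAK: runtime $runtime, config '${configured:-unset}'"; return 1 ;;
        *)
            echo "UNKNOWN: unexpected getenforce output '$1'"; return 2 ;;
    esac
}

# Check the live system; the config path defaults to the one named in CAVEATS.
check_host() {
    config=${1:-/etc/selinux/config}
    if ! command -v getenforce >/dev/null 2>&1; then
        echo "UNKNOWN: getenforce not installed"; return 2
    fi
    selinux_posture "$(getenforce 2>/dev/null)" "$(configured_mode "$config")"
}

# Run against the host only when asked: sh script.sh --check [config-path]
if [ "${1:-}" = "--check" ]; then check_host "${2:-}"; fi
```

The exit status (0 OK, 1 drift or weak, 2 unknown) lets a monitoring job or configuration audit alert on anything other than a consistent enforcing state.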

RETURN VALUES

The command exits with a status code of 0 upon successful execution. It typically outputs the current enforcement mode (Enforcing, Permissive, or Disabled) to standard output.

USAGE EXAMPLE

To check the current SELinux enforcement status:
$ getenforce
Enforcing

This example shows that SELinux is currently operating in 'Enforcing' mode.

HISTORY

SELinux was originally developed by the United States National Security Agency (NSA) to provide a mechanism for mandatory access control (MAC) on Linux systems. It was released to the open-source community in 2000 and integrated into the Linux kernel mainline in 2003. getenforce, along with setenforce, became part of the selinux-utils or policycoreutils packages, providing simple command-line interfaces to query and modify the basic SELinux enforcement state. Its design is intentionally minimalistic to provide a quick, unambiguous status check.

SEE ALSO
