getenforce

Display the current mode of SELinux

$ getenforce

getenforce [-h | --help] [-V | --version]

-h, --help
    Display this help message and exit

-V, --version
    Show version information

The getenforce command queries and prints the current SELinux enforcement status on a Linux system. SELinux (Security-Enhanced Linux) operates in three modes: Enforcing (policy rules are enforced and violations are blocked/logged), Permissive (violations are logged but not blocked, useful for testing), and Disabled (SELinux is completely turned off).

This tool reads the enforce value from the SELinux pseudo-filesystem (/sys/fs/selinux/enforce) or falls back to kernel boot parameters if unavailable. It is essential for system administrators to verify SELinux status during troubleshooting, auditing, or mode changes. Output is a single word matching one of the modes, making it ideal for scripting (e.g., if getenforce | grep -q Enforcing). Part of the libselinux-utils package, it requires no arguments for standard use.

Requires SELinux support in the kernel; reports Disabled if SELinux is compiled out or boot-time disabled. Does not change mode—use setenforce for that.

Exactly one of: Enforcing, Permissive, Disabled.

0 if Enforcing or Permissive; 1 if Disabled or error.

Developed as part of the SELinux project by the NSA, integrated into mainline Linux kernel since 2.6.0 (2003). getenforce utility from libselinux tools, with versions tracking SELinux policy evolution.

setenforce(8), sestatus(1), getsebool(8)