semanage-permissive
Set SELinux domain to permissive mode
TLDR
List all process types (a.k.a. domains) that are in permissive mode
Set permissive mode for a domain
Unset permissive mode for a domain
SYNOPSIS
semanage permissive -l
semanage permissive -a type_name
semanage permissive -d type_name
PARAMETERS
-a, --add
Adds the specified SELinux type_name to the list of permissive domains. This change is persistent across reboots.
-d, --delete
Deletes the specified SELinux type_name from the list of permissive domains. This re-enables SELinux enforcement for that domain. This change is persistent across reboots.
-l, --list
Lists all currently configured SELinux permissive domains.
type_name
The name of the SELinux type (domain) to be added or deleted. This is typically the name of a process domain, e.g., httpd_t or sshd_t.
DESCRIPTION
The semanage-permissive command is a subcommand of the broader semanage utility, which is used for managing SELinux policies on a Linux system. Specifically, semanage-permissive allows system administrators to add, delete, or list SELinux types (domains) that are configured to operate in "permissive" mode. When a domain is set to permissive, SELinux policy rules for that specific domain are not enforced: instead of blocking actions the policy would normally deny, SELinux only logs the would-be denials (AVC records) to the system's audit log (typically /var/log/audit/audit.log, or the systemd journal when auditd is not running).
This functionality is invaluable during the development and troubleshooting of new applications or custom SELinux policies. It enables developers to identify and analyze all policy violations without causing the application to malfunction or crash due to SELinux enforcement. After identifying the necessary policy adjustments by reviewing the audit logs, administrators can then refine their SELinux rules. Once a policy is deemed correct and stable, the domain can be removed from the permissive list, restoring full SELinux enforcement for that service or application.
It's important to understand that while permissive mode is excellent for debugging, it inherently reduces the security posture for the specific domains involved, as malicious activities within a permissive domain will not be actively blocked by SELinux. Therefore, it is generally recommended to use semanage-permissive as a temporary measure and to revert domains to enforcing mode as soon as possible after debugging is complete.
CAVEATS
Reduced Security Posture: While a domain is permissive, SELinux will not enforce its policy for that domain, meaning potential security threats or policy violations within that domain will not be blocked, only logged.
Debugging Tool, Not a Permanent Solution: semanage-permissive is primarily designed for troubleshooting and policy development. Leaving domains permanently permissive undermines the security benefits of SELinux and is generally not recommended for production environments.
Requires Administrative Privileges: This command modifies the SELinux policy store and requires root privileges or equivalent permissions to execute successfully.
PERSISTENCE
Unlike some other SELinux changes (e.g., setenforce 0 for global permissive mode), modifications made using semanage-permissive are written to the SELinux policy store and persist across system reboots. This means you do not need to re-apply the permissive setting after a system restart.
VERIFYING PERMISSIVE DOMAINS
To check which domains are currently set to permissive, use semanage permissive -l. Additionally, you can review the system's audit logs (e.g., with ausearch -m AVC -ts today -i) for denial messages from the domain in question: if denials are logged but the corresponding operations still succeeded, the domain is running permissive, and each AVC record states this directly in its permissive= field (1 when only logged, 0 when enforced).
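The two checks described above, as an added example that is not part of the semanage manual page: a POSIX shell script with one parser for the output format of semanage permissive -l and one for the permissive= field of raw AVC audit records. It runs offline on constructed sample output and constructed audit lines (the domain names myapp_t, the PIDs, inode numbers and timestamps are made up for the example); on a real host, pipe the output of semanage permissive -l and of ausearch -m AVC -ts today (raw, without -i) into the same functions.

```sh
#!/bin/sh
# Added example, not part of the semanage manual page: offline parsers for the
# two verification routes (semanage permissive -l output and AVC audit records).

# Constructed sample of `semanage permissive -l` output. Recent policycoreutils
# prints a "Builtin" and a "Customized" section; the domain names are made up.
SAMPLE_LIST='
Builtin Permissive Types

Customized Permissive Types

httpd_t
myapp_t
'

# Constructed sample AVC records in the raw /var/log/audit/audit.log format.
# Every AVC record ends with permissive=0 (denial enforced) or permissive=1
# (denial only logged), so the record itself tells you the domain's mode.
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { name_connect } for  pid=1301 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { write } for  pid=1201 comm="httpd" name="cache" dev="sda1" ino=4343 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1'

# customized_permissive_domains: read `semanage permissive -l` output on stdin
# and print the names under "Customized Permissive Types", one per line.
customized_permissive_domains() {
    awk '
        /^Customized Permissive Types/ { in_custom = 1; next }
        /^Builtin Permissive Types/    { in_custom = 0; next }
        in_custom && NF                { print $1 }
    '
}

# is_permissive DOMAIN: succeed if DOMAIN is in the customized list on stdin.
is_permissive() {
    customized_permissive_domains | grep -qx -- "$1"
}

# avc_domain_modes: read raw AVC records on stdin and print "<domain> <mode>"
# once per source domain, where the domain is the type field of scontext= and
# the mode comes from the record's permissive= field.
avc_domain_modes() {
    awk '
        /avc:  denied/ {
            dom = ""; mode = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split($i, ctx, ":"); dom = ctx[3] }
                if ($i == "permissive=1") mode = "permissive"
                if ($i == "permissive=0") mode = "enforcing"
            }
            if (dom != "" && !seen[dom]++) print dom, mode
        }
    '
}

# Stand-alone demonstration on the constructed samples.
echo "Customized permissive domains:"
printf '%s\n' "$SAMPLE_LIST" | customized_permissive_domains
echo "Mode seen in AVC records:"
printf '%s\n' "$SAMPLE_AVC" | avc_domain_modes
```

On the constructed samples the first parser reports httpd_t and myapp_t, and the second reports httpd_t as permissive and sshd_t as enforcing. A domain that shows up as permissive in either output but is not expected to be under debugging is exactly the condition the CAVEATS section warns about, so the same two functions are a reasonable basis for a periodic configuration-drift check.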
HISTORY
The semanage utility, of which semanage-permissive is a subcommand, emerged as part of the broader effort to simplify SELinux policy management for system administrators. Developed by the National Security Agency (NSA) in collaboration with various open-source communities, SELinux aimed to provide mandatory access control (MAC) capabilities to Linux. Early SELinux management often involved complex direct policy modifications. semanage was introduced to provide a higher-level, more user-friendly interface to manage persistent policy components like file contexts, port contexts, boolean settings, and permissive domains. Its integration into major distributions like Red Hat Enterprise Linux (RHEL) and Fedora significantly increased its adoption and usage among system administrators for easier debugging and deployment of SELinux-hardened systems.
SEE ALSO
semanage(8), setenforce(8), auditd(8), ausearch(8), audit2allow(1), chcon(1), restorecon(8)