LinuxCommandLibrary

semanage-permissive

Manage per-domain SELinux permissive mode

TLDR

List all process types in permissive mode

$ sudo semanage permissive -l
copy
Set permissive mode for a domain
$ sudo semanage permissive -a [httpd_t]
copy
Unset permissive mode for a domain
$ sudo semanage permissive -d [httpd_t]
copy

SYNOPSIS

semanage permissive [-l|-a|-d] [domain]

DESCRIPTION

semanage permissive manages per-domain permissive mode in SELinux. When a domain is set to permissive, SELinux logs policy violations but does not enforce them for processes in that domain.
This provides more granular control than global permissive mode (setenforce 0), allowing specific services to be unconfined while the rest of the system remains in enforcing mode.

PARAMETERS

-l, --list

List all domains in permissive mode
-a, --add
Add a domain to permissive mode
-d, --delete
Remove a domain from permissive mode

CAVEATS

Permissive domains are effectively unconfined and should only be used for troubleshooting. For production systems, configure proper SELinux policy rules instead of leaving domains in permissive mode. Requires root privileges.

SEE ALSO

semanage(8), setenforce(8), getenforce(8), audit2allow(1)

> TERMINAL_GEAR

Curated for the Linux community

Copied to clipboard

> TERMINAL_GEAR

Curated for the Linux community