setenforce

Put SELinux in enforcing mode

$ setenforce [1|Enforcing]

$ setenforce [0|Permissive]

setenforce { Enforcing | Permissive | 1 | 0 }

1 or Enforcing
    Sets SELinux to enforcing mode. In this mode, SELinux actively denies operations that violate its security policy and logs these denials.

0 or Permissive
    Sets SELinux to permissive mode. In this mode, SELinux does not deny operations, but it still logs policy violations, allowing for analysis without preventing application functionality.

The setenforce command is a crucial utility within the Security-Enhanced Linux (SELinux) framework, allowing system administrators to instantly modify the operating mode of SELinux.

SELinux enforces mandatory access control policies and typically operates in one of three states: enforcing, permissive, or disabled. While disabled mode requires a system reboot and modification of configuration files, setenforce enables seamless switching between enforcing and permissive modes without interruption.

In enforcing mode, SELinux actively blocks any operations that violate its security policy. In contrast, permissive mode allows all operations to proceed but logs any policy violations, making it invaluable for debugging and developing SELinux policies. This immediate control helps in identifying and resolving access issues without disrupting services, as one can quickly toggle the mode to observe behavior or gather audit logs.

• Requires root privileges to execute.
• Changes made by setenforce are not persistent across system reboots; the system will revert to the mode defined in /etc/selinux/config.
• It cannot set SELinux to disabled mode. Disabling SELinux requires editing /etc/selinux/config and rebooting the system.
• This command does not relabel file systems. If file contexts are incorrect, commands like restorecon or fixfiles are needed.

The state set by setenforce is temporary and only lasts until the next system reboot. To make a change permanent, you must modify the SELINUX entry in the /etc/selinux/config file (e.g., SELINUX=enforcing or SELINUX=permissive) and then reboot the system.

One of the most common uses of setenforce is during troubleshooting. By switching to permissive mode (setenforce 0), administrators can determine if an application failure is related to SELinux policy denials. If the application functions correctly in permissive mode, it indicates an SELinux issue, which can then be investigated further by examining audit logs, typically found at /var/log/audit/audit.log.

setenforce is a core component of the SELinux framework, which traces its origins back to the National Security Agency (NSA) and its efforts to enhance security in Linux. Integrated into the mainline Linux kernel around 2000, SELinux, along with utilities like setenforce, became a standard security feature in enterprise-grade Linux distributions such as Red Hat Enterprise Linux (RHEL) and Fedora. Its simple, immediate function reflects the practical need for administrators to quickly diagnose and manage SELinux policy issues without requiring a full system restart, making it an indispensable tool for daily operations and troubleshooting.

getenforce(8), selinux(8), semanage(8), sestatus(8), restorecon(8), fixfiles(8)