6.5.2 Changing the SELinux Mode

SELinux supports enforcing, permissive, and disabled modes. Enforcing mode is the default. Permissive mode allows operations that are not permitted in enforcing mode and logs those operations to the SELinux audit log. Permissive mode is typically used when developing policies or troubleshooting. In disabled mode, polices are not enforced, and contexts are not applied to system objects, which makes it difficult to enable SELinux later.

To view the current SELinux mode, use the sestatus command mentioned previously or the getenforce utility.

shell> getenforce
Enforcing

To change the SELinux mode, use the setenforce utility:

shell> setenforce 0
shell> getenforce
Permissive
shell> setenforce 1
shell> getenforce
Enforcing

Changes made with setenforce are lost when you restart the system. To permanently change the SELinux mode, edit the /etc/selinux/config file and restart the system.