
Saturday, March 13, 2010


Controlling SELinux

The getenforce command reports the current mode of SELinux: Enforcing, Permissive, or Disabled. On a system with SELinux disabled, it will display the following:

[root@station20 ~]# getenforce
Disabled
On a system with SELinux in Permissive Mode, it will display:
[root@vbg ~]# getenforce
Permissive
On a system with SELinux in Enforcing Mode, the following will be displayed:
[root@vbg ~]# getenforce
Enforcing
setenforce modifies the mode SELinux is running in. It is used to toggle between Permissive and Enforcing mode when SELinux is enabled.
To activate “Enforcing mode” on an SELinux-enabled system, run:
[root@vbg ~]# setenforce 1
To check the current status, use getenforce. To activate Permissive SELinux mode, execute:
[root@vbg ~]# setenforce 0
The sestatus command is used to get the status of a system running SELinux. Apart from mentioning the current mode of SELinux, it gives more information about the SELinux policy.
On a system with SELinux disabled, it will display:
[root@station20 ~]# sestatus
SELinux status:                 disabled
On a system with SELinux in Permissive Mode, it will display:
[root@vbg ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        targeted
The first line informs us that SELinux is enabled in this system.
The second line is of great significance. It displays the mount point of the SELinux pseudo file system. This file system is quite like the proc and sys file systems, and contains run-time information about your SELinux mode and various other things.
You can change run-time parameters of the SELinux system by directly writing to the files in this pseudo file system. As an example, just issue this command as the root user:
[root@vbg ~]# echo 1 > /selinux/enforce
You will see that the mode of SELinux has changed from Permissive to Enforcing.
To return to Permissive Mode, you can run either of these commands:
[root@vbg ~]# echo 0 > /selinux/enforce
or
[root@vbg ~]# setenforce 0
The third line shows the current SELinux mode, whereas the fourth line shows the mode set in the configuration file, under which the system booted.
The fifth line shows the version number of the policy (we will come to this later in this series) and finally, the sixth line shows the policy loaded from the configuration file (/etc/sysconfig/selinux) at boot time.
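
Because setenforce and writes to /selinux/enforce change only the running mode, the third and fourth lines of sestatus can disagree. The script below is an added example, not part of the original post: it reads sestatus text and reports that drift. The function names and verdict strings are made up for illustration, and it assumes the field labels shown above.

```sh
#!/bin/sh
# Added example: compare runtime and configured SELinux mode from sestatus text.

# Print the value of one "Label: value" line from sestatus output on stdin.
sestatus_field() {
    awk -F': *' -v key="$1" '$1 == key { sub(/[ \t]+$/, "", $2); print $2; exit }'
}

# Read sestatus output on stdin and print a one-line verdict.
selinux_verdict() {
    report=$(cat)
    status=$(printf '%s\n' "$report" | sestatus_field "SELinux status")
    current=$(printf '%s\n' "$report" | sestatus_field "Current mode")
    config=$(printf '%s\n' "$report" | sestatus_field "Mode from config file")

    if [ -z "$status" ]; then
        echo "UNKNOWN no SELinux status line"
    elif [ "$status" != "enabled" ]; then
        echo "DISABLED"
    elif [ "$current" != "$config" ]; then
        # Runtime mode changed after boot (setenforce or a write to the enforce file).
        echo "DRIFT runtime=$current config=$config"
    elif [ "$current" = "enforcing" ]; then
        echo "OK enforcing"
    else
        echo "WEAK $current"
    fi
}

# Constructed sample: the permissive host from the post after `setenforce 1`.
SAMPLE_DRIFT='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        targeted'

# Constructed sample: the same host before any runtime change.
SAMPLE_PERMISSIVE='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive'

printf '%s\n' "$SAMPLE_DRIFT" | selinux_verdict
printf '%s\n' "$SAMPLE_PERMISSIVE" | selinux_verdict
# On a live host: sestatus | selinux_verdict
```

A DRIFT verdict means the running mode will revert to the configured one at the next boot; WEAK means runtime and configuration agree but the system is not enforcing.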
