Guide/Mode
Mode
There are 3 modes: enforcing, permissive, and disabled.
In enforcing mode the SELinux policy is enforced; this is the mode to use on production systems. In permissive mode SELinux does not enforce the policy but logs every denial it would have made. Permissive mode is used for debugging and policy development. In disabled mode the SELinux policy is neither enforced nor logged.
It is not recommended to set an SELinux system into disabled mode. Doing so will almost certainly result in files on disk being mislabeled and require a relabel to fix. It is also not possible to change the mode of the system when it has been booted in disabled mode. It is best to set SELinux into permissive mode instead.
The mode may be changed in the boot loader, selinux config, and at runtime with setenforce.
Grub
Ubuntu
In /boot/grub/menu.lst, find a line similar to this:
kernel /boot/vmlinuz-2.6.28-11-generic root=UUID=5d8bcca0-b763-41b8-ab2c-d68880f8f4b5 ro quiet splash apparmor.enabled=0 selinux=1
An additional parameter 'enforcing=[0|1]' can be passed to set the mode:
kernel /boot/vmlinuz-2.6.28-11-generic root=UUID=5d8bcca0-b763-41b8-ab2c-d68880f8f4b5 ro quiet splash apparmor.enabled=0 selinux=1 enforcing=0
In the example above the mode has been set to 'enforcing=0' (which means permissive).
SELinux may be disabled by changing 'selinux=1' to 'selinux=0':
kernel /boot/vmlinuz-2.6.28-11-generic root=UUID=5d8bcca0-b763-41b8-ab2c-d68880f8f4b5 ro quiet splash apparmor.enabled=0 selinux=0
Setting the mode on the kernel command line overrides the setting in the SELinux config file /etc/selinux/config.
SELinux Config
The SELinux config file is /etc/selinux/config:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     default - equivalent to the old strict and targeted policies
#     mls - Multi-Level Security (for military and educational use)
#     src - Custom policy built from source
SELINUXTYPE=ubuntu
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
The mode can be changed by setting SELINUX to either enforcing, permissive, or disabled.
A mode set in the boot loader overrides the setting in this file.
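The precedence described above (kernel command line over /etc/selinux/config) as an added example, not code from the SELinux project or this wiki: a small POSIX shell script that reads SELINUX= from a config file and then applies the selinux= and enforcing= boot parameters on top of it. It assumes that when a parameter repeats on the command line the last occurrence wins, and uses a constructed sample config rather than a real system's file.

```shell
#!/bin/sh
# Added example (not from the SELinux wiki): compute the effective SELinux mode
# from a kernel command line plus an /etc/selinux/config file, applying the
# precedence the page states: boot-loader parameters override the config file.
# Assumption: if a parameter repeats on the command line, the last one wins.

# Print the SELINUX= value from a config file, ignoring comments and whitespace.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# effective_mode CMDLINE CONFIG_PATH -> enforcing | permissive | disabled | unknown
effective_mode() {
    mode=$(config_mode "$2")
    disabled=0
    for param in $1; do
        case $param in
            selinux=0)   disabled=1 ;;        # kernel never enables SELinux
            selinux=1)   disabled=0 ;;
            enforcing=0) mode=permissive ;;   # log denials, do not enforce
            enforcing=1) mode=enforcing ;;
        esac
    done
    [ "$disabled" -eq 1 ] && mode=disabled   # selinux=0 beats everything else
    [ -n "$mode" ] || mode=unknown           # no SELINUX= line found
    printf '%s\n' "$mode"
}

# Write a constructed sample config (not a real system's file); print its path.
sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed for this example
SELINUX=permissive
SELINUXTYPE=ubuntu
EOF
    printf '%s\n' "$f"
}

# Stand-alone demonstration using the page's Ubuntu kernel line as the base.
demo() {
    cfg=$(sample_config)
    base="root=UUID=5d8bcca0-b763-41b8-ab2c-d68880f8f4b5 ro quiet splash apparmor.enabled=0"
    effective_mode "$base selinux=1" "$cfg"               # permissive (from config)
    effective_mode "$base selinux=1 enforcing=1" "$cfg"   # enforcing (boot loader wins)
    effective_mode "$base selinux=0 enforcing=1" "$cfg"   # disabled (selinux=0 wins)
    rm -f "$cfg"
}
```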
Runtime
The mode can be changed between enforcing and permissive at runtime via the setenforce command:
# getenforce
Permissive
# setenforce 1
# getenforce
Enforcing
# setenforce 0
# getenforce
Permissive