Security-Enhanced Linux (SELinux) is a security architecture for Linux systems that allows administrators to have more control over who can access the system.
It was originally developed by the United States National Security Agency (NSA) as a series of patches to the Linux kernel using Linux Security Modules (LSM). SELinux provides an additional layer of system security.
We have two ways to check whether SELinux is enabled or disabled in Linux.
SELinux modes in Linux
The SELINUX setting in /etc/selinux/config can take one of these three values:
- enforcing – SELinux security policy is enforced.
- permissive – SELinux prints warnings instead of enforcing.
- disabled – No SELinux policy is loaded.
Check SELinux status with the getenforce command in Linux
The getenforce command is a Linux command that is used to check the current enforcement mode of SELinux (Security-Enhanced Linux) on a system.
Open a terminal window and type getenforce at the prompt. The command returns the current SELinux mode of the system: Enforcing, Permissive, or Disabled.
Check SELinux status with the sestatus command in Linux
sestatus is a Linux command used to view the status of SELinux (Security-Enhanced Linux).
If you enter “sestatus” in the command line, it will return the following information:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
“SELinux status” indicates whether SELinux is enabled, “Current mode” indicates the current execution mode of SELinux, and “Loaded policy name” indicates the current SELinux policy in use.
Other information includes the root directory of SELinux, SELinuxfs mount point, memory protection checking, and more.
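Temporary solution to disable SELinux in Linux
We can change the mode SELinux is running in with the setenforce command.
To put SELinux in permissive mode, run either of the following commands. This is the temporary way to disable SELinux enforcement: the policy stays loaded, and SELinux prints warnings instead of enforcing.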
sudo setenforce Permissive
sudo setenforce 0
To put SELinux back in enforcing mode, run either of the following commands:
sudo setenforce Enforcing
sudo setenforce 1
Permanently disable SELinux in Linux
- Edit the /etc/selinux/config file, run: sudo vi /etc/selinux/config
- Set SELINUX to disabled: SELINUX=disabled
- Save and close the file in vi/vim.
- Reboot the Linux system: sudo reboot
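Because setenforce changes only the running mode and /etc/selinux/config changes only the configured mode, the two can disagree. The following is an added example, not part of the original article, that compares the sestatus fields described above with the SELINUX= line in the config file; the function names, verdict strings and sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag drift between the running SELinux mode and the mode
# set in the config file. Function names and verdict text are assumptions.

# Print one "Label: value" field from sestatus output read on stdin.
sestatus_field() {
    awk -F: -v key="$1" '$1 == key { sub(/^[ \t]+/, "", $2); print tolower($2); exit }'
}

# Print the first SELINUX= value in a file laid out like /etc/selinux/config.
# Comment lines and SELINUXTYPE= do not match the pattern.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        head -n 1 | tr 'A-Z' 'a-z'
}

# Print a verdict for sestatus text ($1) and a config file path ($2).
selinux_verdict() {
    st=$(printf '%s\n' "$1" | sestatus_field "SELinux status")
    current=$(printf '%s\n' "$1" | sestatus_field "Current mode")
    configured=$(config_mode "$2")
    if [ "$st" != "enabled" ]; then
        echo "FAIL disabled (config: ${configured:-unset})"
    elif [ "$current" = "enforcing" ] && [ "$configured" = "enforcing" ]; then
        echo "OK enforcing now and in config"
    elif [ "$current" = "enforcing" ]; then
        echo "WARN enforcing now, but config says ${configured:-unset}"
    elif [ "$configured" = "enforcing" ]; then
        echo "WARN $current now (setenforce?), config says enforcing"
    else
        echo "FAIL $current now, config says ${configured:-unset}"
    fi
}

# Constructed sample: a host configured as enforcing after "setenforce 0".
SAMPLE='SELinux status:                 enabled
Current mode:                   permissive
Mode from config file:          enforcing'
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
printf '# constructed sample\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$SAMPLE_CFG"
selinux_verdict "$SAMPLE" "$SAMPLE_CFG"
# On a real host: selinux_verdict "$(sestatus)" /etc/selinux/config
```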