1.6.1.4 Ensure the SELinux mode is enforcing or permissive - getenforce

Information

SELinux can run in one of three modes: disabled, permissive, or enforcing:

Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system.

Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development.

Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future

Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive:

# semanage permissive -a httpd_t

Rationale:

Running SELinux in disabled mode is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future.

Solution

Run one of the following commands to set SELinux's running mode:
To set SELinux mode to Enforcing:

# setenforce 1

OR
To set SELinux mode to Permissive:

# setenforce 0

Edit the /etc/selinux/config file to set the SELINUX parameter:
For Enforcing mode:

SELINUX=enforcing

OR
For Permissive mode:

SELINUX=permissive

See Also

https://workbench.cisecurity.org/files/3148

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CSCv7|14.6

Plugin: Unix

Control ID: 9d4993f161cd9f5374d8ff858f3a349d268be5d1e5719afab0672e8f3c4550b3