1.6.1.5 Ensure the SELinux mode is enforcing - getenforce

Information

SELinux can run in one of three modes: disabled, permissive, or enforcing:

Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system.

Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development.

Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future

Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive:

# semanage permissive -a httpd_t

Rationale:

Running SELinux in disabled mode the system not only avoids enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future.

Running SELinux in Permissive mode, though helpful for developing SELinux policy, only logs access denial entries, but does not deny any operations.

Impact:

SELinux in enforcing mode may interfere with the operation of some software

Solution

Run the following command to set SELinux's running mode:

# setenforce 1

Edit the /etc/selinux/config file to set the SELINUX parameter:
For Enforcing mode:

SELINUX=enforcing

Default Value:

SELINUX=enforcing

See Also

https://workbench.cisecurity.org/files/3148

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CSCv7|14.6

Plugin: Unix

Control ID: d4df360b607629cf94d7e83601a70c487f98f6aa2f838035597c00b4c70d0b9d