SELinux/States

SELinux can be easily disabled or put in a more permissive mode. For many administrators, disabling SELinux is used as a fast way of working around permission failures on a system. However, disabling SELinux is similar to removing a firewall between systems because it was preventing a network connection. Sure, the access is now allowed, but administrators ought to look at the reason why the failure occurred and resolve that, rather than removing the security measure itself.

Introduction
SELinux can be disabled or enabled. When enabled, it can be in a permissive mode or enforcing mode. When running in enforcing mode, it is possible to mark specific domains as permissive.

Enabled or not
When the Linux kernel has SELinux support enabled (which is of course a prerequisite for having an SELinux-enabled system) the SELinux subsystem starts in a permissive mode (unless the  kernel boot parameter is used). The Linux init system then locates the SELinux policy and SELinux configuration file. If the configuration has  then SELinux will not do anything further and has the system boot without SELinux support.

Assuming  or , then the SELinux policy is loaded. If no policy can be found, but  is set, then the system will freeze; otherwise the system will continue to boot without SELinux (as no policy could be found). In most cases though, the init system will successfully load the SELinux policy and the system will boot further with SELinux enabled.

Permissive or enforcing
When SELinux is configured to start in permissive mode (or through the  kernel parameter) then SELinux is enabled and will log every action that it would deny. However, as the name implies, SELinux will not actually enforce any policy decisions.

That doesn't mean that the system will behave as if there is no SELinux though. Some applications are SELinux-aware, meaning that their code checks SELinux information (policies, but also SELinux state) and alters its own behavior based on this information. If such an SELinux-aware application does not properly check the mode (permissive or not) then it might deny any action that the policy says shouldn't occur - even if SELinux is running in permissive mode.

In enforcing mode of course, the SELinux security subsystem will enforce policy decisions.
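
The mode configured for boot and the mode the kernel is actually running in can differ, so an audit should compare the two. The following is an added example, not part of the original page: it assumes the standard locations /etc/selinux/config and /sys/fs/selinux/enforce, and the function names and the root-prefix argument are hypothetical.

```shell
#!/bin/sh
# Added example: compare the SELinux mode configured for boot with the mode
# the kernel is running in. The two paths are the standard locations (an
# assumption; the page text does not spell them out). The root prefix lets
# the check run against a constructed fixture or a mounted disk image.

# Mode requested in the configuration file:
# enforcing | permissive | disabled | unknown
selinux_configured() {
    cfg="$1/etc/selinux/config"
    [ -r "$cfg" ] || { echo unknown; return; }
    # First uncommented SELINUX= line; SELINUXTYPE= does not match.
    val=$(sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$cfg" |
          head -n 1 | tr '[:upper:]' '[:lower:]')
    case "$val" in
        enforcing|permissive|disabled) echo "$val" ;;
        *) echo unknown ;;
    esac
}

# Mode the kernel reports through selinuxfs:
# enforcing | permissive | disabled | unknown
selinux_runtime() {
    enf="$1/sys/fs/selinux/enforce"
    # No selinuxfs entry: SELinux is not active on this system.
    [ -r "$enf" ] || { echo disabled; return; }
    case "$(cat "$enf")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Print both modes; return 1 when the running mode is weaker than configured
# (a runtime switch, a kernel boot parameter, or a policy that failed to load).
selinux_audit() {
    root="${1:-}"
    want=$(selinux_configured "$root")
    have=$(selinux_runtime "$root")
    echo "configured=$want runtime=$have"
    case "$want:$have" in
        enforcing:permissive|enforcing:disabled|permissive:disabled) return 1 ;;
    esac
    return 0
}
```

Calling `selinux_audit` with no argument checks the running system; a non-zero exit status is suitable for a monitoring probe.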

Permissive domains
The SELinux policy supports marking domains as permissive. In this case, the mentioned domain runs in a permissive mode (SELinux will not enforce policy decisions for any action taken by that domain) while the rest of the system is in enforcing mode.

Disabling SELinux
To disable SELinux, it is sufficient to edit and set.

Then reboot the system.

To disable SELinux during a single boot, it is also possible to use the  kernel boot parameter.

Switching permissive and enforcing mode
To mark SELinux in permissive or enforcing mode, edit and set   to permissive or enforcing depending on the requirement.

Then reboot the system.

It is also possible to switch between permissive and enforcing mode directly. For this, the  command can be used.

For instance, to have SELinux run in permissive mode:

Querying current SELinux state
The current state of SELinux can be obtained through the  command:

Listing permissive domains
With, the current list of permissive domains can be queried:

Marking a domain as permissive
To mark a domain as a permissive domain, use :

Removing the permissive state of a domain
To remove a permissive state from a domain, use :