How to set SELinux to permissive mode

SELinux or Linux with enhanced security, that is, the security mechanism of Linux-based systems is by default based on Mandatory Access Control (MAC). To implement this access control model, SELinux uses a security policy that explicitly specifies all the rules regarding access control. Based on these rules, SELinux decides whether to grant or deny access to any object to the user.

In today’s article, we would like to share with you the methods for installing SELinux in “Permissive” mode after reviewing the important details.

What is SELinux Permissive Mode?

“Permissive” mode is also one of the three modes in which SELinux operates, ie “Enforcing”, “Permissive”, and “Disabled”. These are three specific categories of SELinux modes, whereas in general we can say that in any particular case SELinux will be either “enabled” or “disabled”. Both Enforcing and Permissive modes fall under the Enabled category. In other words, this means that whenever SELinux is enabled, it will run in either forced or permissive mode.

This is why most users get confused between “Enforcing” and “Permissive” modes, because, after all, they both fall under the “Enabled” category. We would like to make a clear distinction between the two by first defining their goals and then comparing them to an example. “Enforcing” mode works by enforcing all of the rules set out in the SELinux security policy. It blocks access to all users who are denied access to a specific object in the security policy. Moreover, this action is also logged in the SELinux log file.

On the other hand, the “Permissive” mode does not block unwanted access, but simply writes all such actions to the log file. Therefore, this mode is mainly used for bug tracking, auditing, and adding new security policy rules. Now consider the example of user “A” who wants to access a directory named “ABC”. The SELinux security policy mentions that user “A” will always be denied access to directory “ABC”.

Now, if your SELinux is enabled and running in Enforcing mode, then whenever user A tries to access directory ABC, access will be denied and this event will be written to the log file. On the other hand, if your SELinux is running in “Permissive” mode, then user “A” will be allowed access to the “ABC” directory, but still this event will be written to the log file so that the administrator can know where the security breach occurred.

Methods to Install SELinux in Permissive Mode on CentOS 8

Now that we have fully understood the purpose of SELinux “Permissive” mode, we can easily talk about the methods for setting SELinux “Permissive” mode on CentOS 8. However, before moving on to these methods, it is always a good idea to check the default SELinux state by running the following command in in your terminal:

$ sestatus

Method to temporarily install SELinux in Permissive mode in CentOS 8

Temporarily setting SELinux to “Permissive” mode means that this mode will only be enabled for the current session, and as soon as you restart your system, SELinux will return to its default mode of operation, which is “Enforcing” mode. To temporarily install SELinux into “Permissive” mode, you need to run the following command on your CentOS 8 terminal:

$ sudo setenforce 0

By setting the “setenforce” flag to “0”, we are essentially changing its value to “Permissive” from “Enforcing”. Running this command will not display any output.

Now, to check if SELinux is set to “Permissive” mode on CentOS 8 or not, we run the following command in terminal:

$ getenforce

Executing this command will return the current SELinux mode and it will be “Permissive” as shown in the image below. However, as soon as you reboot your system, SELinux will return to forced execution mode.

Method to permanently install SELinux in Permissive mode on CentOS 8

In method # 1, we already indicated that following the above method will only temporarily set SELinux to Permissive mode. However, if you want these changes to be present even after a system restart, you will need to access the SELinux configuration file as follows:

$ sudo nano /etc/selinux/config

Now you need to set the “SELinux” variable to “permissive” as shown in the following image, after which you can save and close your file.

Now you need to check the SELinux status again to see if its mode has been changed to “Permissive” or not. You can do this by running the following command in your terminal:

$ sestatus

You can see from the highlighted part of the image below that right now only the mode from the config file has been changed to “Permissive”, while the current mode is still “Enforcing”.

Now, for our changes to take effect, we will restart our CentOS 8 system by running the following command in a terminal:

$ sudo shutdown –r now

After restarting the system, when you check the SELinux state again with the “sestatus” command, you will notice that the current mode has also been set to “Permissive”.

Conclusion:

In this article, we learned the difference between “Enforcing” and “Permissive” SELinux modes. We then shared with you two ways to set SELinux to “Permissive” mode on CentOS 8. The first method is to temporarily change the mode, and the second is to permanently change the mode to “Permissive”. You can use either of the two methods as per your requirement.

Sidebar