Basics of SELinux in Linux

Basics of SElinux

What is SELinux?

SELinux is a set of security policies/modules which are going to apply on the machine to improve the overall security of the machine. These are the Linux security modules(LSM) which are loaded in to kernel to improve security on accessing services/files which improve security. SELinux is short form of Security Enhanced Linux. SElinux is a security feature which was shipped with RHEL5, it is much secure than any other security such as PAM and Initd. Apparmor is some times consider as eloquent to SELinux. Below is the security model in Linux.

Setting of SELinux

SELinux is set in three modes.

  • Enforcing – SELinux security policy is enforced. IF this is set SELinux is enabled and will try to enforce the SELinux policies strictly
  • Permissive – SELinux prints warnings instead of enforcing. This setting will just give warning when any SELinux policy setting is breached
  • Disabled – No SELinux policy is loaded. This will totally disable SELinux policies.


And SELinux is set in two levels

  • Targeted – Targeted processes are protected,
  • Mls – Multi Level Security protection.

Get SELinux Status

Example1:Is SELinux enabled or not on your box? use below command to get the status.


The output will be either “Enabled” or “Disabled”
Example2: To see SELinux status in simplified way you can use sestatus


Sample output:
SElinux status : enabled
SELinux mount : /selinux
Current mode : enforcing
Mode from config file : enforcing
Policy version : 21
Policy from config file : targeted

From the above output we can see that SElinux is enabled and it is in enforced mode.
and to see detailed status you can use -b option, this will give on which services SElinux is enabled and which services are disabled.

Example3:To get elobrated info on difference status of SELinux on different services use -b option along sestatus

#sestatus -b

Sample output:

[[email protected] ~]# sestatus -b
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted

Policy booleans:
abrt_anon_write off
allow_console_login on
allow_corosync_rw_tmpfs off
allow_cvs_read_shadow off
allow_daemons_dump_core on
allow_daemons_use_tty on
allow_domain_fd_use on
allow_execheap off
allow_execmem on
allow_execmod on
allow_execstack on
allow_ftpd_anon_write off

==Cliped the output here==

Disabling SELinux

Example4:How to disable SElinux

We can do it in two ways
1)Permanent way : edit /etc/selinux/config

change the status of SELINUX from enforcing to disabled




Save the file and exit.

2)Temporary way : Execute below command

echo 0 > /selinux/enforce


setenforce 0

Enabling SELinux

Example5:How about enabling SELinux

1)Permanent way : edit /etc/selinux/config

change the status of SELINUX from disabled to enforcing




Save the file and exit.

2)Temporary way : Execute below command

echo 1 > /selinux/enforce


setenforce 1

Comment your thoughts on SELinux.
The following two tabs change content below.
Mr Surendra Anne is from Vijayawada, Andhra Pradesh, India. He is a Linux/Open source supporter who believes in Hard work, A down to earth person, Likes to share knowledge with others, Loves dogs, Likes photography. He works as Devops Engineer with Taggle systems, an IOT automatic water metering company, Sydney . You can contact him at surendra (@) linuxnix dot com.
  • gouthamk10

    good post.


  • Premnath


  • djangofan

    What you don’t mention is that there is a nice GUI tool called “SELinux Management” that can be found in the standard software repository. For beginners, its much more educational since it shows all the possibilities right up front.

  • Pingback: Many howto’s related to Linux file and folder permissions | The Linux Juggernaut()

  • Pingback: Basics of SELinux in Linux a Linux user should know | Thelinuxgeek()

  • john

    after changing selinux = disabled , how to effect changes to system , if system is restart ? or any command is ther.

    • Surendra Anne

      you have to do above echo command as shown in post to update selinux status so that there is no reboot is required.