Default SELinux status and modes for AL2023
For AL2023, SELinux by default is enabled and set to permissive mode. In permissive mode, permission denials are logged but not enforced.
The getenforce or sestatus commands tell you the current SELinux status, policy, and mode.
With the default status set to enabled and permissive, the getenforce command returns permissive.
The sestatus command returns the SELinux status and the current SELinux policy as shown in the following example:
$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
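As an added example (not part of the original documentation), the following shell function reads sestatus output on stdin and classifies the host's posture, including the case where the running mode and the mode from the config file disagree, which means the mode will change at the next reboot. The names selinux_posture and sample_al2023_default and the verdict strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify SELinux posture from sestatus output read on stdin.
# selinux_posture and its verdict strings are hypothetical names for this example.
# Output: "<VERDICT> status=<status> current=<mode> config=<mode>"

selinux_posture() {
    awk -F': *' '
        # Strip trailing whitespace so padded or CRLF output compares cleanly.
        function val(s) { sub(/[ \t\r]+$/, "", s); return s }
        /^SELinux status:/        { status  = val($2) }
        /^Current mode:/          { current = val($2) }
        /^Mode from config file:/ { config  = val($2) }
        END {
            if (status == "")                 verdict = "UNKNOWN"
            else if (status != "enabled")     verdict = "DISABLED"    # files are not labeled
            else if (current != config)       verdict = "DRIFT"       # running mode differs from config file
            else if (current == "enforcing")  verdict = "ENFORCING"
            else if (current == "permissive") verdict = "PERMISSIVE"  # denials logged, not enforced
            else                              verdict = "UNKNOWN"
            printf "%s status=%s current=%s config=%s\n", verdict, status, current, config
        }'
}

# The sestatus output shown on this page (AL2023 default), embedded for offline runs.
sample_al2023_default() {
    cat <<'EOF'
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
EOF
}

sample_al2023_default | selinux_posture
# -> PERMISSIVE status=enabled current=permissive config=permissive
# On a live host: sestatus | selinux_posture
```
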
When you run SELinux in permissive mode, users might label files incorrectly. When you run SELinux in the disabled status, files aren't labeled. Both incorrectly labeled and unlabeled files can cause problems when you change to enforcing mode.
SELinux automatically relabels files to avoid this problem. SELinux prevents labeling problems with automatic relabeling when you change the status to enabled.