Change to enforcing mode - Amazon Linux 2023

When SELinux runs in enforcing mode, it enforces the configured policy: SELinux governs the capabilities of select applications by allowing or denying access based on the policy’s rules.

To find the current SELinux mode, run the getenforce command.

$ getenforce
Permissive

Edit config file to enable enforcing mode

To change the mode to enforcing, use the following steps.

  1. Edit the /etc/selinux/config file to change to enforcing mode. The SELINUX setting should look like the following example.

    SELINUX=enforcing
  2. Restart your system to complete the change to enforcing mode.

    $ sudo reboot

On the next boot, SELinux relabels all files and directories in the system. SELinux also adds the SELinux context for files and directories that were created when SELinux was disabled.

After changing to enforcing mode, SELinux might deny some actions because of incorrect or missing SELinux policy rules. You can view the actions that SELinux denies with the following command.

$ sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
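The config edit from step 1, scripted as an added example that is not part of the Amazon Linux documentation: the functions take the config file path as a parameter, so they are exercised here on a constructed copy of /etc/selinux/config rather than the live file (the reboot and the ausearch check are still done by hand afterwards).

```shell
#!/bin/sh
# Added example (not from the Amazon Linux docs): set the SELINUX= line in an
# SELinux config file and read back the configured mode. The file path is a
# parameter so the logic can be tried on a scratch copy before editing
# /etc/selinux/config as root.

# set_selinux_mode CONFIG_FILE MODE
#   Rewrites the active SELINUX= line to MODE (enforcing|permissive|disabled).
#   Commented-out lines such as "#     enforcing - ..." are left untouched.
set_selinux_mode() {
    cfg="$1"
    mode="$2"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $mode" >&2; return 1 ;;
    esac
    if grep -q '^SELINUX=' "$cfg"; then
        # Write through a temp file and copy back so the original inode,
        # permissions and SELinux context of the config file are preserved.
        tmp="$cfg.tmp.$$"
        sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$tmp" &&
            cat "$tmp" > "$cfg" && rm -f "$tmp"
    else
        printf 'SELINUX=%s\n' "$mode" >> "$cfg"
    fi
}

# configured_selinux_mode CONFIG_FILE
#   Prints the value of the active SELINUX= line (the mode used at next boot).
configured_selinux_mode() {
    sed -n 's/^SELINUX=\(.*\)$/\1/p' "$1" | tail -n 1
}

# Constructed sample config mirroring the layout of /etc/selinux/config.
demo_cfg="$(mktemp)"
cat > "$demo_cfg" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
SELINUXTYPE=targeted
EOF

set_selinux_mode "$demo_cfg" enforcing
echo "configured mode for next boot: $(configured_selinux_mode "$demo_cfg")"
rm -f "$demo_cfg"
```

Run against the real file with sudo, then reboot and confirm with getenforce that the running mode matches the configured one.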

Use cloud-init to enable enforcing mode

As an alternative, when you launch your instance, pass the following cloud-config as user-data to enable enforcing mode.

#cloud-config
selinux:
  mode: enforcing

By default, this setting causes the instance to reboot. For greater stability, we recommend rebooting your instance. However, if you prefer, you can skip the reboot by providing the following cloud-config.

#cloud-config
selinux:
  mode: enforcing
  selinux_no_reboot: 1