1.7.1.5 Ensure the SELinux mode is enforcing - getenforce

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

SELinux can run in one of three modes: disabled, permissive, or enforcing:

Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system.

Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development.

Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future

Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive:

# semanage permissive -a httpd_t

Rationale:

Running SELinux in disabled mode the system not only avoids enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future.

Running SELinux in Permissive mode, though helpful for developing SELinux policy, only logs access denial entries, but does not deny any operations.

Solution

Run the following command to set SELinux's running mode:

# setenforce 1

Edit the /etc/selinux/config file to set the SELINUX parameter:
For Enforcing mode:

SELINUX=enforcing

See Also

https://workbench.cisecurity.org/files/2851

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3(3), CSCv6|14.4

Plugin: Unix

Control ID: ed32fb5b9781ffd013d2a6edcf03b08319398430ee691403678f703811d98d0b