quick-docs/modules/ROOT/partialsdelete/2delete-proc_changing-to-enforcing-mode.adoc

// Module included in the following assemblies:
//
// changing-selinux-states-and-modes.adoc

[#{context}-changing-to-enforcing-mode]
= Changing to enforcing mode

Use the following procedure to switch SELinux to enforcing mode. When SELinux is running in enforcing mode, it enforces the SELinux policy and denies access based on SELinux policy rules. In Fedora, enforcing mode is enabled by default when the system was initially installed with SELinux.

.Prerequisites

* The `selinux-policy-targeted`, `libselinux-utils`, and `policycoreutils` packages are installed on your system. 

* The `selinux=0` or `enforcing=0` kernel parameters are not used.

.Procedure

. Open the `/etc/selinux/config` file in a text editor of your choice, for example:

----
# vi /etc/selinux/config
----

. Configure the `SELINUX=enforcing` option:

[subs="quotes"]
----
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=*enforcing*
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
----

. Save the change, and restart the system:
+
[subs="quotes"]
----
# reboot
----
+
On the next boot, SELinux relabels all the files and directories within the system and adds SELinux context for files and directories that were created when SELinux was disabled.

.Verification

. After the system restarts, confirm that the `getenforce` command returns `Enforcing`:

----
$ getenforce
Enforcing
----

[NOTE]
====
After changing to enforcing mode, SELinux may deny some actions because of incorrect or missing SELinux policy rules. To view what actions SELinux denies, enter the following command as root:
[subs="quotes"]
----
# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts today
----
Alternatively, with the [package]`setroubleshoot-server` package installed, enter:
[subs="quotes"]
----
# grep "SELinux is preventing" /var/log/messages
----

Standard users can use the GUI `setroubleshoot` to file bugs directly to Bugzilla. 

If SELinux is active and the Audit daemon (auditd) is not running on your system, then search for certain SELinux messages in the output of the dmesg command:
----
# dmesg | grep -i -e type=1300 -e type=1400
----

If SELinux denies some actions, see the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux[Troubleshooting problems related to SELinux] chapter in the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/index[RHEL 8 Using SELinux] document for information about troubleshooting.
====
SELinux states and modes added 2018-06-22 16:10:52 +00:00			`// Module included in the following assemblies:`
			`//`
			`// changing-selinux-states-and-modes.adoc`

			`[#{context}-changing-to-enforcing-mode]`
			`= Changing to enforcing mode`

Update modules/ROOT/pages/_partials/proc_changing-to-enforcing-mode.adoc 2022-03-04 01:02:36 +00:00			`Use the following procedure to switch SELinux to enforcing mode. When SELinux is running in enforcing mode, it enforces the SELinux policy and denies access based on SELinux policy rules. In Fedora, enforcing mode is enabled by default when the system was initially installed with SELinux.`
Update modules/ROOT/pages/_partials/proc_changing-to-enforcing-mode.adoc Updated to match https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux#enabling-selinux-on-systems-that-previously-had-it-disabled_changing-selinux-states-and-modes. Left some notes from the pre-fix doc that I was not sure to delete or not. 2022-02-11 02:31:47 +00:00
			`.Prerequisites`

			* The `selinux-policy-targeted`, `libselinux-utils`, and `policycoreutils` packages are installed on your system.

			* The `selinux=0` or `enforcing=0` kernel parameters are not used.
SELinux states and modes added 2018-06-22 16:10:52 +00:00
Fix proc_disabling-selinux 2020-11-09 15:56:49 +00:00			`.Procedure`

Update modules/ROOT/pages/_partials/proc_changing-to-enforcing-mode.adoc Updated to match https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux#enabling-selinux-on-systems-that-previously-had-it-disabled_changing-selinux-states-and-modes. Left some notes from the pre-fix doc that I was not sure to delete or not. 2022-02-11 02:31:47 +00:00			. Open the `/etc/selinux/config` file in a text editor of your choice, for example:

Fix proc_changing-to-enforcing-mode 2020-11-09 15:46:05 +00:00			`----`
Update modules/ROOT/pages/_partials/proc_changing-to-enforcing-mode.adoc Updated to match https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux#enabling-selinux-on-systems-that-previously-had-it-disabled_changing-selinux-states-and-modes. Left some notes from the pre-fix doc that I was not sure to delete or not. 2022-02-11 02:31:47 +00:00			`# vi /etc/selinux/config`
Fix proc_changing-to-enforcing-mode 2020-11-09 15:46:05 +00:00			`----`
SELinux states and modes added 2018-06-22 16:10:52 +00:00
Update modules/ROOT/pages/_partials/proc_changing-to-enforcing-mode.adoc Updated to match https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux#enabling-selinux-on-systems-that-previously-had-it-disabled_changing-selinux-states-and-modes. Left some notes from the pre-fix doc that I was not sure to delete or not. 2022-02-11 02:31:47 +00:00			. Configure the `SELINUX=enforcing` option:

Fix quoting in SELinux code blocks Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> 2020-10-29 20:14:11 +00:00			`[subs="quotes"]`
SELinux states and modes added 2018-06-22 16:10:52 +00:00			`----`
			`# This file controls the state of SELinux on the system.`
			`# SELINUX= can take one of these three values:`
			`# enforcing - SELinux security policy is enforced.`
			`# permissive - SELinux prints warnings instead of enforcing.`
			`# disabled - No SELinux policy is loaded.`
Fix quoting in SELinux code blocks Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> 2020-10-29 20:14:11 +00:00			`SELINUX=enforcing`
SELinux states and modes added 2018-06-22 16:10:52 +00:00			`# SELINUXTYPE= can take one of these two values:`
			`# targeted - Targeted processes are protected,`
			`# mls - Multi Level Security protection.`
			`SELINUXTYPE=targeted`
			`----`

Update modules/ROOT/pages/_partials/proc_changing-to-enforcing-mode.adoc Updated to match https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux#enabling-selinux-on-systems-that-previously-had-it-disabled_changing-selinux-states-and-modes. Left some notes from the pre-fix doc that I was not sure to delete or not. 2022-02-11 02:31:47 +00:00			`. Save the change, and restart the system:`
SELinux states and modes added 2018-06-22 16:10:52 +00:00			`+`
Fix proc_changing-to-enforcing-mode 2020-11-09 15:46:05 +00:00			`[subs="quotes"]`
SELinux states and modes added 2018-06-22 16:10:52 +00:00			`----`
Update modules/ROOT/pages/_partials/proc_changing-to-enforcing-mode.adoc Updated to match https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux#enabling-selinux-on-systems-that-previously-had-it-disabled_changing-selinux-states-and-modes. Left some notes from the pre-fix doc that I was not sure to delete or not. 2022-02-11 02:31:47 +00:00			`# reboot`
SELinux states and modes added 2018-06-22 16:10:52 +00:00			`----`
			`+`
Update modules/ROOT/pages/_partials/proc_changing-to-enforcing-mode.adoc Updated to match https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux#enabling-selinux-on-systems-that-previously-had-it-disabled_changing-selinux-states-and-modes. Left some notes from the pre-fix doc that I was not sure to delete or not. 2022-02-11 02:31:47 +00:00			`On the next boot, SELinux relabels all the files and directories within the system and adds SELinux context for files and directories that were created when SELinux was disabled.`

			`.Verification`

			. After the system restarts, confirm that the `getenforce` command returns `Enforcing`:

			`----`
			`$ getenforce`
			`Enforcing`
			`----`
SELinux states and modes added 2018-06-22 16:10:52 +00:00
			`[NOTE]`
			`====`
Update modules/ROOT/pages/_partials/proc_changing-to-enforcing-mode.adoc Updated to match https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux#enabling-selinux-on-systems-that-previously-had-it-disabled_changing-selinux-states-and-modes. Left some notes from the pre-fix doc that I was not sure to delete or not. 2022-02-11 02:31:47 +00:00			`After changing to enforcing mode, SELinux may deny some actions because of incorrect or missing SELinux policy rules. To view what actions SELinux denies, enter the following command as root:`
Fix proc_changing-to-enforcing-mode 2020-11-09 15:46:05 +00:00			`[subs="quotes"]`
SELinux states and modes added 2018-06-22 16:10:52 +00:00			`----`
Update modules/ROOT/pages/_partials/proc_changing-to-enforcing-mode.adoc Updated to match https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux#enabling-selinux-on-systems-that-previously-had-it-disabled_changing-selinux-states-and-modes. Left some notes from the pre-fix doc that I was not sure to delete or not. 2022-02-11 02:31:47 +00:00			`# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts today`
SELinux states and modes added 2018-06-22 16:10:52 +00:00			`----`
Update modules/ROOT/pages/_partials/proc_changing-to-enforcing-mode.adoc Updated to match https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux#enabling-selinux-on-systems-that-previously-had-it-disabled_changing-selinux-states-and-modes. Left some notes from the pre-fix doc that I was not sure to delete or not. 2022-02-11 02:31:47 +00:00			Alternatively, with the [package]`setroubleshoot-server` package installed, enter:
Fix proc_changing-to-enforcing-mode 2020-11-09 15:46:05 +00:00			`[subs="quotes"]`
SELinux states and modes added 2018-06-22 16:10:52 +00:00			`----`
Update modules/ROOT/pages/_partials/proc_changing-to-enforcing-mode.adoc Updated to match https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux#enabling-selinux-on-systems-that-previously-had-it-disabled_changing-selinux-states-and-modes. Left some notes from the pre-fix doc that I was not sure to delete or not. 2022-02-11 02:31:47 +00:00			`# grep "SELinux is preventing" /var/log/messages`
			`----`
Update modules/ROOT/pages/_partials/proc_changing-to-enforcing-mode.adoc 2022-03-04 01:08:22 +00:00
			Standard users can use the GUI `setroubleshoot` to file bugs directly to Bugzilla.

Update modules/ROOT/pages/_partials/proc_changing-to-enforcing-mode.adoc Updated to match https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux#enabling-selinux-on-systems-that-previously-had-it-disabled_changing-selinux-states-and-modes. Left some notes from the pre-fix doc that I was not sure to delete or not. 2022-02-11 02:31:47 +00:00			`If SELinux is active and the Audit daemon (auditd) is not running on your system, then search for certain SELinux messages in the output of the dmesg command:`
SELinux states and modes added 2018-06-22 16:10:52 +00:00			`----`
Update modules/ROOT/pages/_partials/proc_changing-to-enforcing-mode.adoc Updated to match https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux#enabling-selinux-on-systems-that-previously-had-it-disabled_changing-selinux-states-and-modes. Left some notes from the pre-fix doc that I was not sure to delete or not. 2022-02-11 02:31:47 +00:00			`# dmesg \| grep -i -e type=1300 -e type=1400`
			`----`

Fix proc_changing-to-enforcing-mode 2020-11-09 15:46:05 +00:00			`If SELinux denies some actions, see the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux[Troubleshooting problems related to SELinux] chapter in the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/index[RHEL 8 Using SELinux] document for information about troubleshooting.`
SELinux states and modes added 2018-06-22 16:10:52 +00:00			`====`