quick-docs/modules/ROOT/pages/_partials/proc_changing-to-enforcing-mode.adoc

// Module included in the following assemblies:
//
// changing-selinux-states-and-modes.adoc

[#{context}-changing-to-enforcing-mode]
= Changing to enforcing mode

When SELinux is running in enforcing mode, it enforces the SELinux policy and denies access based on SELinux policy rules. In Fedora, enforcing mode is enabled by default when the system was initially installed with SELinux.

First check the current SELinux mode by running the [command]`getenforce` command. If it displays `Disabled`, then follow <<{context}-enabling-selinux>>. Otherwise, if it displays `Permissive`, follow the procedure below to change mode to enforcing again:

. Edit the `/etc/selinux/config` file as follows:
+
[subs="quotes"]
----
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=*enforcing*
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
----

. Reboot the system:
+
----
~]# reboot
----
+
On the next boot, SELinux relabels all the files and directories within the system and adds SELinux context for files and directories that were created when SELinux was disabled.

[NOTE]
====
After changing to enforcing mode, SELinux may deny some actions because of incorrect or missing SELinux policy rules. To view what actions SELinux denies, enter the following command as root:
----
~]# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today
----
Alternatively, with the [package]*setroubleshoot-server* package installed, enter the following command as root:
----
~]# grep "SELinux is preventing" /var/log/messages
----
If SELinux denies some actions, see the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-troubleshooting[Troubleshooting] chapter in the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/index[Red Hat Enterprise Linux 7 SELinux User's and Administrator's Guide] for information about troubleshooting.
====
SELinux states and modes added 2018-06-22 16:10:52 +00:00			`// Module included in the following assemblies:`
			`//`
			`// changing-selinux-states-and-modes.adoc`

			`[#{context}-changing-to-enforcing-mode]`
			`= Changing to enforcing mode`

			`When SELinux is running in enforcing mode, it enforces the SELinux policy and denies access based on SELinux policy rules. In Fedora, enforcing mode is enabled by default when the system was initially installed with SELinux.`

Clarify enabling/disabling procedures for SELinux * Simplify list of required packages (and add `grubby`). * Move Disabled -> Enforcing steps from `changing-to-enforcing-mode` to `enabling-selinux`. * In `changing-to-enforcing-mode`, use the correct procedure based on whether SELinux is currently Permissive or Disabled. * Add step for ensuring that filesystem is relabeled when re-enabling SELinux. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> 2020-10-30 13:47:18 +00:00			First check the current SELinux mode by running the [command]`getenforce` command. If it displays `Disabled`, then follow <<{context}-enabling-selinux>>. Otherwise, if it displays `Permissive`, follow the procedure below to change mode to enforcing again:
SELinux states and modes added 2018-06-22 16:10:52 +00:00
			. Edit the `/etc/selinux/config` file as follows:
			`+`
Fix quoting in SELinux code blocks Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> 2020-10-29 20:14:11 +00:00			`[subs="quotes"]`
SELinux states and modes added 2018-06-22 16:10:52 +00:00			`----`
			`# This file controls the state of SELinux on the system.`
			`# SELINUX= can take one of these three values:`
			`# enforcing - SELinux security policy is enforced.`
			`# permissive - SELinux prints warnings instead of enforcing.`
			`# disabled - No SELinux policy is loaded.`
Fix quoting in SELinux code blocks Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> 2020-10-29 20:14:11 +00:00			`SELINUX=enforcing`
SELinux states and modes added 2018-06-22 16:10:52 +00:00			`# SELINUXTYPE= can take one of these two values:`
			`# targeted - Targeted processes are protected,`
			`# mls - Multi Level Security protection.`
			`SELINUXTYPE=targeted`
			`----`

			`. Reboot the system:`
			`+`
			`----`
			`~]# reboot`
			`----`
			`+`
			`On the next boot, SELinux relabels all the files and directories within the system and adds SELinux context for files and directories that were created when SELinux was disabled.`

			`[NOTE]`
			`====`
			`After changing to enforcing mode, SELinux may deny some actions because of incorrect or missing SELinux policy rules. To view what actions SELinux denies, enter the following command as root:`
			`----`
			`~]# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today`
			`----`
			`Alternatively, with the [package]setroubleshoot-server package installed, enter the following command as root:`
			`----`
			`~]# grep "SELinux is preventing" /var/log/messages`
			`----`
			`If SELinux denies some actions, see the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-troubleshooting[Troubleshooting] chapter in the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/index[Red Hat Enterprise Linux 7 SELinux User's and Administrator's Guide] for information about troubleshooting.`
			`====`