SELinux Modes
SELinux runs in one of three modes (or states).
Enforcing
This is the default state that enforces SELinux security policy. Access is denied to users and programs unless permitted by SELinux security policy rules. All denial messages are logged as AVC (Access Vector Cache) Denials.
Permissive
This is a diagnostic state. The security policy rules are not enforced, but SELinux sends denial messages to a log file. This allows you to see what would have been denied if SELinux were running in enforcing mode.
Disabled
SELinux does not enforce a security policy because no policy is loaded in the kernel. Only DAC rules are used for access control.
Setting SELinux Modes
There are multiple ways of setting the SELinux mode. One way is to select the mode from the Status view in the SELinux GUI. You can also edit the main configuration file for SELinux, /etc/selinux/config. Set the mode by changing the SELINUX directive in this file. For example, to set the mode to enforcing:
# vim /etc/selinux/config SELINUX=enforcing
The setenforce command is used to change between enforcing and permissive modes. Changes made with this command do not persist across reboots. To change to enforcing mode:
# setenforce 1
To change to permissive mode:
# setenforce 0
Display SELinux Mode
Use the getenforce command to view the current SELinux mode:
# getenforce Enforcing
How to Disable or set SELinux to Permissive mode
How to Check whether SELinux is Enabled or Disabled
How to enable/disable SELinux Modes in RHEL/CentOS
Understanding SELinux Policies in Linux