How To Enable SELinux In CentOS/RHEL 7?


Security is a primary concern for any system administrator. SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) security mechanism that provides an additional layer of security to the Linux kernel.

By default, SELinux is enabled in CentOS/RHEL 7, but it runs in permissive mode, which means it does not block the system activities but only logs them. In this article, we will learn how to enable SELinux in CentOS/RHEL 7.

Importance of enabling SELinux in CentOS/RHEL 7

Enabling SELinux provides better protection for your server from attacks and unauthorized access. It adds an extra layer of defense against different types of malicious activity such as denial-of-service (DoS) attacks or privilege escalation attempts. Disabling SElinux may make some applications run smoother because they don't have to work with additional restrictions imposed by SELinux policies and rules.

What is SELinux?

SELinux is a security module for the Linux kernel that provides mandatory access control via policy enforcement. It was developed by NSA in partnership with Red Hat as an additional layer of protection on top of traditional Unix-style discretionary access control. By enforcing policies that restrict the actions that can be performed by processes and users, SELinux helps mitigate the risks associated with malicious software or unauthorized activities.

How does it work?

SELinux works by enforcing policies that govern what actions can be performed by processes and users on the system based on predefined labels assigned to resources such as files, directories, sockets, devices, etc. These labels are used to define contexts within which processes operate, allowing for fine-grained control over what resources they can access and what actions they can perform. The SELinux policy defines rules for how these contexts interact with each other based on their labels. In order to enforce these policies, SELinux uses a combination of kernel-level controls such as system calls restrictions and file permission checks in conjunction with user-space tools such as setroubleshootd or auditd.

Benefits of using SELinux:

  • Better security − By implementing mandatory access controls at both kernel-level and user-level, selinux provides a higher level of security compared to traditional discretionary access controls.

  • Ability to restrict processes − Processes can be restricted to access only specific resources on the system, which reduces the risk of unauthorized access or manipulation by malicious software.

  • Improved auditing and accountability − Selinux generates detailed log entries that can be used to identify and track suspicious activities on the system, providing better visibility and accountability compared to traditional discretionary access controls.

Checking the Current Status of SELinux

Checking the current status of SELinux is a crucial step before enabling it on your system. This step ensures that the system does not have any pre-existing issues with SELinux, which can cause problems during the enablement process. One way to check the current status of SELinux is by using the getenforce command.

Using the getenforce command

The getenforce command is a built-in tool in CentOS/RHEL 7 that displays the current mode of operation for SELinux. To use it, open a terminal window and enter "getenforce" followed by pressing enter.

The command will then display one of three possible outputs −

  • Enforcing − This means that SELinux is running in enforcing mode, which prevents any unauthorized access to files and processes on your system.

  • Permissive −This means that SELinux is running in permissive mode, which allows unauthorized access but logs any violations.

  • Disabled − This means that SELinux is not currently enabled on your system.

Enabling SELinux in CentOS/RHEL 7

Editing the /etc/selinux/config file

To enable SELinux in CentOS/RHEL 7, you need to edit the /etc/selinux/config file. To do this, you can use any text editor of your choice.

In this example, we will use the vi editor. Open the terminal and type the following command −

sudo vi /etc/selinux/config 

This will open the config file in the vi editor.

You will see something like this −

# This file controls the state of SELinux on the system. 
# SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. 
# permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. 

As you can see, there are three possible values that SELINUX can take: enforcing, permissive or disabled.

The current value is set to enforcing, which means that SELinux is already enabled. However, if it is not enabled on your system, you need to change this value.

Changing the value of SELINUX to enforcing

To enable SELinux and make sure that it stays enabled even after a reboot, you need to change the value of SELINUX to enforcing. In order to do so, move your cursor over `enforcing` and press `i` (insert) key on your keyboard.

This will put vi into insert mode allowing you to edit text within a file. Now delete whatever value (enforcing/permissive/disabled) was there before and then type `enforcing`.

Now save your changes and exit from the vi editor by pressing `ESC` followed by `:wq` and then hit Enter.

Verifying that SELinux is Enabled and Running

Once you have successfully enabled SELinux on your CentOS/RHEL 7 system, you will need to verify that it is running properly. One way to check the status of SELinux is by using the 'getenforce' command.

This command displays the current status of SELinux on your system – whether it is enforcing or permissive. To use the 'getenforce' command, simply open up a new terminal window and type in 'getenforce'.

The output will be one of three possible values: enforcing, permissive, or disabled. If you see 'enforcing', then SELinux is actively enforcing policies on your system.

If you see 'permissive', then SELinux is still running but not actively enforcing policies – it will only log violations instead of blocking them. If you see 'disabled', then SELinux is not running at all.

Using getenforce Command Again to Check Status Change

It's important to note that changing the value of SELINUX in /etc/selinux/config file requires a reboot for changes to take effect. After rebooting your server and logging back in, run the getenforce command again to ensure that changes were applied correctly. If you're still seeing "permissive" as your output after making configuration changes and rebooting according to step 4 above, this might indicate a problem with one or more services on your CentOS/RHEL 7 server not being configured correctly with SElinux policies.

Verifying That All Services Are Running Properly

After verifying that SELinux is set to "enforcing," make sure all services are running properly by checking logs or using command line tools such as systemctl. Pay attention to any alerts or error messages related to SElinux policies which might indicate additional steps needed for each particular service. It's important that all services on your CentOS/RHEL 7 system are configured with SElinux policies.

If any service is not properly configured, it may not operate correctly and may even cause security vulnerabilities on your system. Therefore, it's necessary to check that each service is running smoothly and that its configuration file has been updated with SELinux policies.


Selinux comes installed with CentOS/RHEL 7 by default, but it may not be enabled out-of-the-box. It adds an extra layer of protection against various types of attacks that are prevalent today.

Enabling selinux ensures strong isolation between applications and services that are running on a server. There are several conveniences offered by selinux such as role-based access control (RBAC), mandatory access control (MAC), process separation, etc.

Updated on: 08-Jun-2023


Kickstart Your Career

Get certified by completing the course

Get Started