Rate this page

Determine whether SELinux is enabled

Tested on

Debian (Lenny, Squeeze)


SELinux (Security Enhanced Linux) is a mandatory access control framework that can be used to harden Linux-based systems against internal and external attack. It can, for example, be used to specify which parts of the filesystem are accessible to a daemon such as an HTTP server, so that if an attacker gains control of the daemon then the potential for further harm is limited.

For this to work, SELinux must be configured with a security policy that is well-matched to the legitimate needs of the programs running on the system in question. An over-restrictive policy will cause programs to fail, often without any obvious indication that SELinux is the culprit. For this reason, when attempting to troubleshoot an unfamiliar system it is advisable to check whether SELinux is enabled at an early stage in order to avoid wasted effort.


One way to determine whether SELinux is enabled is by means the getenforce command:


There are three possible results:


indicates that SELinux is installed but inactive. It should have no positive or negative effect on the operation of the system while in this mode.


indicates that SELinux is active, but will only monitor violations of the security policy and not intervene to prevent them. You may observe some additional log messages while in this mode, and the bootstrap process will be lengthened if it is necessary to relabel the filesystem, but otherwise it should have little or no impact on the behaviour of the system. This mode would normally be used to facilitate the initial configuration of SELinux, however there is no reason why it could not be left this way if the objective is auditing rather than hardening.


indicates that SELinux is active and configured to prevent violations of the security policy. This is the mode used to harden a system once the initial configuration has been completed. As such, it will cause programs to fail if the security policy is too restrictive.


Using the sestatus command

It is possible to obtain the same information and more using the sestatus command:


Using this method, the status of SELinux (whether it is enabled or disabled) is reported separately from its mode (permissive or enforcing):

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

Tags: selinux