How to check and interpret SELinux status

Summary

Check whether SELinux is enabled and in enforcing or permissive mode with getenforce and sestatus; read denials in the audit log or ausearch. Use this when access is denied and permissions look correct, or when hardening or debugging a RHEL/CentOS/Fedora system.

Quick answer

  • getenforce shows Enforcing, Permissive, or Disabled. sestatus shows policy type, mode, and context. If Enforcing, SELinux is blocking disallowed access; denials are in the audit log.
  • Search denials: ausearch -m avc -ts recent or grep avc /var/log/audit/audit.log. The avc message shows what was denied (source context, target, permission). Fix by changing context, policy, or boolean.
  • Temporarily set permissive: setenforce 0 (setenforce 1 to re-enforce). Do not disable SELinux long-term; fix the policy or context. On non-SELinux distros (Debian/Ubuntu) check AppArmor instead.

Prerequisites

Steps

  1. Check status and mode

    Run getenforce and sestatus. If the mode is Disabled, SELinux is off. If Permissive, it logs denials but does not block access. If Enforcing, denials block access and are logged.

  2. Find denials

    Run ausearch -m avc -ts recent, or grep avc /var/log/audit/audit.log. In each AVC message, read the scontext (source), the tcontext (target), and the permission that was denied. Common fixes: restorecon -Rv /path, setsebool, or adding a policy module.

  3. Temporarily set permissive

    Run setenforce 0 to go permissive (logs only), reproduce the failure, and check the audit log again. Then fix the context or policy and run setenforce 1. Avoid disabling SELinux in /etc/selinux/config unless you understand the risk.

Summary

Check SELinux with getenforce and sestatus; find denials in the audit log with ausearch or grep. Fix by correcting context, policy, or boolean; use setenforce 0 only temporarily to diagnose. Use this when permissions look right but access is still denied on RHEL/CentOS/Fedora.

Prerequisites

Steps

Step 1: Check status and mode

getenforce
sestatus

Step 2: Find denials

ausearch -m avc -ts recent

Interpret scontext, tcontext, and permission; fix with restorecon, setsebool, or a policy module.

Step 3: Temporarily set permissive

Use setenforce 0 to reproduce the failure and gather denials; fix the cause, then run setenforce 1. Do not disable SELinux in the config unless required.
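
An added example, not part of the original page: a small bash helper that pulls the source type, target type, class and permission out of AVC records and counts repeats, so the most frequent denial stands out. The log lines are constructed samples, and the function names summarize_avc and sample_avc_log are made up for this illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): group AVC denials by
# source type, target type, class and permission, most frequent first.

# Constructed sample audit records; all values are illustrative.
sample_avc_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:410): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=5001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:410): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000042.007:433): avc:  denied  { read } for  pid=2107 comm="httpd" name="about.html" dev="dm-0" ino=5002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000090.310:451): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000300.550:502): avc:  denied  { read open } for  pid=2140 comm="httpd" path="/srv/app/data.txt" dev="dm-0" ino=7001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
EOF
}

# Reads audit records on stdin; prints "count mode source target class perms".
summarize_avc() {
  awk '
    /avc: +denied/ {
      # Permissions sit between the braces: "{ read open }".
      o = index($0, "{"); c = index($0, "}")
      perm = substr($0, o + 1, c - o - 1)
      gsub(/^ +| +$/, "", perm); gsub(/ +/, ",", perm)
      src = tgt = cls = "?"; mode = "unknown"
      # The type is the third colon-separated part of a context.
      # permissive=1 means the access was logged but still allowed.
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); src = s[3] }
        else if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); tgt = t[3] }
        else if ($i ~ /^tclass=/) { cls = substr($i, 8) }
        else if ($i == "permissive=0") { mode = "blocked" }
        else if ($i == "permissive=1") { mode = "logged-only" }
      }
      seen[mode " " src " " tgt " " cls " " perm]++
    }
    END { for (k in seen) print seen[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2
}

sample_avc_log | summarize_avc
```

On a real host, feed it the output of ausearch -m avc -ts recent instead of the sample. A logged-only row comes from a record with permissive=1, which is what denials look like while setenforce 0 is in effect.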

Verification

  • You know whether SELinux is enforcing and what was denied; after the fix, the operation succeeds and no new denial is logged.

Troubleshooting

  • No getenforce: the distro may use AppArmor; check aa-status.
  • Many denials: fix the most recent or frequent; restorecon often fixes file context issues.
  • Service won't start: check the service-specific SELinux policy or type.
