How to configure SELinux in enforcing mode on CentOS Stream 9
This guide walks you through enabling SELinux in enforcing mode on a fresh CentOS Stream 9 installation using the command line.
Enable SELinux in enforcing mode on CentOS Stream 9 to apply mandatory access controls immediately after installation. This procedure targets CentOS Stream 9, which ships with SELinux enabled in permissive mode by default. Follow these steps to switch the system to enforcing mode without disrupting existing services.
Prerequisites
- CentOS Stream 9 (x86_64 or aarch64) installed and updated.
- Root access via sudo or direct login as root.
- At least 50 MB of free disk space for temporary files if rebuilding contexts.
- Network connectivity to download packages if using a custom repo.
Step 1: Check current SELinux mode
Before changing the mode, confirm the current status. Run the following command to see whether SELinux is active and what mode it is in.
getenforce
If the system is still in its default state, the output is Permissive. Switching to Enforcing restricts every process to the actions the loaded policy allows.
Step 2: Rebuild file contexts
Some systems ship with incomplete file context labels. Rebuilding them prevents permission errors after enabling enforcement. Run the following command to restore all file contexts according to the policy selected in /etc/selinux/config.
restorecon -Rv /
Expected output shows files being relabeled. If you see Relabeled /var/www/html: system_u:object_r:httpd_sys_content_t:s0, the process is working correctly.
Step 3: Set SELinux to enforcing mode
Apply the change immediately by switching the runtime mode. Run this command as root to switch SELinux to enforcing mode.
setenforce 1
This command changes the runtime mode. The system logs the change in /var/log/audit/audit.log. Verify the change with getenforce to ensure it shows Enforcing.
Step 4: Make the change persistent
Reboots will revert the setting unless you configure it in the config file. Open the SELinux configuration file and set the default mode to enforcing.
vim /etc/selinux/config
Locate the line starting with SELINUX= and change it to:
SELINUX=enforcing
Save and close the file. This ensures the setting survives a reboot.
Step 5: Restart affected services
Some services may need a restart to adopt new security contexts. Restart Apache or Nginx if you have web servers running.
systemctl restart httpd
Or for Nginx:
systemctl restart nginx
Check service status with systemctl status httpd to confirm it is active and running.
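Steps 1 to 5 above, driven from one script. This is an added example, not part of the original guide: it assumes /etc/selinux/config is the configuration file (as the guide states), reads the file path from an optional SELINUX_CONFIG variable so the helpers can be exercised against a scratch copy, and only runs the privileged procedure when RUN_ENABLE_ENFORCING=1 is set.

```shell
#!/bin/sh
# Added example (not from the original guide): Steps 1-5 as one procedure.
# Assumptions: the config file lives at /etc/selinux/config (overridable via
# SELINUX_CONFIG for testing on a scratch copy); httpd and nginx are the only
# services that need a restart, as in the guide.

set -e

CONFIG="${SELINUX_CONFIG:-/etc/selinux/config}"

# Return the SELINUX= value from a config file, ignoring comments and blanks.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite SELINUX= in a config file to the requested mode; append the line if
# the file has none. This is what makes the mode survive a reboot (Step 4).
set_config_mode() {
    file="$1"; mode="$2"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "set_config_mode: invalid mode '$mode'" >&2; return 1 ;;
    esac
    if grep -q '^[[:space:]]*SELINUX=' "$file"; then
        sed -i "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file"
    else
        printf 'SELINUX=%s\n' "$mode" >> "$file"
    fi
}

# Runtime mode as reported by getenforce, lowercased for comparison (Step 1).
runtime_mode() {
    getenforce | tr '[:upper:]' '[:lower:]'
}

# The full procedure. Returns non-zero if either the runtime or the persisted
# mode is not "enforcing" at the end.
enable_enforcing() {
    echo "Step 1: current runtime mode: $(runtime_mode)"
    echo "Step 2: relabeling the file system (this can take a while)"
    restorecon -Rv / >/dev/null
    echo "Step 3: switching runtime mode to enforcing"
    setenforce 1
    echo "Step 4: persisting the mode in $CONFIG"
    set_config_mode "$CONFIG" enforcing
    echo "Step 5: restarting web services that are currently active"
    for svc in httpd nginx; do
        if systemctl is-active --quiet "$svc"; then
            systemctl restart "$svc"
        fi
    done
    [ "$(runtime_mode)" = enforcing ] && [ "$(config_mode "$CONFIG")" = enforcing ]
}

# Run the privileged procedure only when explicitly requested, so sourcing this
# file to test the helpers changes nothing on the host.
if [ "${RUN_ENABLE_ENFORCING:-0}" = 1 ]; then
    enable_enforcing
fi
```

Run it as root with RUN_ENABLE_ENFORCING=1 sh ./enable-enforcing.sh; without that variable the file only defines the helpers, which is how the configuration-editing logic can be checked on a copy of the config before touching the real one.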
Verify the installation
Run the following command to confirm SELinux is in enforcing mode and loaded correctly.
getenforce
Expected output:
Enforcing
Also check the policy version:
sestatus
The output should show SELinux status: enabled and Mode: enforcing.
Troubleshooting
Error: "Permission denied" after enabling enforcing
Run restorecon -Rv / again to ensure all contexts are correct. Missing contexts cause permission errors.
Error: "SELinux is preventing" in audit log
Check /var/log/audit/audit.log for denied actions. Use ausearch -m avc -ts recent to find recent denials. Generate a policy module with audit2allow and install it if needed, after confirming that each denied action is one the service legitimately requires; a module built from an unreviewed denial permits exactly what the policy was blocking.
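A small triage helper for the AVC records mentioned above, added here as an example that is not part of the original guide. It condenses each type=AVC denial record in an audit log into one line (process, source context, target context, object class, permission) so the denials can be reviewed before any module is generated with audit2allow, and it counts records marked permissive=1, which are the actions that were logged but not blocked in permissive mode and therefore will start failing once enforcing mode is on. The log excerpt is constructed for this example, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original guide): summarize AVC denial records.
# The audit records written by write_sample_log are constructed for this
# example; the field layout follows the standard type=AVC record format.

# Write a constructed audit.log excerpt to the given path.
write_sample_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1700000000.101:200): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=4321 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:200): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000000.202:201): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
EOF
}

# One line per denial: comm scontext tcontext tclass permission(s).
# Only type=AVC records containing "avc:  denied" are considered; the paired
# SYSCALL records and anything else are skipped.
summarize_avc() {
    awk '
    /type=AVC/ && /avc:  denied/ {
        comm = ""; scon = ""; tcon = ""; tclass = ""; perm = ""
        # The permission set sits between "denied  { " and " }".
        if (match($0, /denied  [{] [^}]* [}]/)) {
            perm = substr($0, RSTART + 10, RLENGTH - 12)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm") comm = kv[2]
            else if (kv[1] == "scontext") scon = kv[2]
            else if (kv[1] == "tcontext") tcon = kv[2]
            else if (kv[1] == "tclass") tclass = kv[2]
        }
        gsub(/"/, "", comm)
        print comm, scon, tcon, tclass, perm
    }' "$1"
}

# Total number of AVC denial records in the log.
count_denials() {
    grep -c 'type=AVC.*avc:  denied' "$1" || true
}

# Denials recorded while permissive (permissive=1): allowed at the time, but
# these are exactly the operations that will fail after setenforce 1.
count_permissive_only() {
    grep -c 'type=AVC.*avc:  denied.*permissive=1' "$1" || true
}

# Stand-alone demonstration on the constructed log.
if [ "${AVC_DEMO:-0}" = 1 ]; then
    log=$(mktemp)
    write_sample_log "$log"
    echo "denials: $(count_denials "$log"), of which logged-only (permissive=1): $(count_permissive_only "$log")"
    summarize_avc "$log"
    rm -f "$log"
fi
```

To use it on a live system, point summarize_avc at /var/log/audit/audit.log (or at the output of ausearch -m avc -ts recent saved to a file); a non-zero count from count_permissive_only before Step 3 is the list of operations to resolve, by relabeling or a reviewed policy module, before the switch to enforcing.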
Error: "Cannot set SELinux to enforcing"
Ensure the kernel parameter selinux=0 is not set in the bootloader. Edit /etc/default/grub and remove selinux=0 if present. Run grub2-mkconfig -o /boot/grub2/grub.cfg to update the bootloader.
Error: "SELinux policy not found"
Verify the selinux-policy package is installed. Run dnf reinstall selinux-policy to restore missing policy files.