How to configure SELinux in permissive mode on CentOS Stream 9
Switch SELinux from enforcing to permissive mode on CentOS Stream 9 using the setenforce command or by editing the configuration file.
Set SELinux to permissive mode on CentOS Stream 9 to allow applications to run without blocking operations while still logging violations. These steps target CentOS Stream 9 with the default SELinux policy and require root privileges. You will modify the runtime state and the persistent configuration file.
Prerequisites
- CentOS Stream 9 installed with SELinux enabled.
- Root access via su or sudo.
- A terminal or SSH session with a text editor like vi or nano.
Step 1: Check the current SELinux status
Confirm the current mode before making changes. This ensures you understand the starting state and validates that SELinux is active.
getenforce
You will see Enforcing if the system is blocking actions. If the output is Permissive, you are already in the target mode.
Enforcing
Step 2: Switch SELinux to permissive mode temporarily
Apply the change immediately to the running system. This allows you to test services without rebooting. The setting resets after a restart, so you must also edit the configuration file in the next step.
setenforce 0
The command returns no output on success. Run getenforce again to confirm the change.
Permissive
Step 3: Edit the SELinux configuration file
Make the permissive setting persistent across reboots. Open the main configuration file using your preferred text editor.
vi /etc/selinux/config
Locate the line starting with SELINUX=. Change the value from enforcing to permissive. Save and exit the editor.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
Do not comment out the line. Keep the assignment active so the system reads the correct mode on boot.
Step 4: Verify the configuration file change
Set the runtime mode again so the running system matches the value in the configuration file without waiting for a reboot.
setenforce 0
Then check the status again to confirm the system is in permissive mode.
getenforce
Expected output:
Permissive
Step 5: Reboot the system (optional but recommended)
Reboot to confirm that the system starts in permissive mode from the configuration file. This step verifies that the setting survives a restart.
reboot
After the system boots, run the verification command again.
getenforce
Expected output:
Permissive
Verify the installation
Run the following command to confirm the system is in permissive mode and that the setting is persistent.
getenforce
Expected output:
Permissive
Also check the SELinux status details to ensure no errors are present.
sestatus
Look for SELinux status: enabled and Current mode: permissive in the output.
Troubleshooting
If setenforce 0 fails, check for typos in the command. Ensure you are running it as root.
bash: setenforce: command not found
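This error indicates the SELinux userspace tools are not installed. On CentOS Stream 9, setenforce and getenforce are provided by libselinux-utils and sestatus by policycoreutils (the policycoreutils-python package is not available on this release). Install them:
dnf install libselinux-utils policycoreutils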
If the configuration file change is ignored, verify the file syntax. A missing newline at the end of the file can cause issues.
SELINUX=permissive
Add a newline at the end of the file if missing. Also ensure no other lines override the setting in /etc/selinux/config.
If the system reverts to Enforcing after reboot, check for SELINUX=disabled in /etc/selinux/config. Ensure the value is exactly permissive with no extra spaces.
If you need to restore the enforcing mode, run setenforce 1 and set SELINUX=enforcing in the config file.
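The file checks from Step 3 and the troubleshooting notes (an active, uncommented line, no second SELINUX= line, an exact value with no extra spaces) can be scripted. The following is an added example, not part of the original guide; the function name check_selinux_config, its exit codes and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): strict check of the persistent
# SELinux mode. check_selinux_config and its exit codes are hypothetical.
# Usage: check_selinux_config FILE [EXPECTED_MODE]   (default: permissive)
# Prints the configured mode; returns 0 = matches, 1 = broken file, 3 = other mode.
check_selinux_config() {
    # The guide notes a missing final newline can cause issues: warn only.
    [ -z "$(tail -c 1 "$1")" ] || echo "warning: no trailing newline in $1" >&2
    awk -v want="${2:-permissive}" '
        /^[ \t]*#/ { next }                        # commented-out lines never count
        /^[ \t]*SELINUX[ \t]*=/ { n++; raw = $0 }  # SELINUXTYPE= is not matched
        END {
            err = "/dev/stderr"
            if (n == 0) { print "no active SELINUX= line" > err; exit 1 }
            if (n > 1)  { print n " active SELINUX= lines" > err; exit 1 }
            # Exact match: no leading/trailing spaces, no unknown value.
            if (raw !~ /^SELINUX=(enforcing|permissive|disabled)$/) {
                print "malformed line: [" raw "]" > err; exit 1
            }
            mode = substr(raw, 9)
            print mode
            exit (mode == want ? 0 : 3)
        }
    ' "$1"
}

# Constructed sample files (not taken from a real host).
tmp=$(mktemp -d)
printf '# SELINUX= can take one of these three values:\nSELINUX=permissive\nSELINUXTYPE=targeted\n' > "$tmp/good"
printf '#SELINUX=permissive\nSELINUXTYPE=targeted\n' > "$tmp/commented"
printf 'SELINUX=enforcing\nSELINUX=permissive\n' > "$tmp/duplicate"
printf 'SELINUX=permissive \n' > "$tmp/trailing-space"
for f in good commented duplicate trailing-space; do
    printf '%s: ' "$f"
    check_selinux_config "$tmp/$f" || echo "rejected (exit $?)"
done
rm -rf "$tmp"
```

On a real host, run check_selinux_config /etc/selinux/config and compare the result with getenforce, which reports only the running mode.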