[root@server3 ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
The error "setenforce: SELinux is disabled" indicates that SELinux isn't just in disabled mode - the entire security subsystem is not loaded into the kernel. When SELinux is truly disabled in the config file, you can't toggle modes dynamically because the kernel security hooks aren't active.
First, confirm the actual state with these commands:
# Check current runtime status
sestatus
# Alternative check
cat /sys/fs/selinux/enforce
If you see "SELinux status: disabled" in sestatus output, you need to reactivate the subsystem before changing modes.
Here's the proper sequence to switch to permissive mode without rebooting:
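# 1. Temporarily enable SELinux (loads kernel modules)
# Skipped when the node is absent: /sys/fs/selinux is populated only while selinuxfs is mounted
[ -w /sys/fs/selinux/enable ] && echo 1 > /sys/fs/selinux/enable
# 2. Set permissive mode
[ -w /sys/fs/selinux/enforce ] && echo 0 > /sys/fs/selinux/enforce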
# 3. Verify change
getenforce
To make these changes permanent and survive reboots:
# Edit the config file
sed -i 's/SELINUX=disabled/SELINUX=permissive/' /etc/selinux/config
# For RHEL/CentOS 7+ systems using grubby
grubby --update-kernel=ALL --args="selinux=1 enforcing=0"
If you encounter issues after enabling SELinux:
# Check for AVC denials
ausearch -m avc -ts recent
# Generate proper file contexts
fixfiles -F onboot
When working with production systems:
• Always test in permissive mode first
• Monitor /var/log/audit/audit.log
• Consider using semanage for custom policies
• Schedule the change during maintenance windows
When you see getenforce returning "Disabled", it means SELinux isn't just in permissive mode - it's completely turned off at kernel level. This explains why setenforce commands fail with the "SELinux is disabled" message.
# Check current SELinux status
getenforce
# Expected output when disabled: "Disabled"
The setenforce utility can only toggle between enforcing and permissive modes when SELinux is active. When the system boots with SELinux disabled in kernel parameters or the policy isn't loaded, setenforce becomes non-functional.
Here's how to simulate permissive behavior even when SELinux is disabled:
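# Method 1: Writing to selinuxfs (if SELinux was compiled in but not enabled)
# Skipped when the node is absent, i.e. when selinuxfs is not mounted
[ -w /sys/fs/selinux/enforce ] && echo 0 > /sys/fs/selinux/enforce
# Method 2: Through kernel message filtering (advanced)
# Sets the console log level so only emergency messages reach the console
dmesg -n 1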
For a production server, consider properly re-enabling SELinux instead of keeping it disabled:
# Edit the SELinux config file
vi /etc/selinux/config
# Change to: SELINUX=permissive
# Create the autorelabel file
touch /.autorelabel
# Schedule a reboot (unavoidable for full functionality)
After attempting the workarounds:
# Check if any SELinux denials are still logged
ausearch -m avc -ts recent
# Verify kernel messages
dmesg | grep -i selinux
- Temporary methods won't load security policies
- Some applications may still behave differently
- For full functionality, reboot is ultimately required
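
The three things checked above (the mode in /etc/selinux/config, the selinux= kernel boot argument, and the runtime state under /sys/fs/selinux) combined into one function, as an added example that is not part of the original page. The function name, its key=value output and the action labels are hypothetical, and it assumes that a missing enforce node means SELinux is disabled at runtime.

```shell
#!/bin/sh
# Added example (not from the original page). Paths are parameters so the
# function can run against constructed fixtures; defaults are the live system.
selinux_state() {
    cfg=${1:-/etc/selinux/config}
    cmdline=${2:-/proc/cmdline}
    fsdir=${3:-/sys/fs/selinux}

    # Configured mode: last uncommented SELINUX= line (SELINUXTYPE= is ignored).
    configured=$(sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$cfg" 2>/dev/null | tail -n 1)
    [ -n "$configured" ] || configured=unknown

    # Boot override: selinux=0 on the kernel command line wins over the config file.
    boot=none
    for arg in $(cat "$cmdline" 2>/dev/null); do
        case $arg in
            selinux=0|selinux=1) boot=$arg ;;
        esac
    done

    # Runtime mode. Assumption: no readable enforce node means "Disabled".
    if [ -r "$fsdir/enforce" ]; then
        if [ "$(cat "$fsdir/enforce")" = 1 ]; then runtime=enforcing; else runtime=permissive; fi
    else
        runtime=disabled
    fi

    # What has to happen before setenforce can toggle modes.
    if [ "$runtime" != disabled ]; then
        action=setenforce-ok
    elif [ "$boot" = "selinux=0" ]; then
        action=remove-boot-arg-and-reboot
    elif [ "$configured" = disabled ] || [ "$configured" = unknown ]; then
        action=edit-config-and-reboot
    else
        action=reboot-pending
    fi

    echo "configured=$configured boot=$boot runtime=$runtime action=$action"
}

# Report for the machine this runs on.
selinux_state
```

An action of reboot-pending means the config file already requests permissive or enforcing but the running kernel has not picked it up yet.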