Default SELinux status and modes for AL2023 - Amazon Linux 2023

For AL2023, SELinux by default is enabled and set to permissive mode. In permissive mode, permission denials are logged but not enforced.

The getenforce and sestatus commands report the current SELinux status, policy, and mode.

With the default status set to enabled and permissive, the getenforce command returns Permissive.

The sestatus command returns the SELinux status and the current SELinux policy as shown in the following example:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

When you run SELinux in permissive mode, users might label files incorrectly. When you run SELinux in the disabled status, files aren't labeled. Both incorrectly labeled and unlabeled files can cause problems when you change to enforcing mode.

SELinux automatically relabels files to avoid this problem. The automatic relabeling happens when you change the status to enabled.
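
The following shell function is an added example, not part of the AL2023 documentation. It reads sestatus output on stdin and classifies the host from the status, current mode, and config file mode fields shown above. The names selinux_posture and sample_default and the result strings are assumptions made for this example; the sample text is the output shown on this page.

```shell
#!/bin/sh
# Added example: classify a host from `sestatus` output read on stdin.
# Function names and result strings are hypothetical, chosen for this example.

selinux_posture() {
    # Fields are "Name:   value"; split on the colon plus any padding.
    awk -F': *' '
        { sub(/[ \t\r]+$/, "") }            # drop trailing whitespace
        /^SELinux status:/        { status = $2 }
        /^Current mode:/          { current = $2 }
        /^Mode from config file:/ { config = $2 }
        END {
            if (status == "") { print "unknown: no SELinux status line"; exit }
            # A disabled system reports only the status line.
            if (status == "disabled") { print "disabled: files are not labeled"; exit }
            # Running mode differs from the config file (for example after setenforce).
            if (current != config) {
                printf "drift: running %s, config file says %s\n", current, config
                exit
            }
            if (current == "permissive") {
                print "permissive: denials logged, not enforced"; exit
            }
            printf "%s: matches config file\n", current
        }'
}

# Sample input: the sestatus output shown on this page (AL2023 defaults).
sample_default() {
    cat <<'EOF'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
EOF
}

# On a real host, run: sestatus | selinux_posture
sample_default | selinux_posture
```

A "drift" result means the running mode will change at the next boot, and a "disabled" result means the relabeling described above has to complete before enforcing mode can work as expected.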