highsystemverified ✓
Ensure the SELinux mode is not disabled
selinux-not-disabled · RHEL ≥ 8 · 1 impl
Description
SELinux must be set to enforcing or permissive mode. The SELinux mode must not be set to disabled in /etc/selinux/config.
Rationale
A system in SELinux disabled mode does not have any mandatory access controls active. This significantly reduces security protections and should never be configured on production systems.
Check → Remediate
Checkcommand
grep -E '^SELINUX=disabled' /etc/selinux/config 2>/dev/null | head -1
- expected_exit:
- 0
Remediatemanual
- note:
- Edit /etc/selinux/config and set SELINUX=enforcing or SELINUX=permissive. A system reboot is required to change SELinux mode from disabled.
Framework references
CIS
rhel9 1.3.1.4rhel10 1.3.1.4rhel8 1.3.1.4
NIST 800-53
AC-3AC-6
Live verification
rhel10:checkrhel8:checkrhel9:check
#selinux#security#access-control