← Rules Catalog
highsystemverified

Ensure the SELinux mode is not disabled

selinux-not-disabled · RHEL ≥ 8 · 1 impl

Description

SELinux must be set to enforcing or permissive mode. The SELinux mode must not be set to disabled in /etc/selinux/config.

Rationale

A system in SELinux disabled mode does not have any mandatory access controls active. This significantly reduces security protections and should never be configured on production systems.

Check → Remediate

Checkcommand
grep -E '^SELINUX=disabled' /etc/selinux/config 2>/dev/null | head -1
expected_exit:
0
Remediatemanual
note:
Edit /etc/selinux/config and set SELINUX=enforcing or SELINUX=permissive. A system reboot is required to change SELinux mode from disabled.

Framework references

CIS

rhel9 1.3.1.4rhel10 1.3.1.4rhel8 1.3.1.4

NIST 800-53

AC-3AC-6

Live verification

rhel10:checkrhel8:checkrhel9:check
#selinux#security#access-control