24.2.2 About SELinux Modes

SELinux runs in one of three modes.


Disabled
The kernel uses only DAC rules for access control. SELinux does not enforce any security policy because no policy is loaded into the kernel.

Enforcing
The kernel denies access to users and programs unless permitted by SELinux security policy rules. All denial messages are logged as AVC (Access Vector Cache) denials. This is the default mode that enforces SELinux security policy.

Permissive
The kernel does not enforce security policy rules but SELinux sends denial messages to a log file. This allows you to see what actions would have been denied if SELinux were running in enforcing mode. This mode is intended to be used for diagnosing the behavior of SELinux.
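
A check that follows from the three modes, as an added example that is not part of the original documentation: it compares the running mode with the mode configured for the next boot and flags anything other than enforcing in both places. It assumes the standard locations /sys/fs/selinux/enforce and /etc/selinux/config; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare the running SELinux mode with the boot-time setting.
# Paths default to the standard locations; they are parameters so the
# functions can also be run against constructed files.

# Running mode: selinuxfs exposes "1" (enforcing) or "0" (permissive).
# If the file is absent, selinuxfs is not mounted and no policy is loaded.
runtime_mode() {
    enforce_file="${1:-/sys/fs/selinux/enforce}"
    if [ ! -r "$enforce_file" ]; then
        echo disabled
        return
    fi
    case "$(cat "$enforce_file")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Configured mode: last uncommented SELINUX= line (SELINUXTYPE= is not matched).
configured_mode() {
    config_file="${1:-/etc/selinux/config}"
    [ -r "$config_file" ] || { echo unknown; return; }
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' \
        "$config_file" | tail -n 1)
    case "$mode" in
        enforcing|permissive|disabled) echo "$mode" ;;
        *) echo unknown ;;
    esac
}

# Print both values; succeed only when both are enforcing. A permissive
# runtime with an enforcing config means the mode was switched after boot.
mode_report() {
    run=$(runtime_mode "$1")
    cfg=$(configured_mode "$2")
    echo "runtime=$run configured=$cfg"
    [ "$run" = "enforcing" ] && [ "$cfg" = "enforcing" ]
}

mode_report || echo "WARNING: SELinux is not enforcing both now and at boot" >&2
```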