Change SELinux Policy Mode

Cockpit administrators can use the SELinux page in the web console to change the way SELinux runs at boot by changing its policy mode. By default, the SELinux policy mode is set to enforcing.

What Do You Need?

Steps

Using the Cockpit web console, follow these steps to change the SELinux Policy mode on the local host.

  1. In the Cockpit navigation pane, click SELinux.

    The SELinux page appears.

  2. In the SELinux page, click the SELinux Policy mode toggle button to switch the mode between Enforcing (default) and Permissive.

    Important:

    Cockpit enables you to switch the SELinux policy mode between enforcing and permissive. Enforcing mode is the default and the recommended mode. Permissive mode doesn't deny operations based on SELinux security policy. Permissive mode can be helpful for SELinux policy development or debugging purposes.

    WARNING:

    When systems run SELinux in permissive mode, users and processes might label various file-system objects incorrectly. File-system objects created while SELinux is disabled aren't labeled at all. This behavior causes problems when changing to enforcing mode because SELinux relies on correct labels of file-system objects.

    To prevent incorrectly labeled and unlabeled files from causing problems, SELinux automatically relabels file systems when changing from the disabled state to permissive or enforcing mode. Use the sudo fixfiles -F onboot command to create the /.autorelabel file containing the -F option to ensure that files are relabeled upon the next reboot.

    Before rebooting the system for relabeling, ensure the system boots in permissive mode, for example by using the enforcing=0 kernel option. This setting prevents the system from failing to boot in case the system contains unlabeled files required by systemd before starting the selinux-autorelabel service.
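
The two pre-reboot conditions from the warning above, as an added shell example that is not part of the original page: it checks that /.autorelabel carries the -F option and that the boot will be permissive. The function names and the use of /etc/selinux/config as a second source for the mode are assumptions of this example; file paths and the kernel argument string are parameters so the checks can also be run against constructed sample files.

```shell
#!/bin/sh
# Added example: pre-reboot checks before a forced SELinux relabel.
# All inputs are parameters (assumption of this example), so nothing here
# touches the live system unless the real paths are passed in.

# True if the autorelabel flag file exists and contains the -F option.
autorelabel_forced() {
    [ -f "$1" ] && grep -Eq -- '(^|[[:space:]])-F([[:space:]]|$)' "$1"
}

# Print the SELINUX= mode from an SELinux config file, ignoring comment lines
# and the separate SELINUXTYPE= setting.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# True if the kernel argument string contains the exact token enforcing=0.
cmdline_permissive() {
    case " $1 " in
        *" enforcing=0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "ready" or the reason the system is not ready; return 0 only if ready.
# Usage: relabel_ready FLAG_FILE CONFIG_FILE "KERNEL_ARGS"
relabel_ready() {
    if ! autorelabel_forced "$1"; then
        echo "no forced relabel scheduled: run sudo fixfiles -F onboot"
        return 1
    fi
    if cmdline_permissive "$3" || [ "$(config_mode "$2")" = "permissive" ]; then
        echo "ready"
        return 0
    fi
    echo "next boot would be enforcing: boot with enforcing=0"
    return 1
}
```

On a real host, call relabel_ready /.autorelabel /etc/selinux/config "ARGS", where ARGS is the kernel argument string of the boot entry that will be used for the relabeling reboot.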