Quick, safe steps to change SELinux from enforcing to permissive at runtime and persistently. 05.02.2026 | reading time: 2 min SELinux controls access at a system level; sometimes an admin needs to flip enforcing to permissive to diagnose denials or to toggle enforcement for service deployment, and this guide shows the exact commands to check, change and persist the mode. Quick demo Hands-on: check current mode, switch to permissive at runtime and make the change persistent as shown below: ```bash $ getenforce Enforcing $ sudo setenforce 0 $ getenforce Permissive $ sudo sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config $ grep ^SELINUX /etc/selinux/config SELINUX=permissive ``` Verify and revert Confirm status with `getenforce` or `sestatus`; to return immediately to enforcing run `sudo setenforce 1`; remember `setenforce` changes only the runtime state and requires root, and it will not work if SELinux is disabled at boot. When permissive helps Use permissive to reproduce access denials while allowing operations to continue, collect audit messages, then translate denials into corrective actions with tools that generate targeted policy changes rather than disabling protection completely. Practical fixes after switching Common follow-ups include relabeling files with `restorecon -Rv` or adding file contexts with `semanage fcontext -a -t TYPE 'path'` and making boolean changes persistent with `setsebool -P name on` so the system behaves as intended under enforcing mode. Final thought Changing the SELinux enforcing mode is a controlled, reversible step for troubleshooting or deployment; practice these commands on a lab host and deepen skill with formal courses like CompTIA Linux+ or LPIC-1 prep at bitsandbytes.academy. Join Bits & Bytes Academy First class LINUX exam preparation. security utilities troubleshooting
