HTML rendering created 2025-09-06 byMichael Kerrisk, author ofThe Linux Programming Interface. For details of in-depthLinux/UNIX system programming training courses that I teach, lookhere. Hosting byjambit GmbH. |  |
security_getenforce(3) SELinux API documentationsecurity_getenforce(3)security_getenforce, security_setenforce, security_deny_unknown, security_reject_unknown, security_get_checkreqprot - get or set the enforcing state of SELinux
#include <selinux/selinux.h>int security_getenforce(void);int security_setenforce(intvalue);int security_deny_unknown(void);int security_reject_unknown(void);int security_get_checkreqprot(void);
security_getenforce() returns 0 if SELinux is running in permissive mode, 1 if it is running in enforcing mode, and -1 on error.security_setenforce() sets SELinux to enforcing mode if the value 1 is passed in, and sets it to permissive mode if 0 is passed in. On success 0 is returned, on error -1 is returned.security_deny_unknown() returns 0 if SELinux treats policy queries on undefined object classes or permissions as being allowed, 1 if such queries are denied, and -1 on error.security_reject_unknown() returns 1 if the current policy was built with handle-unknown=reject and SELinux would reject loading it, if it did not define all kernel object classes and permissions. In this state, whenselinux_set_mapping()andselinux_check_access()are used with an undefined userspace class or permission, an error is returned and errno is set to EINVAL. It returns 0 if the current policy was built with handle- unknown=allow or handle-unknown=deny. In this state, policy queries are treated according tosecurity_deny_unknown().-1 is returned on error.security_get_checkreqprot() can be used to determine whether SELinux is configured to check the protection requested by the application or the actual protection that will be applied by the kernel (including the effects of READ_IMPLIES_EXEC) on mmap and mprotect calls. It returns 0 if SELinux checks the actual protection, 1 if it checks the requested protection, and -1 on error.
selinux(8)
This page is part of theselinux (Security-Enhanced Linux user- space libraries and tools) project. Information about the project can be found at ⟨https://github.com/SELinuxProject/selinux/wiki⟩. If you have a bug report for this manual page, see ⟨https://github.com/SELinuxProject/selinux/wiki/Contributing⟩. This page was obtained from the project's upstream Git repository ⟨https://github.com/SELinuxProject/selinux⟩ on 2025-08-11. (At that time, the date of the most recent commit that was found in the repository was 2025-08-04.) If you discover any rendering problems in this HTML version of the page, or you believe there is a better or more up-to-date source for the page, or you have corrections or improvements to the information in this COLOPHON (which isnot part of the original manual page), send a mail to man-pages@man7.orgrussell@coker.com.au 1 January 2004security_getenforce(3)Pages that refer to this page:security_disable(3), security_load_policy(3), selinux_status_open(3)
HTML rendering created 2025-09-06 byMichael Kerrisk, author ofThe Linux Programming Interface. For details of in-depthLinux/UNIX system programming training courses that I teach, lookhere. Hosting byjambit GmbH. | |