Cisco Catalyst 8500 and 8500L Series Edge Platforms Software Configuration Guide

PDF

Security-Enhanced Linux

Updated: February 6, 2026

Want to summarize with AI?

Log in

Overview

Explains the mandatory access control architecture that protects system integrity on Cisco IOS XE platforms. Learn how this mechanism prevents tampering and limits damage from potentially malicious or flawed applications.

Security-Enhanced Linux (SELinux) is a solution that incorporates a strong, flexible Mandatory Access Control (MAC) architecture into Cisco IOS-XE platforms through a combination of a Linux kernel security module and system utilities.

SELinux provides an enhanced mechanism to enforce the separation of information based on confidentiality and integrity requirements. This approach helps prevent tampering and bypassing of application security mechanisms while limiting damage from malicious or flawed applications.

Security-Enhanced Linux Modes

SELinux can operate either in Permissive mode or Enforcing mode when enabled on a system.

  • Permissive mode : SELinux does not enforce the policy and only generates system logs for any denials caused by policy violations. Operations are logged for resource access policy violations but not denied.

  • Enforcing mode : SELinux policy is enabled and enforced. It denies resource access based on the access policy rules, and generates system logs.

    SELinux is enabled in Enforcing mode by default on supported Cisco IOS XE platforms. In the Enforcing mode , any system resource access that does not have the necessary allow policy is treated as a violation, and the operation is denied. The violating operation fails when a denial occurs, and system logs are generated. In Enforcing mode , the solution works in access-violation prevention mode.

Prerequisites

There are no specific prerequisites for this feature.

Restrictions

There are no specific restrictions for this feature.

Configure Security-Enhanced Linux in EXEC Mode

Configuring SELinux in EXEC mode denies resource access based on the access policy rules, and generates system logs. Use this example to configure SELinux in EXEC mode:

Procedure

Command or Action Purpose

set platform software selinux {default | enforcing | permissive}

Configuring SELinux in EXEC mode denies resource access based on the access policy rules, and generates system logs.

Example

Device# set platform software selinux ?

default 	   Set SELinux mode to default
enforcing 	 Set SELinux mode to enforcing
permissive 	Set SELinux mode to permissive

Configure Security-Enhanced Linux in CONFIG Mode

Configuring SELinux in CONFIG mode means setting the policy to either enforcing or permissive state. Use this example to configure SELinux in CONFIG mode:

Use this example to configure SELinux in configuration mode:

Procedure

Command or Action Purpose

platform security selinux {enforcing | permissive}

Configuring SELinux in CONFIG mode means setting the policy to either enforcing or permissive state.

Example

Device(config)# platform security selinux

enforcing 	 Set SELinux policy to Enforcing mode
permissive 	Set SELinux policy to Permissive mode

Device(config)# platform security selinux permissive

Device(config)#
*Oct 20 21:52:45.155: %IOSXE-1-PLATFORM: R0/0:
SELINUX_MODE_PROG: Platform Selinux confinement mode downgraded to permissive!

Device(config)#

SYSLOG message reference

This section covers details about syslog messages for SELinux events.

Facility-Severity-Mnemonic

%SELINUX-1-VIOLATION

Severity-Meaning

Alert Level Log

Message

N/A

Message Explanation

Resource access was made by the process for which a resource access policy does not exist. The operation was flagged, and resource access was denied. A system log was generated with information that process resource access has been denied.

Component

SELINUX

Recommended Action

Contact Cisco TAC with the following relevant information as attachments:

  • The exact message as it appears on the console or in the system

  • Output of the show tech-support command (text file)

  • Archive of Btrace files from the box using the following command:

    request platform software trace archive target <URL>

  • Output of the show platform software selinux command

This example shows sample syslog messages:

Example 1:

*Nov 14 00:09:04.943: %SELINUX-1-VIOLATION: R0/0: audispd: type=AVC 
msg=audit(1699927057.934:129): avc: denied { getattr } for pid=5899 comm="ls" 
path="/root/test" dev="rootfs" ino=25839 
scontext=system_u:system_r:polaris_iosd_t:s0 
tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0

Example 2:

*Nov 14 00:09:04.947: %SELINUX-1-VIOLATION: R0/0: audispd: t type=AVC 
msg=audit(1699927198.486:130): avc: denied { write } for pid=6012 comm="echo" 
path="/root/test" dev="rootfs" ino=25839 
scontext=system_u:system_r:polaris_iosd_t:s0 
tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive= 0

Verify Security-Enhanced Linux enablement

Use the show platform software selinux command to view the SELinux configuration mode:

Device# show platform software selinux
=========================================
IOS-XE SELINUX STATUS
=========================================
SElinux Status :   	Enabled
Current Mode :     	Enforcing
Config file Mode : 	Enforcing

Troubleshoot Security-Enhanced Linux

If there is an instance of an SELinux violation on your device or network, please reach out to Cisco TAC with these details:

  • The message exactly as it appears on the console or in the system log. For example:

    device#request platform software trace archive target
    flash:selinux_btrace_logs

  • Output of the show tech-support command (text file)

  • Archive of Btrace files from the box using this command:

    request platform software trace archive target <URL>

  • Output of the show platform software selinux command