These options change some fundamental aspects of SELinux startup.
Set the initial checkreqprot flag value.
checkreqprot=[0|1]
0 means that the protection checked is the one that will be applied by the kernel, including any implied execute protection. 1 means that the protection checked is the one requested by the application. The default value is set by a kernel configuration option.
The value can be changed at runtime via the /selinux/checkreqprot file.
Set the initial enforcing status.
enforcing=[0|1]
Specify whether SELinux enforces its rules upon boot. 0 means that SELinux will only log policy violations and will not deny access to anything. 1 means that enforcement is fully enabled, with denials as well as logging. The default value is 0.
The value can be changed at runtime via the /selinux/enforce file.
Enable or disable SELinux at boot time.
selinux=[0|1]
This option allows SELinux to be enabled (1) or disabled (0) at boot time. The default value is set by a kernel configuration option.
If SELinux is enabled at boot time, the /selinux/disable file can be used later to disable it prior to the initial policy load.
Set the network control model.
selinux_compat_net=[0|1]
Set the initial value for the SELinux network control model. 0 uses the new secmark-based packet controls, and 1 uses the legacy packet controls. 0 is the default and preferred value.
This value can be changed at runtime via the /selinux/compat_net file.
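
The following is an added example, not part of the original page: a shell check that reads a kernel command line and reports which of the four options above leave SELinux in a weaker state. The function names selinux_boot_value and selinux_boot_audit are hypothetical, "kconfig" is a placeholder for defaults that come from the kernel configuration, and the script assumes that when an option is repeated the last occurrence takes effect.

```shell
#!/bin/sh
# Added example (not from the original page): audit SELinux boot parameters.
# Assumption: when a parameter is repeated, the last occurrence takes effect.
# "kconfig" is a placeholder for defaults set by the kernel configuration.

# usage: selinux_boot_value PARAM DEFAULT CMDLINE -> prints the effective value
selinux_boot_value() {
    _val=$2
    set -f                          # no globbing while splitting the command line
    for _w in $3; do
        case $_w in "$1"=*) _val=${_w#*=} ;; esac
    done
    set +f
    printf '%s\n' "$_val"
}

# usage: selinux_boot_audit CMDLINE -> prints findings, returns their count
selinux_boot_audit() {
    _n=0
    _finding() { printf 'FINDING %s\n' "$1"; _n=$((_n + 1)); }
    case $(selinux_boot_value selinux kconfig "$1") in
        0) _finding "selinux=0: SELinux is disabled at boot" ;;
    esac
    # The page gives 0 as the default, so an absent option counts as permissive.
    case $(selinux_boot_value enforcing 0 "$1") in
        0) _finding "enforcing=0 (explicit or default): violations are logged, not denied" ;;
    esac
    case $(selinux_boot_value checkreqprot kconfig "$1") in
        1) _finding "checkreqprot=1: only the protection requested by the application is checked" ;;
    esac
    case $(selinux_boot_value selinux_compat_net 0 "$1") in
        1) _finding "selinux_compat_net=1: legacy packet controls instead of secmark" ;;
    esac
    return "$_n"
}

# Constructed sample command line (not taken from a real system).
sample='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro selinux=1 enforcing=0 enforcing=1 selinux_compat_net=1'
selinux_boot_audit "$sample" || echo "findings: $?"
# On a live system: selinux_boot_audit "$(cat /proc/cmdline)"
```

The boot-time values are only the starting state; the /selinux files named above can change them at runtime, so a complete check also reads those files.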