Permissive mode in SELinux is useful for developing and debugging policies since, as the system runs, access denials are logged but not enforced. However, this is problematic if only one application or service is being deployed to a system that is already up and running in production. Running in permissive mode is effectively disabling SELinux. This is where permissive domains are useful. Permissive domains are individual domains that are specified to run in permissive mode, allowing the remainder of the system to be in enforcing mode.
There are two ways to make a domain permissive. If you are writing a policy for your myapp_t domain, simply add the following statement to its .te file and rebuild the policy:
As long as this statement is compiled into the policy, the myapp_t domain will run in permissive mode. Simply delete the statement and rebuild the policy to remove the domain from permissive domain mode.
Alternatively, the semanage program can set the myapp_t domain permissive:
# semanage permissive -a myapp_t
And to remove it from permissive domain mode, use the following semanage command:
# semanage permissive -d myapp_t