Which SELinux mode allows tracking of policy violations but does not enforce permissions?

The mode that allows tracking of policy violations without enforcing permissions is permissive mode. In this mode, SELinux does not enforce the security policies; instead, it only logs the actions that would have been denied if SELinux were in enforcing mode. This feature is particularly useful for debugging and testing policies because it lets administrators see what would happen if SELinux were to fully enforce the policies without actually blocking any access. This mode can help system administrators identify potential issues, tune policies, and confirm that everything works as intended before switching to enforcing mode, where SELinux would actively prevent unauthorized actions.

Enabling SELinux or setting it to enforcement mode means that the policies are enforced strictly, thus limiting actions based on the defined rules. Disabling SELinux completely turns off its security mechanisms, preventing all policy enforcement and tracking functionalities. Therefore, permissive mode is the optimal choice for monitoring policy violations without impacting system operation.