
3 SELinux sestatus Command Output Explained with Examples


sestatus stands for SELinux status.

This command is used to view the current status of SELinux on your system.

This tutorial explains the following:

  1. sestatus Command Output Explained with Details
  2. Display Selected Objects Security Context in sestatus
  3. Display Boolean Values in sestatus

1. sestatus Command Output Explained

The sestatus command displays whether SELinux is enabled or disabled. It also displays additional information about some of the SELinux settings, which are explained here.

The following is the sestatus command output on a CentOS 7 system. On older versions of CentOS / RedHat, this output will be slightly different.

Note: In the above output, “current mode” is the most important line that you should pay attention to, which is explained below.

SELinux status: This indicates whether the SELinux module itself is enabled or disabled on your system. Keep in mind that even though this may say enabled, SELinux might still not be technically enabled (enforced), which is really indicated by the “current mode” line explained below.

SELinuxfs mount: This is the SELinux temporary filesystem mount point. This is internally used by SELinux. This is what you’ll see if you try to do an ls on this SELinux filesystem. For our practical purpose, we can’t manipulate anything in this directory, as this is internally managed by SELinux.

SELinux root directory: This is where all the SELinux configuration files are located. By default, you’ll see the following files and directories. This directory contains all the configuration files necessary for SELinux operation. You can modify these files.

Loaded policy name: This indicates what type of SELinux policy is currently loaded. In pretty much all common situations, you’ll see “targeted” as the SELinux policy, as that is the default policy. The following are the possible SELinux policies:

  • targeted – This means that only targeted processes are protected by SELinux
  • minimum – This is a slight modification of the targeted policy. Only a few selected processes are protected in this case.
  • mls – This is for Multi Level Security protection. MLS is pretty complex and pretty much not used in most situations.

Current mode: This indicates whether SELinux is currently enforcing the policies or not. In other words, technically this will tell you whether SELinux is currently enabled and running on your system or not.

The following are the possible SELinux modes:

  • enforcing – This indicates that the SELinux security policy is enforced (i.e. SELinux is enabled)
  • permissive – This indicates that SELinux prints warnings instead of enforcing. This is helpful during debugging, when you want to know what SELinux would potentially block (without really blocking it) by looking at the SELinux logs.
  • disabled – No SELinux policy is loaded.

For our practical purpose, enforcing is equal to enabled; permissive and disabled are both equal to disabled.

Policy MLS status indicates the current status of MLS policy. By default this will be enabled.

Policy deny_unknown status indicates the current status of the deny_unknown flag in our policy. By default this will be set to allowed.

Max kernel policy version indicates the current version of the SELinux policy that is in use. In this example, it is version 28.
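
The rule from the field descriptions above, that only `Current mode: enforcing` counts as SELinux being on, written as a check over sestatus output. This is an added example, not part of the original tutorial; the function name `selinux_verdict` and all sample outputs are constructed, and the `Mode from config file` line is a real sestatus field that the tutorial does not discuss.

```shell
#!/bin/sh
# Added example: classify sestatus output read from stdin.
# Only "Current mode: enforcing" counts as protected, per the rule above.
selinux_verdict() {
    awk -F': *' '
        { sub(/[ \t]+$/, "") }                      # drop trailing whitespace
        /^SELinux status:/        { status = $2 }
        /^Current mode:/          { mode   = $2 }
        /^Mode from config file:/ { cfg    = $2 }   # mode applied at next boot
        /^Loaded policy name:/    { policy = $2 }
        END {
            if (status != "enabled")      { print "FAIL selinux-disabled"; exit }
            if (mode != "enforcing")      { print "FAIL not-enforcing mode=" mode; exit }
            if (cfg != "" && cfg != mode) { print "WARN config-drift boot=" cfg; exit }
            print "OK enforcing policy=" policy
        }'
}

# Constructed sample: enabled AND enforcing.
sample_enforcing() { cat <<'EOF'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
EOF
}

# Constructed sample: status says "enabled" but the mode is only permissive.
sample_permissive() { sample_enforcing | sed 's/^\(Current mode: *\)enforcing/\1permissive/'; }

# Constructed sample: enforcing now, but the config file says permissive.
sample_drift() { sample_enforcing | sed 's/^\(Mode from config file: *\)enforcing/\1permissive/'; }

# Constructed sample: a disabled system prints only the status line.
sample_disabled() { printf 'SELinux status:                 disabled\n'; }

# Print one verdict per constructed sample.
for s in sample_enforcing sample_permissive sample_drift sample_disabled; do
    printf '%-18s %s\n' "$s" "$("$s" | selinux_verdict)"
done
```

On a live host, pipe the real output through the same function: `sestatus | selinux_verdict`.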

The following is the output of sestatus on CentOS and RedHat 6.

If you want to disable SELinux on your system, you can use one of these methods: 4 Effective Methods to Disable SELinux Temporarily or Permanently

2. Display Selected Objects Security Context in sestatus

Using the -v option, along with the regular SELinux status, you can also display the SELinux context for selected files and processes.

The following is the default output of sestatus -v option:

In the above output:

  • The Process contexts section displays the SELinux context of a few selected processes. You can add your own processes to this list by adding them to the /etc/sestatus.conf file. As you see here, it displays the security context of the sshd process.
  • The File contexts section displays the SELinux context of a few selected files. You can add your own custom files to this list by adding them to the /etc/sestatus.conf file. As you see in the above output, it displays the security context of the password, shadow and a few other files.
  • Also, if the file that you’ve specified is a symbolic link, then the context of the target file will also be displayed.
    This section will always display the security context of the current process, the init process and the controlling terminal’s file context.

The following is the default setup of the /etc/sestatus.conf file. Add your custom files to the [files] section, and add your custom processes to the [process] section.

3. Display Boolean Values in sestatus

Using -b option, you can display the current state of booleans as shown below.

As shown below, apart from the typical sestatus output, in the “Policy booleans:” section, this will display the current SELinux boolean values for all the parameters.

The above output typically shows what you would see in the output of the getsebool command, i.e. the above “sestatus -b” command is equivalent to running the following two commands:
