Use the sestatus command to view the current status of SELinux

Time:2021-8-12

The sestatus command is used to view the current status of SELinux running on the system. This article describes the sestatus command output in detail. sestatus can also display the security contexts of selected objects and all Boolean values.

1. sestatus command output description
The sestatus command displays whether SELinux is enabled. It also displays additional information about SELinux, which is described here. The following is the sestatus output on a CentOS 8 system:

# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33

SELinux status: indicates whether the SELinux module is enabled on the system.

SELinuxfs mount: This is the mount point of the SELinux temporary file system, which SELinux uses internally. You can view this directory using the ls command.


SELinux root directory: This is the location of all SELinux configuration files. This directory contains all the configuration files required by SELinux, which we can modify.


Loaded policy name: This indicates the type of SELinux policy currently loaded. By default, the loaded policy type is targeted. The following are the available SELinux policies:

Targeted – indicates that SELinux protects only targeted processes.
Minimum – this is a slight modification of the targeted policy. In this case, only a few selected processes are protected.
MLS – this is used for multi-level security protection. MLS is very complex and rarely used in most cases.

Current mode: indicates whether SELinux is currently enforcing policies. There are three modes:

Enforcing – indicates that the SELinux security policy is enforced.
Permissive – indicates that SELinux logs warnings instead of enforcing the policy.
Disabled – indicates that the SELinux policy is not loaded.

For our practical purposes, enforcing is equal to enabling SELinux. Permissive and disabled are equal to disabling SELinux.

Policy MLS status: indicates the current status of the MLS policy. Enabled by default.

Policy deny_unknown status: indicates the current state of the deny_unknown flag in our policy. By default, it is set to allowed.

Max kernel policy version: indicates the current version of SELinux policy included in our. In this example, it is version 33.
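
As an added example (not part of the original article), the shell function below parses the fields described above and flags a host that is not enforcing, or whose running mode differs from the mode in the config file. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit sestatus output read on stdin.
# Prints one finding per line; returns 0 only if SELinux is enabled, enforcing,
# and the running mode matches the mode from the config file.
audit_sestatus() {
    awk '
    {   # Split "Label: value" on the first colon only (contexts contain more colons).
        i = index($0, ":"); if (i == 0) next
        key = tolower(substr($0, 1, i - 1)); val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        f[key] = val
    }
    END {
        n = 0
        if (f["selinux status"] != "enabled") {
            # A disabled system prints only the status line, so stop here.
            print "FAIL: SELinux status is \"" f["selinux status"] "\""; exit 1
        }
        if (f["current mode"] != "enforcing") {
            print "FAIL: current mode is " f["current mode"] " (denials are logged, not blocked)"; n++
        }
        if (f["mode from config file"] != f["current mode"]) {
            print "WARN: running mode (" f["current mode"] ") differs from config file (" f["mode from config file"] ")"; n++
        }
        if (n == 0) print "OK: " f["loaded policy name"] " policy, enforcing, matches config file"
        exit (n > 0)
    }'
}

# Constructed sample: a subset of the fields shown in the CentOS 8 output above.
sample_enforcing() {
    printf '%s\n' 'SELinux status: enabled' 'Loaded policy name: targeted' \
        'Current mode: enforcing' 'Mode from config file: enforcing'
}
# Constructed sample: the same host with the running mode switched to permissive.
sample_drift() { sample_enforcing | sed 's/^Current mode: .*/Current mode: permissive/'; }

# On a real host, run: sestatus | audit_sestatus
sample_drift | audit_sestatus || true
```

A mismatch between the two mode lines means the running mode was changed without updating the config file, so the mode will change again at the next boot.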

2. Display the security context of the selected object in sestatus
Use the -v option to display the SELinux contexts of the files and processes listed in the /etc/sestatus.conf file. The following is the default output of the sestatus -v option:

In the above output, the "Process contexts:" section displays SELinux contexts for some selected processes. You can add your own processes to the /etc/sestatus.conf file.

The "File contexts:" section shows SELinux contexts for some selected files. You can add your own custom files to the /etc/sestatus.conf file. In addition, if a specified file is a symbolic link, the context of the target file is also displayed.

The following are the default settings for the /etc/sestatus.conf file. Add custom files to the [files] section and custom processes to the [process] section.

3. Display Boolean values in sestatus
Using the -b option, you can display the current status of Boolean values, as shown below. The current SELinux Boolean values of all parameters are displayed in the "Policy booleans:" section.

# sestatus -b |less
In addition to the above output, the getsebool command can also display all SELinux Boolean values.

# getsebool -a |less

Summary
The sestatus command is used to view the current status of SELinux running on the system.