sestatus stands for SELinux status.
This command is used to view the current status of the SELinux that is running on your system.
This tutorial explains the following:
- sestatus Command Output Explained with Details
- Display Selected Objects Security Context in sestatus
- Display Boolean Values in sestatus
1. sestatus Command Output Explained
sestatus command will display whether SELinux is enabled or disable. This will also display additional information about some of the SELinux settings which are explained here.
The following is the sestatus command on CentOS 7 system. On the older version of CentOS / RedHat this output will be slightly different.
# sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28
Note: In the above output, “current mode” is the most important line that you should pay attention to, which is explained below.
SELinux status: This indicates whether SELinux module itself is enabled or disabled on your system. Keep in mind that even though this may say enabled, but SELinux might still be not technically enabled (enforced), which is really indicated by the “current mode” line explained below.
SELinuxfs mount: This is the SELinux temporary filesystem mount point. This is internally used by SELinux. This is what you’ll if you try do an ls on this SELinux filesystem. For our practical purpose, we can’t manipulate anything in this directory, as this is internally managed by SELinux.
# ls -l /sys/fs/selinux total 0 -rw-rw-rw-. 1 root root 0 Jun 4 22:16 access dr-xr-xr-x. 2 root root 0 Jun 4 22:16 avc dr-xr-xr-x. 2 root root 0 Jun 4 22:16 booleans -rw-r--r--. 1 root root 0 Jun 4 22:16 checkreqprot .. .. -r--r--r--. 1 root root 0 Jun 4 22:16 policy -rw-rw-rw-. 1 root root 0 Jun 4 22:16 relabel -r--r--r--. 1 root root 0 Jun 4 22:16 status -rw-rw-rw-. 1 root root 0 Jun 4 22:16 user
SELinux root directory: This is where all the SELinux configuration files are located. By default, you’ll see the following files and directories. This directory contains all the configuration files necessary for SELinux operation. You can modify these files.
# ls -l /etc/selinux total 8 -rw-r--r--. 1 root root 546 May 1 19:08 config drwx------. 2 root root 6 May 1 19:09 final -rw-r--r--. 1 root root 2321 Jan 17 18:33 semanage.conf drwxr-xr-x. 7 root root 215 May 1 19:09 targeted drwxr-xr-x. 2 root root 6 Jan 17 18:33 tmp
Loaded policy name: This will indicate what type of SELinux policy is currently loaded. In pretty much all common situations, you’ll see “targeted” as the SELinux policy, as that is the default policy. The following are the possible SELinux policy available:
- targeted – This means that only targeted processes are protected by SELinux
- minimum – This is a slight modification of targeted policy. Only few selected processes are protected in this case.
- mls – This is for Multi Level Security protection. MLS is pretty complex and pretty much not used in most situations.
Current mode: This indicates whether SELinux is currently enforcing the policies or not. In other words, technically this will tell you whether SELinux is currently enabled and running on your system or not.
The following are the possible SELinux modes:
- enforcing – This indicates that SELinux security policy is enforced (i.e SELinux is enabled)
- permissive – This indicates that SELinux prints warnings instead of enforcing. This is helpful during debugging purpose when you want to know what would SELinux potentially block (without really blocking it) by looking at the SELinux logs.
- disabled – No SELinux policy is loaded.
For our practical purpose, enforcing is equal to enabled. permissive and disabled is equal to disabled.
Policy MLS status indicates the current status of MLS policy. By default this will be enabled.
Policy deny_unknown status indicates the current status of the deny_unknown flag in our policy. By default this will be set to allowed.
Max kernel policy version indicates the current version of the SELinux policy that is in us. In this example, it is version 28.
The following is the output of sestatus on CentOS and RedHat 6.
# sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 24 Policy from config file: targeted
If you want to disable SELinux on your system, you can use one of these methods: 4 Effective Methods to Disable SELinux Temporarily or Permanently
2. Display Selected Objects Security Context in sestatus
Using option -v, along with the regular selinux status, you can also display the SELinux context for selected files and processes.
The following is the default output of sestatus -v option:
# sestatus -v SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28 Process contexts: Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Init context: system_u:system_r:init_t:s0 /usr/sbin/sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 File contexts: Controlling terminal: unconfined_u:object_r:user_devpts_t:s0 /etc/passwd system_u:object_r:passwd_file_t:s0 /etc/shadow system_u:object_r:shadow_t:s0 /bin/bash system_u:object_r:shell_exec_t:s0 /bin/login system_u:object_r:login_exec_t:s0 /bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0 /sbin/agetty system_u:object_r:getty_exec_t:s0 /sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0 /usr/sbin/sshd system_u:object_r:sshd_exec_t:s0
In the above output:
- Process contexts section displays the SELinux context of few selected processes. You can add your own process to this list by adding them to the /etc/sestatus.conf file. As you see here, it displays the security context of sshd process.
- File contexts section displays the SELinux context of few selected files. You can add your own custom files to this list by adding them to the /etc/sestatus.conf file. As you see in the above output, it displays the security context of password, shadow and few other files.
- Also, if the file that you’ve specified is a symbolic link, then the context of the target file will also be displayed.
This section will always display the security context of current process, init process and controlling terminals file context.
The following is the default setup of the /etc/sestatus.conf file. Add your custom files to the [files] section, and add your cusom process to the [process] section.
# cat /etc/sestatus.conf [files] /etc/passwd /etc/shadow /bin/bash /bin/login /bin/sh /sbin/agetty /sbin/init /sbin/mingetty /usr/sbin/sshd /lib/libc.so.6 /lib/ld-linux.so.2 /lib/ld.so.1 [process] /sbin/mingetty /sbin/agetty /usr/sbin/sshd
3. Display Boolean Values in sestatus
Using -b option, you can display the current state of booleans as shown below.
As shown below, apart from the typical sestatus output, in the “Policy booleans:” section, this will display the current SELinux boolean values for all the parameters.
# sestatus -b | more SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28 Policy booleans: abrt_anon_write off abrt_handle_event off abrt_upload_watch_anon_write on antivirus_can_scan_system off antivirus_use_jit off auditadm_exec_content on authlogin_nsswitch_use_ldap off authlogin_radius off authlogin_yubikey off awstats_purge_apache_log_files off boinc_execmem on cdrecord_read_content off ... ... ... xend_run_blktap on xend_run_qemu on xguest_connect_network on xguest_exec_content on xguest_mount_media on xguest_use_bluetooth on xserver_clients_write_xshm off xserver_execmem off xserver_object_manager off zabbix_can_network off zarafa_setrlimit off zebra_write_config off zoneminder_anon_write off zoneminder_run_sudo off
The above output typically shows what you would see in the output of the getsebool command. i.e The above one “sestatus -b” command is equivalent running the following two commands:
sestatus getsebool -a