Friday, May 22, 2015

Is SELinux running?

There is a simple question you need to answer when you get a new Linux server to manage: is SELinux running? If so, what are its settings? Below are some ways to answer these questions.

Check whether the SELinux configuration file exists and, if it does, what settings it contains.
root@earth> cat /etc/sysconfig/selinux
#    This file controls the state of SELinux on the system.
#    SELINUX= can take one of these three values:
#                enforcing - SELinux security policy is enforced.
#                permissive - SELinux prints warnings instead of enforcing.
#                disabled - No SELinux policy is loaded.
#    SELINUXTYPE= can take one of these two values:
#               targeted - Only targeted network daemons are protected.
#               strict - Full SELinux protection.
#               mls - Multi Level Security protection.
#    SETLOCALDEFS= Check local definition changes

The getenforce command displays the current SELinux mode (Enforcing, Permissive or Disabled).
root@earth> /usr/sbin/getenforce

The sestatus command reports the status of a system running SELinux.
root@earth> /usr/sbin/sestatus
SELinux status:             enabled
SELinuxfs mount:            /selinux
Current mode:               permissive
Mode from config file:      permissive
Policy version:             21
Policy from config file:    targeted
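
The checks above can be combined into one script. The following is an added example, not part of the original post: it compares the running mode reported by sestatus with the SELINUX= value in the configuration file and reports when they differ, for instance after someone has run setenforce on a live system. The function names are chosen for this example; the paths are the ones used above.

```shell
#!/bin/sh
# Added example: detect drift between the running SELinux mode and the
# mode configured for the next boot. Function names are illustrative.

# Print the SELINUX= value from a config file, lowercased.
# Comment lines and SELINUXTYPE= are skipped; the last assignment wins.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" 2>/dev/null |
        tail -n 1 | tr 'A-Z' 'a-z'
}

# Print the running mode from sestatus output read on stdin.
# A disabled system prints only "SELinux status: disabled".
runtime_mode() {
    awk -F':[ \t]*' '
        { sub(/[ \t]+$/, "", $2) }
        $1 == "SELinux status" && $2 == "disabled" { mode = "disabled" }
        $1 == "Current mode" { mode = $2 }
        END { print mode }'
}

# Compare runtime ($1) and configured ($2) modes.
# setenforce changes only the runtime mode, so a difference means the
# system will behave differently after the next reboot.
assess() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "unknown: runtime='$1' config='$2'"
    elif [ "$1" = "$2" ]; then
        echo "match: $1"
    else
        echo "drift: running $1, config file says $2"
    fi
}

# Live check; skipped on hosts where sestatus is not installed.
if [ -x /usr/sbin/sestatus ]; then
    assess "$(/usr/sbin/sestatus | runtime_mode)" \
           "$(config_mode /etc/sysconfig/selinux)"
fi
```

An "unknown" result means either sestatus produced no mode line or the configuration file has no uncommented SELINUX= assignment.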

Security Enhanced Linux (SELinux) project page
Wikipedia - SELinux