sestatus

The sestatus command in Linux is used to display the current status of SELinux (Security-Enhanced Linux) on a system. This command provides essential information about whether SELinux is enabled or disabled, its current mode (enforcing, permissive, or disabled), and details about the loaded SELinux policy. Here’s a detailed explanation of sestatus, its usage, and significance:

Purpose of sestatus

The main purpose of sestatus is to:

  • Display the current operational status of SELinux.

  • Provide detailed information about SELinux settings and policies.

Key Features and Functionality

  1. Status Display: sestatus shows whether SELinux is active on the system and its current mode.

  2. Policy Information: It provides details about the loaded SELinux policy, including the policy type and version.

  3. Context Details: Displays the current contexts for various parts of the system, such as the process context and file context.

Usage

To use sestatus, open a terminal and type:

sestatus

Example Output

When you run sestatus, you might see output similar to the following:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

Explanation of Output Fields

  • SELinux status: Indicates whether SELinux is enabled or disabled.

  • SELinuxfs mount: Shows the mount point of the SELinux filesystem.

  • SELinux root directory: Path to the directory containing SELinux configuration files.

  • Loaded policy name: The name of the loaded SELinux policy (e.g., targeted, mls).

  • Current mode: Indicates the current mode of SELinux (enforcing, permissive, or disabled).

  • Mode from config file: The mode specified in the SELinux configuration file.

  • Policy MLS status: Indicates whether Multi-Level Security (MLS) is enabled.

  • Policy deny_unknown status: Shows whether unknown policy types are allowed.

  • Max kernel policy version: The highest policy version supported by the kernel.

Benefits

  • Quick Status Check: Provides a quick way to check if SELinux is enabled and its current operational mode.

  • Policy Insights: Offers insights into the loaded SELinux policy and configuration, aiding in system security audits and troubleshooting.

Security Considerations

  • Regular Monitoring: Regularly check the status of SELinux to ensure it is enabled and operating in the desired mode.

  • Configuration Consistency: Ensure that the mode and policies reported by sestatus align with organizational security requirements and configurations.

Conclusion

The sestatus command is a valuable tool for system administrators to quickly and easily verify the status and configuration of SELinux on a system. By using sestatus, administrators can ensure that SELinux is properly configured and operating as expected, thereby maintaining the security posture of the system.

PrevioussemanageNextsetcap

Last updated