How to check if SELinux is enabled in Linux

Introduction

In this lab, you will learn how to check the status and configuration of SELinux on a Linux system. SELinux is a crucial security mechanism that provides mandatory access control.

You will use the sestatus command to get a summary of the current SELinux state, inspect the SELinux configuration file /etc/selinux/config to understand its default settings, and use the getenforce command to quickly check the current operating mode. By completing these steps, you will gain a fundamental understanding of how to determine if SELinux is enabled and how it is configured on your system.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL linux(("Linux")) -.-> linux/BasicSystemCommandsGroup(["Basic System Commands"]) linux(("Linux")) -.-> linux/BasicFileOperationsGroup(["Basic File Operations"]) linux/BasicSystemCommandsGroup -.-> linux/echo("Text Display") linux/BasicFileOperationsGroup -.-> linux/cat("File Concatenating") subgraph Lab Skills linux/echo -.-> lab-558802{{"How to check if SELinux is enabled in Linux"}} linux/cat -.-> lab-558802{{"How to check if SELinux is enabled in Linux"}} end

Check SELinux status with sestatus

In this step, you will learn how to check the status of SELinux on your system. SELinux (Security-Enhanced Linux) is a security mechanism that provides mandatory access control (MAC) for processes and resources. It adds an extra layer of security on top of the traditional discretionary access control (DAC).

To check the current status of SELinux, we use the sestatus command. This command provides a summary of the SELinux configuration and its current state.

Open your terminal if it's not already open. You can do this by clicking the Xfce Terminal icon on the left side of your desktop.

Now, type the following command into the terminal and press Enter:

sestatus

You should see output similar to this:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 ...
Policy load time:               ...

Let's break down the important parts of the output:

SELinux status: Indicates whether SELinux is enabled or disabled on the system.
Current mode: Shows the current operating mode of SELinux. Common modes are enforcing, permissive, and disabled.
Mode from config file: Shows the mode that is set in the SELinux configuration file (/etc/selinux/config).

In this output, SELinux status: enabled means SELinux is active, and Current mode: enforcing means SELinux is actively enforcing its security policies.

Understanding the SELinux status is the first step in managing its behavior.

Click Continue to proceed to the next step.

Verify SELinux config with cat /etc/selinux/config

In the previous step, you checked the current status of SELinux using sestatus. Now, let's look at the configuration file that determines the default behavior of SELinux.

The main configuration file for SELinux is located at /etc/selinux/config. We can view the contents of this file using the cat command. The cat command is used to display the content of files.

Type the following command in your terminal and press Enter:

cat /etc/selinux/config

You should see output similar to this:

## This file controls the state of SELinux on the system.
## SELINUX= can take one of these three values:
##     enforcing - SELinux security policy is enforced.
##     permissive - SELinux prints warnings instead of enforcing.
##     disabled - No SELinux policy is loaded.
SELINUX=enforcing
## SELINUXTYPE= can take one of these three values:
##     targeted - Targeted processes are protected,
##               for more information see selinux-policy-targeted(8)
##     strict - Full SELinux protection, see selinux-policy(8)
##     mls - Multi-Level Security protection.
SELINUXTYPE=targeted

This file is where you would configure the default SELinux mode (SELINUX=) and the policy type (SELINUXTYPE=).

SELINUX=enforcing: This line indicates that the system is configured to start in enforcing mode by default.
SELINUXTYPE=targeted: This line specifies that the targeted policy is used. The targeted policy is the most common and protects specific system processes.

The settings in this file are typically applied when the system boots. While you can change the current mode temporarily (which we'll see in the next step), changes made to /etc/selinux/config require a system reboot to take full effect.

Understanding the configuration file helps you see the intended SELinux state for the system.

Click Continue to move on.

Inspect SELinux mode with getenforce

In the previous steps, you used sestatus to get a detailed overview of SELinux and cat /etc/selinux/config to see the default configuration. Now, let's use a simpler command, getenforce, to quickly check the current SELinux mode.

The getenforce command is specifically designed to output just the current operating mode of SELinux. This is useful for a quick check without needing the full output of sestatus.

Type the following command in your terminal and press Enter:

getenforce

You should see output similar to this:

Enforcing

The output will be one of the following:

Enforcing: SELinux is active and enforcing its policies. Any action that violates a policy will be blocked.
Permissive: SELinux is active but not enforcing policies. It will log warnings about actions that would have been blocked in enforcing mode, but it allows them to proceed. This mode is useful for testing and troubleshooting.
Disabled: SELinux is not active and no policies are loaded.

In this case, the output Enforcing confirms that SELinux is currently running in enforcing mode, which matches what we saw with the sestatus command.

The getenforce command is a handy tool for a quick check of the SELinux status.

Click Continue to complete this lab.

Summary

In this lab, you learned how to check the status of SELinux on a Linux system. You used the sestatus command to get a summary of the SELinux configuration, including whether it is enabled, its current operating mode (enforcing, permissive, or disabled), and the mode set in the configuration file.

You also learned how to verify the SELinux configuration by inspecting the /etc/selinux/config file using the cat command, which shows the default SELinux mode that will be applied upon system boot. Finally, you used the getenforce command to quickly check the current SELinux mode. These steps provide essential methods for understanding the current state and configuration of SELinux.