
Linux - SELinux

Commands

Globals

Display SELinux status:

sestatus

To see only the current SELinux mode, run the following command:

getenforce
# Ex: Enforcing

The current SELinux status can also be changed with the following command:

setenforce <status>
# Ex: setenforce enforcing
#     setenforce permissive

Configuration file:

/etc/selinux/config

At any point in time, you can generate a report from your SELinux audit logs. This report will contain all information regarding any potential event that has been blocked by SELinux and also how you can allow the blocked event(s) if needed:

sealert -a /var/log/audit/audit.log
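
The report above is built from the AVC denial records in the audit log. As an added example (not part of the original page), the shell function below tallies those records by process, source type, target type, class and permissions, and marks whether each denial was enforced or only logged in permissive mode. The function names and the log lines are constructed for illustration; on a real system pass /var/log/audit/audit.log as the argument.

```shell
#!/bin/sh
# Constructed sample records in audit.log format (not taken from a real host).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000007.202:517): avc:  denied  { name_connect } for  pid=2104 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000011.303:530): avc:  denied  { read write } for  pid=2200 comm="vsftpd" name="upload" dev="dm-0" ino=1234 scontext=system_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=1
EOF
}

# summarize_avc [file...]: count AVC denials per (process, types, class, perms).
# Reads stdin when no file is given. Output: "<count> <comm> <src> -> <tgt>:<class> {perms} <mode>"
summarize_avc() {
    LC_ALL=C awk '
    $1 == "type=AVC" && /avc: +denied/ {
        comm = src = tgt = cls = ""; mode = "enforced"
        # The denied permissions are listed between the braces.
        o = index($0, "{"); c = index($0, "}")
        perms = substr($0, o + 1, c - o - 1)
        gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        for (i = 1; i <= NF; i++) {
            p = index($i, "="); if (!p) continue
            key = substr($i, 1, p - 1); val = substr($i, p + 1)
            if (key == "comm") { gsub(/"/, "", val); comm = val }
            # A context is user:role:type:level; the type is the third part.
            else if (key == "scontext") { split(val, a, ":"); src = a[3] }
            else if (key == "tcontext") { split(val, a, ":"); tgt = a[3] }
            else if (key == "tclass") cls = val
            # permissive=1 means the access was logged but not blocked.
            else if (key == "permissive" && val == "1") mode = "permissive"
        }
        n[comm " " src " -> " tgt ":" cls " {" perms "} " mode]++
    }
    END { for (k in n) print n[k], k }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

# Demo on the constructed sample.
sample_log | summarize_avc
```
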

Permission

The SELinux security context of a file or directory can be viewed by using the following command:

ls -Z <path>

To change the context, use the chcon command. To apply the change recursively, add the -R switch:

chcon [-R] -u <user> -t <type> <path>
# Ex: chcon -R -u user_u -t public_content_rw_t /ftp

Get SELinux boolean value(s):

getsebool -a

setsebool is used to toggle policy booleans on or off:

setsebool <boolean>=on|off
# Ex: setsebool httpd_can_network_connect=on

Note

If you want the Boolean values to be persistent, use the -P option with the setsebool command. The -P option writes the pending values to the policy file on disk.

Policy

The policy modules of SELinux can be viewed by running the following command:

semodule -l
  • https://searchdatacenter.techtarget.com/tip/SELinux-tutorial-Commands-and-management