Shulou(Shulou.com)06/01 Report--

This article introduces the knowledge of "how to check the current status of SELinux under linux". In the operation of actual cases, many people will encounter such a dilemma, so let the editor lead you to learn how to deal with these situations. I hope you can read it carefully and be able to achieve something!

1. Output description of sestatus command

The sestatus command displays the SELinux enabled status. Additional information about SELinux is also displayed, which is explained here. The following are the sestatus commands on CentOS 8 systems:

[root@localhost ~] # sestatus SELinux status: enabled SELinuxfs mount: / sys/fs/selinux SELinux root directory: / etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33

SELinux status:

Indicates whether the SELinux module is enabled on the system.

SELinuxfs mount:

This is the mount point of the SELinux temporary file system. This is used internally by SELinux. You can view the directory using the ls command.

SELinux root directory:

This is where all the SELinux configuration files are located. This directory contains all the configuration files needed for SELinux, which we can modify.

Loaded policy name:

This indicates the type of SELinux policy currently loaded. The policy type loaded by default is targeted. The following SELinux policies are available:

Targeted-indicates that SELinux protects only the target process.

Minimum-this is a slight change to the targeted policy. In this case, only a small number of selected processes are protected.

Mls-this is used for multi-level security protection. MLS is very complex and is rarely used in most cases.

Current mode:

Indicates whether SELinux is currently enforcing a policy. There are three modes:

Enforcing-indicates that the SELinux security policy has been enforced.

Permissive-indicates that the SELinux logs the warning message instead of performing the action.

Disabled-indicates that the SELinux policy is not loaded.

For our practical purposes, enforcing equals enabling SELinux. Permissive and Disabled are equal to disabling SELinux.

Policy MLS status:

Indicates the current status of the MLS policy. It is enabled by default.

Policy deny_unknown status:

Indicates the current status of the deny_unknown flag in our policy. By default, it is set to allow.

Max kernel policy version:

Indicates the current version of the SELinux policy that we include. In this example, it is version 33.

two。 Displays the security context of the selected object in sestatus

Use the option-v to display the SELinux context of the files and processes listed in the / etc/sestatus.conf file. The following is the default output of the sestatus-v option:

In the output above:

Process contexts:

Section shows the SELinux context of some selected processes. You can add your own processes to the / etc/sestatus.conf file.

File contexts:

The section shows the SELinux context of some selected files. You can do this by adding your own customization file to the / etc/sestatus.conf file. In addition, if the specified file is a symbolic link, the context of the target file is also displayed.

The following are the default settings for the / etc/sestatus.conf file. Add the customization file to the [files] section and the custom process to the [process] section.

3. Display Boolean values in sestatus

Using the-b option, you can display the current state of the Boolean value, as shown below in the "Policy booleans:" section showing the current SELinux Boolean value of all parameters.

[root@localhost ~] # sestatus-b | less

In the above output, getsebool can also display the Boolean values of all SELinux.

[root@localhost ~] # getsebool-a | less

This is the end of the content of "how to check the current status of SELinux under linux". Thank you for reading. If you want to know more about the industry, you can follow the website, the editor will output more high-quality practical articles for you!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.