YouTip LogoYouTip

Linux Comm Sestatus

[![Image 1: Linux Command Manual](#) Linux Command Manual](#) * * * `sestatus` is a command-line tool in Linux systems used to view the current status of SELinux (Security-Enhanced Linux). SELinux is a mandatory access control (MAC) security mechanism developed by the U.S. National Security Agency (NSA) that provides an additional security layer for Linux systems. * * * ## Command Syntax sestatus ### Common Options | Option | Description | | --- | --- | | `-v` | Display verbose output, including process and file context information | | `-b` | Display current loaded policy boolean values (rule switches) | * * * ## Command Output Analysis After executing the `sestatus` command, typical output is as follows: ## Example SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33 ### Key Field Descriptions 1. **SELinux status** * `enabled`: SELinux is enabled * `disabled`: SELinux is disabled 2. **Current mode** * `enforcing`: Enforce security policies * `permissive`: Log violations only without blocking * `disabled`: Completely disabled 3. **Loaded policy name** * `targeted`: Default policy, protects specific services only * `mls`: Multi-level security policy (more strict) * `minimum`: Minimal policy * * * ## Practical Application Examples ### Example 1: Check SELinux Basic Status $ sestatus This is the most basic usage, quickly checking whether SELinux is enabled and its running mode. ### Example 2: View Detailed Context Information $ sestatus -v The output will include process and file context information, for example: ## Example Process contexts: Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Init context: system_u:system_r:init_t:s0 ... File contexts: Controlling terminal: unconfined_u:object_r:user_devpts_t:s0 ... ### Example 3: View Current Policy Boolean Values $ sestatus -b The output will display the status of all configurable policy rule switches, for example: ## Example Policy booleans: abrt_anon_write off abrt_handle_event off ... httpd_can_network_connect off ... * * * ## Common Troubleshooting ### Issue 1: SELinux Blocking Normal Operations **Solution**: 1. First confirm if SELinux is causing the problem: grep "avc:" /var/log/audit/audit.log 2. If so, you can temporarily set to permissive mode for testing: sudo setenforce 0 3. The permanent solution is to adjust SELinux policies or modify file contexts ### Issue 2: sestatus Shows SELinux is Disabled **Possible Causes**: * SELinux was disabled at system boot * `SELINUX=disabled` is set in `/etc/selinux/config` file **Solution**: 1. Edit the `/etc/selinux/config` file 2. Change to `SELINUX=enforcing` or `SELINUX=permissive` 3. Reboot the system * * * ## Best Practices 1. **Production Environment Recommendations** * Keep SELinux in `enforcing` mode for maximum security * Do not disable SELinux easily; instead, learn how to configure it properly 2. **Troubleshooting Steps** * First check status with `sestatus` * View `/var/log/audit/audit.log` for detailed denial information * Use `audit2allow` to generate custom policy modules 3. **Policy Adjustments** * Prioritize using `setsebool` to adjust boolean values * Second, consider modifying file contexts (`chcon`) * Only as a last resort consider creating custom policy modules * * * ## Summary The `sestatus` command is the first tool for managing SELinux systems, allowing you to quickly understand the system's security status. Mastering the use of this command can help system administrators better maintain Linux system security and quickly identify the root cause when permission issues arise. * * Linux Command Manual](#)
← Linux Comm Fail2BanLinux Comm Gpg β†’