LinuxCommandLibrary

sestatus

Display SELinux status information

TLDR

Print the current status

$ sestatus
copy

Print the current states of all policy booleans
$ sestatus -b
copy

Print the current file and process contexts
$ sestatus -v
copy

SYNOPSIS

sestatus [-v] [-b]

PARAMETERS

-v
    Verbose output. Displays additional information such as loaded policy version and module information.

-b
    Show the boot-time SELinux policy.

DESCRIPTION

The sestatus command provides a comprehensive overview of the Security-Enhanced Linux (SELinux) status on a Linux system. It displays vital information such as the SELinux mode (enforcing, permissive, or disabled), the current policy being used, and the system's SELinux configuration file. It also shows the boot-time policy, the process context, file context, and details about loaded modules and their statuses. sestatus is an essential tool for system administrators who need to understand and manage SELinux, ensuring that the system's security policies are functioning as intended.
The information presented by sestatus is dynamic, reflecting the current state of SELinux. Using this command enables administrators to verify that SELinux is properly configured, diagnose potential issues, and make informed decisions about SELinux policies. It eliminates the need to parse complex configuration files manually, providing a user-friendly interface for understanding SELinux's operational details. Proper understanding of SELinux is crucial for maintaining system security. Using sestatus in combination with other SELinux tools such as `setenforce` or `audit2allow` provides full management of the SELinux security model.

CAVEATS

The sestatus command relies on SELinux being enabled and properly configured. If SELinux is disabled or not fully functional, the output might be incomplete or misleading. Root privileges are typically required to run sestatus and obtain accurate information.

UNDERSTANDING THE OUTPUT

The output of sestatus includes several key pieces of information:

  • SELinux status: Indicates whether SELinux is enabled or disabled.
  • SELinuxfs mount: Shows the mount point of the SELinux filesystem.
  • SELinux root: Specifies the root directory for SELinux policy files.
  • Loaded policy name: Displays the name of the currently loaded policy.
  • Current mode: Indicates the SELinux mode (enforcing, permissive, or disabled).
  • Mode from config file: Reflects the mode specified in the SELinux configuration file.
  • Policy MLS status: Shows whether Multi-Level Security (MLS) is enabled.
  • Policy deny_unknown status: Indicates whether unknown objects are denied by default.
  • Max kernel policy version: Displays the maximum supported kernel policy version.

HISTORY

SELinux was initially developed by the National Security Agency (NSA) and has been integrated into the Linux kernel since version 2.6. The sestatus command was developed as part of the SELinux userspace tools to provide administrators with a simple way to check the status and configuration of the SELinux system. The sestatus command became increasingly essential as SELinux gained wider adoption in enterprise environments.

SEE ALSO

setenforce(8), getenforce(8), selinuxenabled(1), restorecon(8), chcon(1), audit2allow(1)

Copied to clipboard