sestatus stands for SELinux status.

This command is used to view the current status of the SELinux that is running on your system.

1.      sestatus Command Output :

 

         sestatus command will display whether SELinux is enabled or disable. and  This will also display additional information some of the                 SELinux settings Here is the sestatus command on CentOS 7 system.

 

sestatus

SELinux status:                 enabled

SELinuxfs mount:                /sys/fs/selinux

SELinux root directory:         /etc/selinux

Loaded policy name:             targeted

Current mode:                   enforcing

Mode from config file:          enforcing

Policy MLS status:              enabled

Policy deny_unknown status:     allowed

Max kernel policy version:      28

SELinux status: This indicates whether SELinux module itself is enabled or disabled on your system. Even though this may say enabled, but SELinux might still be not technically enabled (enforced), which is really indicated by the “current mode” line explained here.

# ls -l /sys/fs/selinux
total 0
-rw-rw-rw-.  1 root root    0 Jun  4 22:16 access
dr-xr-xr-x.  2 root root    0 Jun  4 22:16 avc
dr-xr-xr-x.  2 root root    0 Jun  4 22:16 booleans
-rw-r--r--.  1 root root    0 Jun  4 22:16 checkreqprot
..
..
-r--r--r--.  1 root root    0 Jun  4 22:16 policy
-rw-rw-rw-.  1 root root    0 Jun  4 22:16 relabel
-r--r--r--.  1 root root    0 Jun  4 22:16 status
-rw-rw-rw-.  1 root root    0 Jun  4 22:16 user

 

SELinuxfs mount: This is the SELinux temporary filesystem mount point. This is internally used by SELinux. For our practical purpose, we can’t manipulate anything in this directory, as this is internally managed by SELinux.

SELinux root directory: This is where all the SELinux configuration files are located. This directory contains all the configuration files necessary for SELinux operation. You can able modify these files.

 

Loaded policy name: This will indicate what type of SELinux policy is currently loaded.

 The available  possible SELinux policy’s are:

targeted – This means that only targeted processes are protected by SELinux

minimum – This is a slight modification of targeted policy. Only few selected processes are protected in this case.

mls – This is for Multi Level Security protection. MLS is pretty complex and pretty much not used in most situations.

 

Current mode: This indicates whether SELinux is currently enforcing the policies or not.

The Possible  SELinux modes are:

 

# sestatus
SELinux status:                 enabled
SELinuxfs mount:               /selinux
Current mode:                     enforcing
Mode from config file:          enforcing
Policy version:                      24
Policy from config file:          targeted

2. Display Selected Objects Security Context in sestatus

Using option -v, along with the regular selinux status, we can also display the SELinux context for selected files and processes.

Here  is the default output of sestatus -v option:

# sestatus -v
SELinux status:                  enabled
SELinuxfs mount:               /sys/fs/selinux
SELinux root directory:        /etc/selinux
Loaded policy name:            targeted
Current mode:                       enforcing
Mode from config file:            enforcing
Policy MLS status:                 enabled
Policy deny_unknown status:  allowed
Max kernel policy version:       28
 
Process contexts:
Current context:                  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context:                         system_u:system_r:init_t:s0
/usr/sbin/sshd                      system_u:system_r:sshd_t:s0-s0:c0.c1023
 File contexts:
Controlling terminal:            unconfined_u:object_r:user_devpts_t:s0
/etc/passwd                         system_u:object_r:passwd_file_t:s0
/etc/shadow                         system_u:object_r:shadow_t:s0
/bin/bash                             system_u:object_r:shell_exec_t:s0
/bin/login                             system_u:object_r:login_exec_t:s0
/bin/sh                                 system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty                         system_u:object_r:getty_exec_t:s0
/sbin/init                              system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/usr/sbin/sshd                     system_u:object_r:sshd_exec_t:s0

In the above output:

    

The default setup of the /etc/sestatus.conf file.

# cat /etc/sestatus.conf 
[files]
/etc/passwd
/etc/shadow
/bin/bash
/bin/login
/bin/sh
/sbin/agetty
/sbin/init
/sbin/mingetty
/usr/sbin/sshd
/lib/libc.so.6
/lib/ld-linux.so.2
/lib/ld.so.1
 
[process]
/sbin/mingetty
/sbin/agetty
/usr/sbin/sshd

3. Display Boolean Values in sestatus

Using -b option, display the current state of booleans as.

# sestatus -b | more
SELinux status:                 enabled
SELinuxfs mount:               /sys/fs/selinux
SELinux root directory:        /etc/selinux
Loaded policy name:            targeted
Current mode:                       enforcing
Mode from config file:            enforcing
Policy MLS status:                 enabled
Policy deny_unknown status:  allowed
Max kernel policy version:        28
 
Policy booleans:
abrt_anon_write                           off
abrt_handle_event                        off
abrt_upload_watch_anon_write    on
antivirus_can_scan_system           off
antivirus_use_jit                              off
auditadm_exec_content                  on
authlogin_nsswitch_use_ldap          off
authlogin_radius                               off
authlogin_yubikey                             off
awstats_purge_apache_log_files      off
boinc_execmem                                on
cdrecord_read_content                      off
...
...
...
xend_run_blktap                             on
xend_run_qemu                              on
xguest_connect_network                on
xguest_exec_content                      on
xguest_mount_media                      on
xguest_use_bluetooth                     on
xserver_clients_write_xshm            off
xserver_execmem                           off
xserver_object_manager                  off
zabbix_can_network                         off
zarafa_setrlimit                                  off
zebra_write_config                             off
zoneminder_anon_write                     off
zoneminder_run_sudo                        off

 The above one “sestatus -b” command is equivalent running the following two commands:

 

sestatus
getsebool -a

 

Was this answer helpful? 0 Users Found This Useful (0 Votes)