3 SELinux sestatus Command Output Explained with Examples

sestatus stands for SELinux status.

This command is used to view the current status of the SELinux that is running on your system.

This tutorial explains the following:

1. sestatus Command Output Explained with Details
2. Display Selected Objects Security Context in sestatus
3. Display Boolean Values in sestatus

1. sestatus Command Output Explained

sestatus command will display whether SELinux is enabled or disable. This will also display additional information about some of the SELinux settings which are explained here.

The following is the sestatus command on CentOS 7 system. On the older version of CentOS / RedHat this output will be slightly different.

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Note: In the above output, “current mode” is the most important line that you should pay attention to, which is explained below.

SELinux status: This indicates whether SELinux module itself is enabled or disabled on your system. Keep in mind that even though this may say enabled, but SELinux might still be not technically enabled (enforced), which is really indicated by the “current mode” line explained below.

SELinuxfs mount: This is the SELinux temporary filesystem mount point. This is internally used by SELinux. This is what you’ll if you try do an ls on this SELinux filesystem. For our practical purpose, we can’t manipulate anything in this directory, as this is internally managed by SELinux.

# ls -l /sys/fs/selinux
total 0
-rw-rw-rw-.  1 root root    0 Jun  4 22:16 access
dr-xr-xr-x.  2 root root    0 Jun  4 22:16 avc
dr-xr-xr-x.  2 root root    0 Jun  4 22:16 booleans
-rw-r--r--.  1 root root    0 Jun  4 22:16 checkreqprot
..
..
-r--r--r--.  1 root root    0 Jun  4 22:16 policy
-rw-rw-rw-.  1 root root    0 Jun  4 22:16 relabel
-r--r--r--.  1 root root    0 Jun  4 22:16 status
-rw-rw-rw-.  1 root root    0 Jun  4 22:16 user

SELinux root directory: This is where all the SELinux configuration files are located. By default, you’ll see the following files and directories. This directory contains all the configuration files necessary for SELinux operation. You can modify these files.

# ls -l /etc/selinux
total 8
-rw-r--r--. 1 root root  546 May  1 19:08 config
drwx------. 2 root root    6 May  1 19:09 final
-rw-r--r--. 1 root root 2321 Jan 17 18:33 semanage.conf
drwxr-xr-x. 7 root root  215 May  1 19:09 targeted
drwxr-xr-x. 2 root root    6 Jan 17 18:33 tmp

Loaded policy name: This will indicate what type of SELinux policy is currently loaded. In pretty much all common situations, you’ll see “targeted” as the SELinux policy, as that is the default policy. The following are the possible SELinux policy available:

• targeted – This means that only targeted processes are protected by SELinux
• minimum – This is a slight modification of targeted policy. Only few selected processes are protected in this case.
• mls – This is for Multi Level Security protection. MLS is pretty complex and pretty much not used in most situations.

Current mode: This indicates whether SELinux is currently enforcing the policies or not. In other words, technically this will tell you whether SELinux is currently enabled and running on your system or not.

The following are the possible SELinux modes:

• enforcing – This indicates that SELinux security policy is enforced (i.e SELinux is enabled)
• permissive – This indicates that SELinux prints warnings instead of enforcing. This is helpful during debugging purpose when you want to know what would SELinux potentially block (without really blocking it) by looking at the SELinux logs.
• disabled – No SELinux policy is loaded.

For our practical purpose, enforcing is equal to enabled. permissive and disabled is equal to disabled.

Policy MLS status indicates the current status of MLS policy. By default this will be enabled.

Policy deny_unknown status indicates the current status of the deny_unknown flag in our policy. By default this will be set to allowed.

Max kernel policy version indicates the current version of the SELinux policy that is in us. In this example, it is version 28.

The following is the output of sestatus on CentOS and RedHat 6.

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

If you want to disable SELinux on your system, you can use one of these methods: 4 Effective Methods to Disable SELinux Temporarily or Permanently

2. Display Selected Objects Security Context in sestatus

Using option -v, along with the regular selinux status, you can also display the SELinux context for selected files and processes.

The following is the default output of sestatus -v option:

# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Process contexts:
Current context:                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context:                   system_u:system_r:init_t:s0
/usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s0:c0.c1023

File contexts:
Controlling terminal:           unconfined_u:object_r:user_devpts_t:s0
/etc/passwd                     system_u:object_r:passwd_file_t:s0
/etc/shadow                     system_u:object_r:shadow_t:s0
/bin/bash                       system_u:object_r:shell_exec_t:s0
/bin/login                      system_u:object_r:login_exec_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty                    system_u:object_r:getty_exec_t:s0
/sbin/init                      system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0

In the above output:

• Process contexts section displays the SELinux context of few selected processes. You can add your own process to this list by adding them to the /etc/sestatus.conf file. As you see here, it displays the security context of sshd process.
• File contexts section displays the SELinux context of few selected files. You can add your own custom files to this list by adding them to the /etc/sestatus.conf file. As you see in the above output, it displays the security context of password, shadow and few other files.
• Also, if the file that you’ve specified is a symbolic link, then the context of the target file will also be displayed.
  This section will always display the security context of current process, init process and controlling terminals file context.

The following is the default setup of the /etc/sestatus.conf file. Add your custom files to the [files] section, and add your cusom process to the [process] section.

# cat /etc/sestatus.conf 
[files]
/etc/passwd
/etc/shadow
/bin/bash
/bin/login
/bin/sh
/sbin/agetty
/sbin/init
/sbin/mingetty
/usr/sbin/sshd
/lib/libc.so.6
/lib/ld-linux.so.2
/lib/ld.so.1

[process]
/sbin/mingetty
/sbin/agetty
/usr/sbin/sshd

3. Display Boolean Values in sestatus

Using -b option, you can display the current state of booleans as shown below.

As shown below, apart from the typical sestatus output, in the “Policy booleans:” section, this will display the current SELinux boolean values for all the parameters.

# sestatus -b | more
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Policy booleans:
abrt_anon_write                             off
abrt_handle_event                           off
abrt_upload_watch_anon_write                on
antivirus_can_scan_system                   off
antivirus_use_jit                           off
auditadm_exec_content                       on
authlogin_nsswitch_use_ldap                 off
authlogin_radius                            off
authlogin_yubikey                           off
awstats_purge_apache_log_files              off
boinc_execmem                               on
cdrecord_read_content                       off
...
...
...
xend_run_blktap                             on
xend_run_qemu                               on
xguest_connect_network                      on
xguest_exec_content                         on
xguest_mount_media                          on
xguest_use_bluetooth                        on
xserver_clients_write_xshm                  off
xserver_execmem                             off
xserver_object_manager                      off
zabbix_can_network                          off
zarafa_setrlimit                            off
zebra_write_config                          off
zoneminder_anon_write                       off
zoneminder_run_sudo                         off

The above output typically shows what you would see in the output of the getsebool command. i.e The above one “sestatus -b” command is equivalent running the following two commands:

sestatus

getsebool -a