

Important Security-enhanced Linux (SELinux) commands



To see the current status of SELinux, run the “getenforce” command.

[root@RHEL04 ~]# getenforce


For more detailed SELinux-related information, use the “sestatus” and “sestatus -v” commands.

[root@RHEL04 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted


The current SELinux mode can also be changed with the “setenforce” command, as shown below.

[root@RHEL03 ~]# setenforce enforcing
[root@RHEL03 ~]# setenforce permissive
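
A mode set with setenforce applies only to the running system, while “Mode from config file” in the sestatus output is the mode the host boots into. The script below is an added example, not part of the original page: it parses sestatus output and flags a host whose runtime mode differs from its configured mode. The function names and the sample text (the sestatus output above with the current mode changed to permissive) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the SELinux mode reported by `sestatus`.

# sestatus_field TEXT LABEL: print the value of the "LABEL: value" line.
sestatus_field() {
    printf '%s\n' "$1" | awk -F':[ \t]*' -v key="$2" '
        $1 == key { sub(/[ \t\r]+$/, "", $2); print $2; exit }'
}

# audit_selinux_mode TEXT: print one verdict line for the given sestatus text.
audit_selinux_mode() {
    status=$(sestatus_field "$1" "SELinux status")
    current=$(sestatus_field "$1" "Current mode")
    config=$(sestatus_field "$1" "Mode from config file")

    if [ "$status" != "enabled" ]; then
        # A disabled host prints only the status line, so no mode is available.
        echo "FAIL: SELinux is ${status:-unknown}"
    elif [ "$current" != "enforcing" ] && [ "$config" = "enforcing" ]; then
        # Typical after "setenforce permissive": policy is not enforced right now.
        echo "WARN: runtime mode is $current, config file says enforcing"
    elif [ "$current" = "enforcing" ] && [ "$config" != "enforcing" ]; then
        # Enforcing only until the next reboot.
        echo "WARN: runtime mode is enforcing, next boot will be ${config:-unknown}"
    elif [ "$current" != "enforcing" ]; then
        echo "FAIL: mode is ${current:-unknown} at runtime and in config file"
    else
        echo "OK: enforcing at runtime and in config file"
    fi
}

# Constructed sample: the sestatus output above after "setenforce permissive".
SAMPLE_DRIFT='SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted'

audit_selinux_mode "$SAMPLE_DRIFT"
```

On a live host, call it as audit_selinux_mode "$(sestatus)".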


chcon applies an SELinux label to files and directories. If you want to change the security context of a file or directory, you can use the "chcon" command. For example, if you want to configure a non-standard directory for an FTP server, make sure its context matches that of the default FTP directory.

The security context of the standard FTP directory can be viewed by using the “ls -Z” command.

[root@RHEL03 ~]# ls -Z /var/ftp/
drwxr-xr-x root root system_u:object_r:public_content_t pub

To change the context, use the chcon command. To apply the change recursively, add the -R switch. Change the user and type contexts to match the /var/ftp folder using the chcon command.

[root@RHEL03 ~]# chcon -R -u user_u -t public_content_rw_t /ftp


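restorecon sets the security context of one or more files by marking the extended attributes with the appropriate file or security context, that is, the default defined in the policy's file-context rules. The -F option forces the reset, so a context applied by hand with chcon is replaced.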

[root@RHEL03 ~]# restorecon -F -R /ftp


fixfiles checks or corrects the security context database on the file system.

[root@RHEL04 /]# fixfiles -l /root/fixchek.txt relabel


getsebool gets SELinux boolean value(s).

[root@RHEL01 ~]# getsebool -a


setsebool is used to toggle policy booleans on or off.

[root@RHEL01 ~]# setsebool httpd_can_network_connect=on

Note: If you want the Boolean values to be persistent, use the -P option with the setsebool command. The -P option writes the pending values to the policy file on disk.

              Jajish Thomason Google+