Important Security-enhanced Linux (SELinux) commands
getenforce
To see the current status of SELinux, run the “getenforce” command.
[root@RHEL04 ~]# getenforce
Enforcing
sestatus
For more detailed SELinux related information use “sestatus” and “sestatus -v” command.
[root@RHEL04 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
setenforce
The current SELinux status can also be changed with the “setenforce” command as shown below.
[root@RHEL03 ~] setenforce enforcing
[root@RHEL03 ~] setenforce permissive
chcon
Applies SELinux label to files and directories. If you want to change the settings of a file or directory, you can use the "chcon" command. For example, if you wanted to configure a non-standard directory for an FTP server, you'll want to make sure the context matches the default FTP directory.
The permissions of a standard FTP directory can be viewed by using “ls –Z” command.
[root@RHEL03 ~] ls -Z /var/ftp/
drwxr-xr-x root root system_u:object_r:public_content_t pub
To change the context, use the chcon command. To make the changes recursively use with the -R switch. Change the user and type contexts to match /var/ftp folder using the chcon command.
[root@RHEL03 ~] chcon -R -u user_u -t public_content_rw_t /ftp
restorecon
Sets the security context of one or more files by marking the extended attributes with the appropriate file or security context.
[root@RHEL03 ~]# restorecon -F -R /ftp
fixfiles
Checks or corrects the security context database on the file system.
[root@RHEL04 /]# fixfiles -l /root/fixchek.txt relabel
getsebool
get SELinux boolean value(s)
[root@RHEL01 ~]# getsebool –a
setsebool
setsebool is used to toggle policy booleans on or off.
[root@RHEL01 ~]# setsebool httpd_can_network_connect=on
Note: If you want the Boolean values to be persistant, use the -P option along with setsebool command. The –P option will make pending values be written to the policy file on disk.
