
Important Security-enhanced Linux (SELinux) commands

getenforce

To see the current SELinux mode, run the “getenforce” command.

# getenforce
Enforcing

sestatus

For more detailed SELinux information, use the “sestatus” or “sestatus -v” command.

# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

setenforce

The current SELinux mode can be changed with the “setenforce” command, as shown below. The change applies to the running system only; the mode from the config file is used again at the next boot.

# setenforce enforcing
# setenforce permissive
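
The runtime mode that setenforce changes and the mode from the config file are reported on separate lines by sestatus. As an added example (not from the original page), the shell function below parses sestatus output and flags a system that is not enforcing or whose runtime mode differs from the config file. The function name audit_sestatus and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit sestatus output for a weak or drifted SELinux mode.
# audit_sestatus (hypothetical name) reads sestatus text on stdin, prints
# findings, and returns 0 only if SELinux is enabled and enforcing both at
# runtime and in the config file.
audit_sestatus() {
    awk -F': *' '
        { sub(/[ \t\r]+$/, "", $2) }
        $1 == "SELinux status"        { status  = $2 }
        $1 == "Current mode"          { current = $2 }
        $1 == "Mode from config file" { config  = $2 }
        END {
            rc = 0
            if (status != "enabled") {
                print "FAIL: SELinux status is " (status == "" ? "unknown" : status)
                rc = 1
            } else {
                if (current != "enforcing") {
                    print "FAIL: runtime mode is " current
                    rc = 1
                }
                if (config != "enforcing") {
                    print "FAIL: config file mode is " config
                    rc = 1
                }
                if (current != config)
                    print "WARN: runtime mode differs from config file"
            }
            if (rc == 0) print "OK: enforcing at runtime and in config"
            exit rc
        }'
}

# Constructed sample: config says enforcing, runtime was switched with
# "setenforce permissive".
SAMPLE_DRIFT='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted'

printf '%s\n' "$SAMPLE_DRIFT" | audit_sestatus || echo "audit failed"
# On a live system: sestatus | audit_sestatus
```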

chcon

Applies an SELinux label (security context) to files and directories. If you want to change the context of a file or directory, you can use the "chcon" command. For example, if you configure a non-standard directory for an FTP server, make sure its context matches that of the default FTP directory.

The security context of the standard FTP directory can be viewed with the “ls -Z” command.

# ls -Z /var/ftp/
drwxr-xr-x root root system_u:object_r:public_content_t pub

To change the context, use the chcon command. To apply the change recursively, add the -R switch. Set the user and type fields of the context with chcon, using the context of /var/ftp as the reference.

# chcon -R -u user_u -t public_content_rw_t /ftp

restorecon

Sets the security context of one or more files to the default that the policy defines for their path, by writing that context into the files' extended attributes.

# restorecon -F -R /ftp

fixfiles

Checks or corrects the security context database on the file system.

# fixfiles -l /root/fixchek.txt relabel

getsebool

Gets SELinux boolean value(s). The -a option lists all booleans.

# getsebool -a

setsebool

setsebool is used to toggle policy booleans on or off.

# setsebool httpd_can_network_connect=on

Note: If you want the Boolean values to be persistent, use the -P option with the setsebool command. The -P option writes the pending values to the policy file on disk.
