This post shows you how to confirm current SElinux status before you decide to disable SELinux.
SElinux Enforcing vs Permissive
The most burning question usually is: does my RedHat/CentOS Linux enforce SELinux (and prevent some of my applications from running out of the box) or is it in the permissive state (which means it logs security concerns but doesn’t block anything from running).
Answering this is very easy with the help of the getenforce command:
[greys@rhel8 ~]$ getenforce
Enforcing
SElinux status with sestatus
If you’re more curious about the way SELinux is configured, then sestatus command will be much more useful:
[greys@rhel8 ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux.png
SELinux root directory: /etc/selinux.png
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
How to read the sestatus output
Although the output of sestatus is fairly standard, you’ll appreciate how useful it is once you start making changes to your SELinux policies.
Loaded policy name is useful because you can make SELinux load a strict policy as well, and it’s important to understand which one is currently in use.
Current mode: will confirm if SELinux is running in enforcing or permissive mode.
Policy MLS status: must research more! I know MLS is Multi Level Security, but need to understand why it’s separate option here.
Memory protection checking – must come back to this as I’m not finding enough information. This is a flag confirming that SElinux still protects certain memory access syscalls in your Linux.
I'm a principal consultant with Tech Stack Solutions. I help with cloud architectrure, AWS deployments and automated management of Unix/Linux infrastructure. Get in touch!
SELinux
