Question : How to Check whether SELinux is Enabled or Disabled
SELinux gives that extra layer of security to the resources in the system. It provides the MAC (mandatory access control) as contrary to the DAC (Discretionary access control). Before we dive into setting the SELinux modes, let us see what are the different SELinux modes of operation and how do they work. SELinux can operate in any of the 3 modes :
1. Enforced : Actions contrary to the policy are blocked and a corresponding event is logged in the audit log.
2. Permissive : Permissive mode loads the SELinux software, but doesn’t enforce the rules, only logging is performed.
3. Disabled : The SELinux is disabled entirely.
Check the SELinux status
use this command to check current status:
# getenforce Permissive
The output will be either of the 3 options described above. For more verbose (in the case of permissive), use:
# sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: permissive Mode from config file: permissive Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28
To programmatically check the status as a true/false, one way could be:
# selinuxenabled if [ $? -ne 0 ] then echo "DISABLED" else echo "ENABLED" fi
This will return ENABLED or DISABLED.