50.2. Administrator Control of SELinux
In addition to the tasks often performed by users in Section 50.1, “End User Control of SELinux”, SELinux administrators could be expected to perform a number of additional tasks. These tasks typically require root access to the system. Such tasks are significantly easier under the targeted policy. For example, there is no need to consider adding, editing, or deleting Linux users from the SELinux users, nor do you need to consider roles.
This section covers the types of tasks required of an administrator who maintains Red Hat Enterprise Linux running SELinux.
50.2.1. Viewing the Status of SELinux
The sestatus command provides a configurable view into the status of SELinux. The simplest form of this command shows the following information:

    sestatus
    SELinux status: enabled
    SELinuxfs mount: /selinux
    Current mode: enforcing
    Mode from config file: enforcing
    Policy version: 21
    Policy from config file: targeted
The -v option includes information about the security contexts of a series of files that are specified in

    sestatus -v
    SELinux status: enabled
    SELinuxfs mount: /selinux
    Current mode: enforcing
    Mode from config file: enforcing
    Policy version: 21
    Policy from config file: targeted
    Process contexts:
    Current context: user_u:system_r:unconfined_t
    Init context: system_u:system_r:init_t
    /sbin/mingetty system_u:system_r:getty_t
    /usr/sbin/sshd system_u:system_r:unconfined_t:s0-s0:c0.c1023
    File contexts:
    Controlling term: user_u:object_r:devpts_t
    /etc/passwd system_u:object_r:etc_t
    /etc/shadow system_u:object_r:shadow_t
    /bin/bash system_u:object_r:shell_exec_t
    /bin/login system_u:object_r:login_exec_t
    /bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
    /sbin/agetty system_u:object_r:getty_exec_t
    /sbin/init system_u:object_r:init_exec_t
    /sbin/mingetty system_u:object_r:getty_exec_t
    /usr/sbin/sshd system_u:object_r:sshd_exec_t
    /lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t
    /lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t
The -b option displays the current state of booleans. You can use this in combination with grep or other tools to determine the status of particular booleans:

    sestatus -b | grep httpd | grep on$
    httpd_builtin_scripting on
    httpd_disable_trans on
    httpd_enable_cgi on
    httpd_enable_homedirs on
    httpd_unified on
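The sestatus fields shown above can be checked from a script, for example to flag a host whose running mode no longer matches its configuration file. The following is an added example, not part of the original documentation; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit sestatus output for a weakened SELinux state.
# Function names and sample data are constructed for this illustration.

# selinux_field NAME: print the value of the "NAME:" line from stdin.
selinux_field() {
    awk -v key="$1" 'index($0, key ":") == 1 {
        sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# audit_selinux: read plain `sestatus` output on stdin, print findings,
# return 0 only if SELinux is enabled and enforcing now and after reboot.
audit_selinux() {
    report=$(cat)
    status=$(printf '%s\n' "$report" | selinux_field "SELinux status")
    current=$(printf '%s\n' "$report" | selinux_field "Current mode")
    config=$(printf '%s\n' "$report" | selinux_field "Mode from config file")
    if [ "$status" != "enabled" ]; then
        echo "FAIL: SELinux status is '${status:-unknown}'"
        return 1
    fi
    rc=0
    if [ "$current" != "enforcing" ]; then
        echo "FAIL: current mode is '${current:-unknown}'"; rc=1
    fi
    if [ "$config" != "enforcing" ]; then
        echo "FAIL: config file mode is '${config:-unknown}'"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: enforcing now and in config file"; fi
    return "$rc"
}

# enabled_booleans PREFIX: from `sestatus -b` output on stdin, print the
# names of booleans starting with PREFIX whose state is "on".
enabled_booleans() {
    awk -v p="$1" 'NF == 2 && index($1, p) == 1 && $2 == "on" { print $1 }'
}

# Constructed sample: runtime mode switched to permissive, config unchanged.
SAMPLE_DRIFT='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted'

printf '%s\n' "$SAMPLE_DRIFT" | audit_selinux || echo "audit exit status: 1"
```

On a live system, pipe the real command into the same functions: sestatus | audit_selinux, or sestatus -b | enabled_booleans httpd.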