Linux Commands

Basic SELinux Commands

There are certain commands worth mentioning that can help you interact easily with SELinux. In this article, we will cover some of the most fundamental SELinux commands.

Note: All the commands stated below have been executed in CentOS 8. However, if you want to use any other distribution of Linux, then you can also do it very conveniently.

Basic SELinux Commands

There are some basic commands that are very frequently used with SELinux. In the following sections, we will first state each command, then we will provide examples to show you how to use each command.

Checking SELinux Status

After launching the terminal in CentOS 8, suppose we would like to examine the status of SELinux, i.e., we would like to determine whether SELinux is enabled in CentOS 8. We can view the status of SELinux in CentOS 8 by executing the following command in the terminal:

$ sestatus

Running this command will tell us whether SELinux is enabled in CentOS 8. SELinux is enabled in our system, and you can see this status highlighted in the image below:

Changing SELinux Status

SELinux is always enabled by default in Linux-based systems. However, if you feel like turning SELinux off or disabling it, then you can do this by tweaking the SELinux configuration file in the following manner:

$ sudo nano /etc/selinux/config

When this command is executed, the SELinux configuration file will open with the nano editor, as shown in the image below:

Now, you need to find out the SELinux variable in this file and change its value from “Enforcing” to “Disabled,” After that, press Ctrl+ X to save your SELinux configuration file and get back to the terminal.

When you check the status of SELinux again by running the “sestatus” command above, the status in the configuration file will change to “Disabled,” whereas the current status will still be “Enabled,” as highlighted in the following image:

Therefore, to put your changes into full effect, you will need to reboot your CentOS 8 system by running the following command:

$ sudo shutdown –r now

After rebooting your system, when you check the status of SELinux again, SELinux will be disabled.

Checking SELinux Mode of Operation

SELinux is enabled by default and works in the “Enforcing” mode, which is its default mode. You can determine this by running the “sestatus” command or by opening the SELinux configuration file. This can also be verified by running the command below:

$ getenforce

After executing the above command, you will see that SELinux is operating in the “Enforcing” mode:

Changing SELinux Mode of Operation

You can always change the default mode of operation of SELinux from “Enforcing” to “Permissive.” To do this, you need to use the “setenforce” command in the following manner:

$ sudo setenforce 0

When used with the “setenforce” command, the “0” flag changes the mode of SELinux from “Enforcing” to “Permissive.” You can verify whether the default mode has been changed by running the “getenforce” command again, and you will see that the SELinux mode has been set to “Permissive,” as highlighted in the image below:

Viewing SELinux Policy Modules

You can also view SELinux policy modules that are currently running on your CentOS 8 system. The policy modules of SELinux can be viewed by running the following command in the terminal:

$ sudo semodule –l

Executing this command will display all currently running SELinux policy modules in your terminal, as shown in the image below. To access the entire list, you can scroll up or down.

Generating SELinux Audit Log Report

At any point in time, you can generate a report from your SELinux audit logs. This report will contain all information regarding any potential event that has been blocked by SELinux and also how you can allow the blocked event(s) if needed. This report can be generated by running the following command in the terminal:

$ sudo sealert –a /var/log/audit/audit.log

In our case, since there was no suspicious activity taking place, that is why our report was very precise and did not generate any alerts, as shown in the image below:

Viewing and Changing SELinux Boolean

There are certain variables of SELinux whose value can either be “on” or “off.” Such variables are known as SELinux Boolean. To view all the SELinux Boolean variables, use the “getsebool” command in the following manner:

$ sudo getsebool –a

Executing this command will display a long list of all the variables of SELinux whose value can either be “on” or “off,” as shown in the image below:

The best thing about SELinux Boolean is that even after changing the values of these variables, you do not need to restart your SELinux mechanism; rather, these changes take effect immediately and automatically.

Now, we would like to show you the method of changing the value of any SELinux Boolean variable. We have already selected a variable, as highlighted in the image shown above, whose value is currently “off.” We can toggle this value to “on” by running the following command in our terminal:

$ sudo setsebool –P xen_use_nfs ON

Here, you may replace xen_use_nfs with any SELinux Boolean of your choice whose value you wish to change.

After running the above command, when you run the “getsebool” command again to view all the SELinux Boolean variables, you will be able to see that the value of xen_use_nfs has been set to “on,” as highlighted in the image below:

Conclusion

In this article, we discussed all the basic SELinux commands in CentOS 8. These commands are used quite often while interacting with this security mechanism of SELinux. Therefore, these commands are considered extremely helpful.

About the author

Aqsa Yasin

I am a self-motivated information technology professional with a passion for writing. I am a technical writer and love to write for all Linux flavors and Windows.