Determine whether SELinux is enabled

Tested on

Debian (Lenny, Squeeze)

Background

SELinux (Security Enhanced Linux) is a mandatory access control framework that can be used to harden Linux-based systems against internal and external attack. It can, for example, be used to specify which parts of the filesystem are accessible to a daemon such as an HTTP server, so that if an attacker gains control of the daemon then the potential for further harm is limited.

For this to work, SELinux must be configured with a security policy that is well-matched to the legitimate needs of the programs running on the system in question. An over-restrictive policy will cause programs to fail, often without any obvious indication that SELinux is the culprit. For this reason, when attempting to troubleshoot an unfamiliar system it is advisable to check whether SELinux is enabled at an early stage in order to avoid wasted effort.

Method

One way to determine whether SELinux is enabled is by means of the getenforce command:

getenforce

There are three possible results:

Disabled

indicates that SELinux is installed but inactive. It should have no positive or negative effect on the operation of the system while in this mode.

Permissive

indicates that SELinux is active, but will only monitor violations of the security policy and not intervene to prevent them. You may observe some additional log messages while in this mode, and the bootstrap process will be lengthened if it is necessary to relabel the filesystem, but otherwise it should have little or no impact on the behaviour of the system. This mode would normally be used to facilitate the initial configuration of SELinux; however, there is no reason why it could not be left this way if the objective is auditing rather than hardening.

Enforcing

indicates that SELinux is active and configured to prevent violations of the security policy. This is the mode used to harden a system once the initial configuration has been completed. As such, it will cause programs to fail if the security policy is too restrictive.

Alternatives

Using the sestatus command

It is possible to obtain the same information and more using the sestatus command:

sestatus

Using this method, the status of SELinux (whether it is enabled or disabled) is reported separately from its mode (permissive or enforcing):

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
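
Because sestatus reports the current mode separately from the mode in the config file, a script can reduce its output to a single line and point out when the two differ. The following is an added example, not part of the original page; the function names and the second sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise sestatus output and flag runtime/config drift.

# Print the value of one "Key:   value" line from sestatus output on stdin.
sestatus_field() {
    awk -F: -v key="$1" '$1 == key {
        gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }'
}

# Reduce sestatus output (passed as $1) to a one-line summary.
selinux_summary() {
    st=$(printf '%s\n' "$1" | sestatus_field "SELinux status")
    cur=$(printf '%s\n' "$1" | sestatus_field "Current mode")
    cfg=$(printf '%s\n' "$1" | sestatus_field "Mode from config file")
    if [ -z "$st" ]; then
        echo "unknown"            # no recognisable sestatus output
    elif [ "$st" != "enabled" ]; then
        echo "disabled"
    elif [ "$cur" != "$cfg" ]; then
        echo "$cur (config file says $cfg)"   # running mode differs from config
    else
        echo "$cur"
    fi
}

# Sample copied from the sestatus output shown on this page.
SAMPLE_PAGE='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted'

# Constructed sample: running permissive while the config file says enforcing.
SAMPLE_DRIFT='SELinux status:                 enabled
Current mode:                   permissive
Mode from config file:          enforcing'

selinux_summary "$SAMPLE_PAGE"
selinux_summary "$SAMPLE_DRIFT"

# On a live system: selinux_summary "$(sestatus 2>/dev/null)"
```

A summary that names both modes means the system will come up in a different mode after the next reboot than the one it is running in now, which is worth knowing before drawing conclusions from a troubleshooting session.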
