Overview
sestatus is an essential tool for diagnosing the SELinux configuration and current state of your system. Through this command, you can understand how SELinux contributes to system security and obtain initial information to resolve potential access control issues.
Key Information to Check
When you run the sestatus command, you can check the following key pieces of information:
- SELinux enabled status (enabled/disabled)
- Current SELinux mode (enforcing/permissive/disabled)
- Path to the loaded policy file
- Policy type and version
- Policy load time
Key Options
The sestatus command offers a relatively small number of options, but they are useful for viewing detailed information.
Usage Examples
Demonstrates various ways to check SELinux status using the sestatus command.
Check Basic SELinux Status
sestatus
Outputs basic information including the current enabled status and mode of SELinux.
Check Detailed SELinux Information
sestatus -v
Outputs all detailed SELinux information, including policy file path, policy type, and policy load time.
Installation
The sestatus command is typically included by default in most Linux distributions that use SELinux. However, in some minimal installation environments, additional package installation may be required. It is usually part of the `policycoreutils` or `libselinux-utils` package.
Debian/Ubuntu Based Systems
sudo apt update && sudo apt install selinux-utils
Installs the `selinux-utils` package, which includes the `sestatus` command, on Debian or Ubuntu-based systems.
RHEL/CentOS/Fedora Based Systems
sudo dnf install policycoreutils
Installs the `policycoreutils` package, which includes the `sestatus` command, on RHEL, CentOS, and Fedora-based systems.
Tips & Notes
Tips to help you understand and manage SELinux policies based on the information obtained from the sestatus command.
Interpreting Output
Explanation of the two most important items in the sestatus output.
- SELinux status: `enabled` means SELinux is active, and `disabled` means it is inactive. When `disabled`, SELinux does not function at all.
- Current mode: `enforcing` applies SELinux policies, blocking and logging all violations. `permissive` logs warnings for policy violations but does not block them. `disabled` means SELinux is not operating.
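The interpretation above can be turned into a scripted check. The following is an added example, not part of the original page: it reads `sestatus` output on stdin and classifies it. It also reads the `Mode from config file` line that `sestatus` prints, which this page does not cover, and the exit codes and sample outputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page: classify `sestatus` output on stdin.
# Exit codes are a convention assumed for this example:
#   0 enforcing   1 permissive   2 disabled
#   3 enforcing now, but the config file sets another mode for the next boot
#   4 output not recognised
selinux_posture() {
    awk -F':[ \t]*' '
        $1 == "SELinux status"        { status = $2 }
        $1 == "Current mode"          { mode = $2 }
        $1 == "Mode from config file" { cfg = $2 }
        END {
            if (status == "disabled") { print "FAIL: SELinux is disabled"; exit 2 }
            if (status != "enabled" || mode == "") { print "UNKNOWN: unrecognised output"; exit 4 }
            if (mode == "permissive") { print "WARN: permissive (violations logged, not blocked)"; exit 1 }
            if (mode != "enforcing") { print "UNKNOWN: mode " mode; exit 4 }
            if (cfg != "" && cfg != "enforcing") { print "WARN: enforcing now, config file says " cfg; exit 3 }
            print "OK: enforcing"
        }'
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_OK='SELinux status:                 enabled
Current mode:                   enforcing
Mode from config file:          enforcing'
SAMPLE_PERMISSIVE='SELinux status:                 enabled
Current mode:                   permissive
Mode from config file:          enforcing'
SAMPLE_DRIFT='SELinux status:                 enabled
Current mode:                   enforcing
Mode from config file:          permissive'
SAMPLE_DISABLED='SELinux status:                 disabled'

# Run every sample through the check and show the verdict and exit code.
for s in "$SAMPLE_OK" "$SAMPLE_PERMISSIVE" "$SAMPLE_DRIFT" "$SAMPLE_DISABLED"; do
    printf '%s\n' "$s" | selinux_posture || echo "  (exit code $?)"
done
```

On a live host, pipe the real output into the function: `sestatus | selinux_posture`.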
Checking Logs
If SELinux in `enforcing` mode causes issues, you can check for SELinux-related denial messages in the `/var/log/audit/audit.log` file or using the `journalctl -t audit` command to identify the cause of the problem. These logs provide crucial clues about which process attempted to access which resource when a policy violation occurred.