The “sestatus” Command in Linux [4 Practical Examples]

The sestatus command in Linux shows the information on SELinux (Security-Enhanced Linux). SELinux is a Linux kernel security module that allows an administrator to have more control over processes, applications, and files on a system. Thus an administrator can easily control who can access the system. SELinux enforces a security policy that defines access to different system objects. The information, provided by the sestatus command in Linux, contains SELinux status, mode, process context, file context etc. In this article, I will show how to install and use the sestatus command in Linux with some practical examples.

A. Description

SELinux was first developed by NSA (U.S. National Security Agency). Now it is integrated with the kernel of some popular distributions (RHEL for instance). SELinux enforces security policies which are nothing but a set of rules. Those rules define which can or can’t be accessed. And by the sestatus command in Linux, anyone can view information regarding SELinux which can help him to solve any issue and check whether SELinux is working correctly.

B. Syntax

The sestatus command in Linux doesn’t take any argument. Its syntax goes like following:

sestatus [OPTION]...
Note: The OPTION in the square brackets (“[]”), followed by three dots, denotes that you can provide multiple options at the same time.

C. Options

The sestatus command in Linux doesn’t have a lot options. You can check the options by using the command below:

man sestatus

Here I will list the options available in the sestatus command in Linux below:

Useful Options

  • -v, enables verbose mode.
  • -b, shows policy booleans.
Note: The options in Linux CLI(Command Line Interface) are all case-sensitive, so you should be careful while using them.

Install and Enable SELinux in Ubuntu

SELinux doesn’t come in Ubuntu by default. Ubuntu uses its own mandatory access control system (MAC) which is called AppArmor. However, you can install and enable SELinux manually.

Warning: Enabling SELinux may harm your system, even break it!! So proceed very cautiously.

Now to install and enable SELinux in your Ubuntu, do the following:

❶ At first, launch an Ubuntu Terminal.

❷ Paste the following command in the Terminal to install SELinux and hit ENTER:

sudo apt-get install selinux-basics
Note: If this step doesn’t work, try updating your system first by the following command and follow step 2 again:
sudo apt-get update

❸ Provide a password if necessary and press ENTER again.

You will get an output like this. If you see the “Do you want to continue” message, type “Y” from the keyboard. The installation time may vary depending on your internet speed.Installing SELinux❹ Now to activate SELinux, insert the command below and press ENTER:

sudo selinux-activate

At first, you will see “Activating SE Linux”. Give it some time. Finally, you will see “SE Linux is activated. You may need to reboot now.Activiting SELinuxReboot your system by executing the following command:

sudo reboot

After pressing ENTER, your system will be restarted and SELinux policies will start to take effect. However, you won’t be able to check its status. You will need the sestatus command for that, which you will install in the next part.

Install the “sestatus” Command in Linux

Now I will install the sestatus command in Linux. It is a simple three-step process. To install the sestatus command, follow the steps below:

❶ Open a Terminal in Ubuntu at first.

❷ Write the following command in the command prompt:

sudo apt-get install policycoreutils

❸ Now go press the ENTER key from your keyboard.

You should get an output like this. The installation process will be completed within a short time.Installing the sestatus command in Linux

Practical Examples of the “sestatus” Command in Linux

In this section, I will provide some practical examples of the sestatus command in Linux. Also, you will learn how to use options in the sestatus command.

Example 1: Check SELinux Status Using the “sestatus” Command in Linux

At the beginning, I will check the SELinux status. This way you can see whether SELinux is enabled or not and its current mode. To check SELinux status, follow the steps below:

Steps to Follow >

➊ First, press CTRL + ALT + T, to open an Ubuntu Terminal.

➋ Then, type the following command in the command prompt:

sestatus

➌ Now, press the ENTER button.

Output >

As you can see, SELinux is enabled in my system and the current mode is permissive. It is also showing information on the SELinux mount, root directory, policy name, policy version etc.Using the sestatus command in Linux


Similar Readings


Example 2: Enable Verbose Mode

If you want to get more detailed information, then you need to enable verbose mode in the sestatus command in Linux. The sestatus command provides an option -v” for that purpose. To enable verbose mode, do the following:

Steps to Follow >

➊ Atfirst, launch a Terminal in Ubuntu first.

➋ Then, copy the following command to enable verbose mode:

sestatus -v

➌ Now, hit the ENTER key on your keyboard.

Output >

The beginning of the output is similar to Example 1. However, there is additional information here. Process context defines the security and permissions of a process. It has four components- User Identity, Role, Type and Level. Moreover, file context denotes the security and permissions of a file. It has four components as well- User Identity, Role, Type and Level.

A. Process context

  • User Identity: Users and groups associated with a process.
  • Role: Denotes whether a process is an application or a system process.
  • Type: Defines security attributes like it has access to what kind of files, directories, network connection etc.
  • Level: Denotes the level of sensitivity of a process.

B. File context

  • User Identity: Users and groups associated with a file.
  • Role: Denotes whether a file is a userlever or system object.
  • Type: Defines attributes and permissions associated with a file
  • Level: Denotes the level of sensitivity of a process.

For instance, in the output, there is a process context named “Init context” and it goes like following:

system_u:system_r:init_t:s0

Here, “system_u” is User Identity, “system_r” is the Role, “init_r” is Type, and “s0” is the Level.

Moreover, there is a file context named “/etc/passwdfile context and it goes like the following:

system_u:object_r:etc_t:s0

Here, “system_u” is User Identity, “object_r” is Role, “etc_t” is Type, and  “s0” denotes Level.Verbose mode in the sestatus command in Linux

Example 3: Check Current Status in Booleans Using the “sestatus” Command in Linux

The sestatus command in Linux has an option -b” and it shows “Policy booleans”. Policy booleans are some variables in simple on or off form which is used to change the SELinux policies. There are quite manageable and a system administrator can customize the SELinux policies very easily. Now to check the status in booleans, do the following:

Steps to Follow >

➊ First, open a Terminal in Ubuntu.

➋ Then, insert the following command in the Terminal:

sestatus -b

➌ Finally, find the ENTER button on your keyboard and hit it.

Output >

The first part of the output is similar to Example 1. However, in the next part,  there is a long list of all the policy booleans. You need to scroll down to see them all. I only posted the first image here.Boolean output in the sestatus command in Linux

Example 4: Disable SELinux in Ubuntu

SELinux has is three modesenforcing, permissive, and disabled. Enforcing mode enforces all the security policies of SELinux and every application and process are required to follow int. However, if your system has another access control system, you can’t enable enforcing mode. For instance, Ubuntu has AppArmor installed by default. If you try to enforce SELinux policies it will harm your system. The permissive mode doesn’t enforce SELinux policies but it keeps track of all the policy violations. It is useful for troubleshooting and testing. And the disabled mode completely disables SELinux in a system. In this example, I will disable SELinux in Ubuntu.

Warning: Don’t try to enable enforcing mode in Ubuntu without total precaution.

To disable SELinux, follow the steps below:

Steps to Follow >

➊ First, go to your Ubuntu and open a Terminal.

➋ Copy the following command in the command prompt to open SELinux config file and hit ENTER:

sudo nano /etc/selinux/config

➌ Then, Edit the file like the below:

SELINUX=disabled

❹ Now, press CTRL + O and ENTER to save and CTRL + X to exit.

❺ Finally, insert the following command to reboot and press ENTER:

sudo reboot

Output >

I provided two images to help you with the process. The first image shows opening the config file and rebooting the system.Opening SELinux config fileThis image shows the editing of the config file.Editing SELinux config fileFinally, I executed the following command to check whether SELinux is disabled or not:

sestatus

See, “SELinux status” is showing “disabled”. If you want to go to the permissive mode. Follow all the steps from here. But you need to put “permissive” in place of “disabled”.Showing status of SELinux

Conclusion

The sestatus command in Linux is pretty hard to grasp if you don’t have any prior knowledge of SELinux. In this article, I have tried to build a basic foundation on the sestatus and SELinux. Hopefully, it has helped you.


Similar Readings

5/5 - (2 votes)
LINUX
FUNDAMENTALS
A Complete Guide for Beginners Enroll Course Now
icon linux
Walid Al Asad

Hello Everyone! I am Walid Al Asad. Currently, I am working at a tech company named Softeko as a Linux Content Developer Executive. I live in Dhaka, Bangladesh. I have completed my BSc. in Mechanical Engineering from Bangladesh University of Engineering and Technology (BUET). You can find me on LinkedIn, and ResearchGate. Read Full Bio

Leave a Comment