SELinux (Security Enhanced Linux) is a security protocol for Linux administrators that allows them to acquire more control. The SELinux protocol allows them to enforce the resource policies that represents how much access a program or any user do have. This SELinux is supported by several commands that automates the task of an administrator. In this article, we would provide the explanation and execution of all basic SELinux commands that a regular user may need to know.
What are the basic commands of SELinux?
This section contains the most used and basic commands of SELinux. So, the primary step is to fire up the terminal and start executing these commands.
Check the status of SELinux
Although the SELinux is enabled by default, it is recommended to verify the status to avoid any inconvenience. If the service is disabled or stopped then it would not be possible to use this utility.
– sestatus
The sestatus command of SELinux provides detailed information about the status of SELinux. The command written below will check the status of SELinux.
As it is observed from the output that the SELinux is enabled.
$ sestatus
– getenforce
This command also provides the information about the status; however, its output is just one word and that can be either enforcing or permissive . The default state is enforcing which refers to enabled state and if the output returns permissive that means the service isn’t working. Type the following command to check its status.
Note : The permissive output shows that SELinux is enabled but not enforced by SELinux policy rules. However, enforcing means that SELinux rules are being followed.
$ getenforce
Change the status of SELinux
To change the status of the SELinux, you can exercise the setenforce command.
Note : It is to notice that the setenforce command manipulates the status temporarily. If you want to do it permanently, then you have to access the configuration file of SELinux to make permanent changes.
– setenforce
The setenforce command in SELinux accepts the value 0 or 1.Where 0 refers to permissive mode and 1 changes the current mode to permissive mode.
The command described below changes the status of SELinux to enforcing mode (but temporarily).
$ sudo setenforce 1
And you can change the status to Permissive with the help of following command.
$ sudo setenforce 0
Manage the SELinux Boolean(s)
The Boolean’s associated with SELinux can be managed by two commands. The getsebool command allows you to get all SELinux Boolean at once or one by one. And the setsebool command can be used to set the Boolean of an SELinux. The getsebool command in Linux can be used to get the Boolean associated with SELinux.
– getsebool
To get all the Boolean values in SELinux, the getsebool command is used with -a flag as provided below.
You will observe either on or off values:
$ getsebool -a 
However, you can get the value of a specific Boolean by specifying its name. The commands written below will get the value of one Boolean named allow_kerberos.
$ getsebool allow_kerberos
– setsebool
The setsebool command is used to sets the current state of SELinux Boolean to a given value. This command can also be applied on set of SELinux Boolean.
Let’s say we get the current state of allow_execmod by using getsebool command.
$ getsebool allow_execmod
And we change the current state off to on with the help of setsebool command as provided below.
$ sudo setsebool allow_execmod on
Or you can replace off and on keywords with 0 and 1 respectively to change the state of SELinux Boolean.
Note: Make sure to run setstatus, setsebool, semanage commands using root privileges.
Manage SELinux policy
The semanage command provide an extensive support to manage multiple operations in SELinux. This section contains the examples of few most used semanage commands.
– semanage user
You can list down the current SELinux users with the help of command written below.
$ sudo semanage user -l 
– semanage module
The SELinux modules are manipulated by using semanage module command of semanage tool. Firstly, get the list of modules by using the following command.
$ sudo semanage module -l
You can disable any module using -d flag of this semanage module. To do so, you have to follow the syntax mentioned here:
$ semanage module -d <module-name>To enable it again, the -e option as shown below.
$ semanage module -e <module-name>– semanage port
To get the list of ports of SELinux, the semanage command is used as shown below. The output contains three columns, the first displays the port type, the second column shows the protocol followed by each port and the last columns represents the port numbers.
$ sudo semanage port -l 
You can also create a new port as well. Like, the below-mentioned command adds up a new port with following values.
- port type is represented by t in the command and is assigned a value http_port_t
- The -p flag used here represents the protocol and is set to tcp
- And at the end, port number is specified and is set to 2222.
Whereas the -a flag is used here to direct the command to add new port.
$ sudo semanage port -a -t http_port_t -p tcp 2222
Bonus Tip
Here, we have a bonus tip for you that will surely assist you if you are using SELinux on regular basis. So, let’s get into it,
Change the status of SELinux permanently
In case, if you want to change the status of SELinux permanently then you have to access the config file of SELinux that is placed in /etc/selinux/config. The command written below opens the file in nano editor.
$ sudo nano /etc/selinux/config 
As the file is opened, you will observer a line <SELINUX=permissive>; you have to change the value and replace permissive with disabled or enforcing(whatever state you want). After performing the change, press “Ctrl+S” to save the changes and get out of file by pressing “Ctrl+X“.
To enforce the changes, you must reboot your system. After restart, the status will be turned as provided.
Conclusion
SELinux has extensive list of commands that eases the way of users to get a control over the accessibility of several apps/users. This article lists down the most important SELinux commands that you must need to know. The commands written here can be exercised for several purposes related to SELinux. Like from checking/changing the status of SELinux to manipulating the configuration settings.
TUTORIALS ON LINUX, PROGRAMMING & TECHNOLOGY
