Understanding SELinux, Part 1

Enabling SELinux

Before beginning to explore SElinux, we need to enable it in the system. I use Red Hat Enterprise Linux 5 on my desktop, though the concepts and most of the commands would be the same on other flavours as well.

First, check whether SELinux is enabled on your system—as root, run the following command:

[root@vbg ~]# sestatus

If your output is:

SELinux status:              disabled

…then you will have to enable SELinux on your server, as it is currently disabled.

Else, SELinux should be enabled in your system and the output will state so. We will explore the meaning of this output in the next part of this series.

To enable SELinux, edit the /etc/sysconfig/selinux file. Initiate SELinux in ‘permissive’ mode:


And use the default targeted policy for SElinux rules:


Once you set these values, save the file and reboot your system.

File relabelling

Once you have enabled SELinux in your system, you will notice that on the next reboot, all files in your system will be labelled. Labelling for files is akin to applying Extended Attributes required by SELinux to your ext2/ext3 filesystem. This process may take some time, so be patient and let the complete reboot occur.

Checking Security Contexts

Upon reboot, log in to your shell and issue the ls command. Did you see any extended attributes? I doubt it. To see the Security Context of files and directories, use ls -Z. You will see an output similar to the one below, containing the extended attributes:

[vbg@vbg selinux]$ ls -lZ
-rw-rw-r-- vbg vbg user_u:object_r:user_home_t:s0 scratch-pad
-rw-rw-r-- vbg vbg user_u:object_r:user_home_t:s0 series-definition
-rw-rw-r-- vbg vbg user_u:object_r:user_home_t:s0 series-of-articles
-rw-rw-r-- vbg vbg user_u:object_r:user_home_t:s0 The-Art-Of-Guard.vbg

You can now see the Security Context of all files/folders in your system. In the above snippet, for the file scratch-pad, the DAC related attributes are: owner (vbg), group (vbg), and permissions (664); while the MAC related Extended Attributes (xattrs) that define the Security Context are: user_u:object_r:user_home_t:s0. The fourth attribute in the Security Context defines the sensitivity. We will discuss this fourth attribute in the later part of the series.

To check the ID of the logged in user, issue the command id -Z:

[vbg@vbg selinux]$ id -Z

The id command also gives the UID/GID of the user:

[vbg@vbg selinux]$ id
uid=500(vbg) gid=500(vbg) groups=500(vbg) context=user_u:system_r:unconfined_t:s0

To see a list of processes (subjects) with their security contexts, issue the ps auxZ command:

[vbg@vbg selinux]$ ps auxZ
user_u:system_r:unconfined_t:s0  3543 ?        Ss     0:01 /usr/bin/perl -T -w /usr/bin/spamd --socketpath /home/vbg/.evolu
user_u:system_r:unconfined_t:s0  3546 ?        S      0:02 spamd child
user_u:system_r:unconfined_t:s0  3730 pts/3    Ss     0:00 /bin/bash
user_u:system_r:unconfined_t:s0  3760 ?        S      0:00 knotify [kdeinit]
user_u:system_r:unconfined_t:s0  3762 pts/3    S+     0:02 vim The-Art-Of-Guard.vbg
user_u:system_r:httpd_t:s0      root      4227 41.0  1.4  42376 29216 pts/2    R+   14:46   0:01 /usr/sbin/httpd

Please note that each process has been assigned a Security Context. Do also note the type assigned to these subjects.

Try out the above introductory commands in SELinux. Explore… there is a wealth of information available on SELinux on the Web. Do not enforce a Strict Policy while you are not too sure about SELinux Policies, which we will cover in detail in the coming issues. If you end up in a state that your system will not boot satisfactorily or if you would simply like to disable SELinux at boot time, press e on your Grub screen to edit the boot sequence when rebooting. Edit the default kernel booting parameters by appending selinux=0 at the end of the line and continue to boot. This will temporarily disable SELinux and you will be back to traditional DAC security.

Pages: 1 2 3


  1. shekhar sharma says:

    its amazing thanks for providing such a information………..

  2. Pawan says:

    Hi Sir,

    Thanks for such a great article,

    just to add on

    Selinux could also be enabled using file in ll /etc/selinux/config, the content of the file look similar to the /etc/sysconfig/selinux

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    # enforcing – SELinux security policy is enforced.
    # permissive – SELinux prints warnings instead of enforcing.
    # disabled – No SELinux policy is loaded.
    # SELINUXTYPE= can take one of these two values:
    # targeted – Targeted processes are protected,
    # minimum – Modification of targeted policy. Only selected processes are protected.
    # mls – Multi Level Security protection.

    However enabling SELINUX using this need a reload of the kernel and would not take effect until a reboot (Corrections are welcome)

    We could enable the selinux on the fly by amending files in its /proc like system, It may vary from distribution to distribution, the best way to find it

    [pawan@localhost PAWAN]$ sestatus
    SELinux status: enabled

    *** SELinuxfs mount: /sys/fs/selinux ****

    SELinux root directory: /etc/selinux
    Loaded policy name: targeted
    Current mode: enforcing
    Mode from config file: disabled
    Policy MLS status: enabled
    Policy deny_unknown status: allowed
    Max kernel policy version: 28

    The one highlighted with **** is the area of interest

    if you do a

    [pawan@localhost PAWAN]$ ll /sys/fs/selinux

    -rw-r–r–. 1 root root 0 Oct 1 09:59 enforce
    –w——-. 1 root root 0 Oct 1 09:59 disable

    You will a lot of file and dir, my area of interest is the enforce file

    just do

    [pawan@localhost PAWAN]$ sudo echo 1 > /sys/fs/selinux/enforce

    you need be root or need to elevate your privileges

    you are done it will do the trick, SELINUX is enabled to enforcing mode.


  1. Starting with Linux - [...] visit, or staying away from bad guys. And if you really got paranoid, you could lock yourself in a …

Leave a Reply

Your email address will not be published. Required fields are marked *