How do I tell if SELinux is working?

Stephen Smalley sds at tycho.nsa.gov
Thu Jun 23 12:29:07 UTC 2005


On Wed, 2005-06-22 at 17:41 -0400, Jon August wrote:
> I updated the policy after I found that there was a bug with starting
> DHCP and since then I haven't had any issues getting things to work.
> Things like a CGI script running sendmail to send an email - which
> used to show up in the audit log, now work fine.
> 
> What can I do to see if SELinux is still paying attention?

In addition to what others have said, /usr/sbin/sestatus is a tool for
checking the status of SELinux.  sestatus -v also provides further
information based on the contents of /etc/sestatus.conf, so you can
configure it to check the contexts of specific processes and program
files.  Might want to add httpd to that list.  sestatus was contributed
by the Hardened Gentoo folks, specifically Chris PeBenito.

BTW, I've noticed that FC4 systems seem to be losing the type
on /etc/shadow, likely when firstboot creates the first user account.  I
then have to manually restorecon /etc/shadow, because the patched
libraries and utilities are coded to just preserve whatever context is
on the file when they update it, so if the context is ever wrong, it
will remain wrong for subsequent updates.  Possibly they should be using
matchpathcon() instead.

-- 
Stephen Smalley
National Security Agency
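As an added example that is not part of the original thread: a small POSIX shell script doing the two checks the reply describes, reading the enforce flag from selinuxfs and comparing selected files' current contexts with what matchpathcon says the policy expects (the same idea as the /etc/sestatus.conf entries for sestatus -v, and the restorecon fix for /etc/shadow). It assumes GNU stat (for %C) and the matchpathcon and restorecon utilities; the selinuxfs path is a parameter only so the mode check can be exercised against a constructed directory.

```sh
#!/bin/sh
# Added example, not code from the original thread.
# Reports the SELinux mode from selinuxfs and checks that given files carry
# the context the policy expects, as sestatus -v does for /etc/sestatus.conf.

# Print "disabled", "permissive" or "enforcing". $1 is the selinuxfs mount
# point (default /sys/fs/selinux); a parameter so tests can use a constructed dir.
selinux_mode() {
    fs=${1:-/sys/fs/selinux}
    if [ ! -r "$fs/enforce" ]; then
        echo disabled
        return 1
    fi
    case "$(cat "$fs/enforce")" in
        1) echo enforcing ;;
        *) echo permissive ;;
    esac
}

# Compare a file's current label ($2) with the policy's expected label ($3).
# Prints a restorecon hint and returns 1 on mismatch.
check_context() {
    path=$1; actual=$2; expected=$3
    if [ "$actual" = "$expected" ]; then
        echo "ok       $path $actual"
        return 0
    fi
    echo "MISMATCH $path is $actual, policy expects $expected (fix: restorecon -v $path)"
    return 1
}

# Read each path's current context with GNU stat (%C) and the expected one
# with matchpathcon -n; returns the number of mismatching files.
audit_files() {
    bad=0
    for p in "$@"; do
        actual=$(stat -c %C "$p" 2>/dev/null) || { echo "SKIP     $p (cannot stat)"; continue; }
        expected=$(matchpathcon -n "$p" 2>/dev/null) || { echo "SKIP     $p (no matchpathcon)"; continue; }
        check_context "$p" "$actual" "$expected" || bad=$((bad + 1))
    done
    return "$bad"
}

# Stand-alone use: ./selinux_check.sh /etc/shadow /etc/passwd
if [ $# -gt 0 ]; then
    echo "SELinux mode: $(selinux_mode)"
    audit_files "$@"
fi
```

A non-zero exit from audit_files is the number of mislabelled files, so the script can be dropped into a cron job or a post-install check.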
