3.2. SELinux Commands

SELinux includes a variety of specialized commands for its administration and use.

3.2.1. chcon

chcon is used to label a file or files with a specified security context.

3.2.2. checkpolicy

checkpolicy is a tool used to compile policy sources into a binary policy file. Generally it is not called directly, but invoked by the policy's Makefile. See Section 4.4 for more details on compiling SELinux policy.

3.2.3. fixfiles

fixfiles can be used to relabel the entire filesystem based on the current policy, or to relabel a packaged application's files based on the information included in that application's rpm package.

The command touch /.autorelabel can also be used to relabel the entire filesystem upon the next reboot of the system.

3.2.4. getenforce

getenforce returns the current enforcement state of the SELinux system, either permissive or enforcing. The permissive state will log denials but not actually enforce them, which can be very useful during policy development. The normal production state should always be enforcing.

3.2.5. newrole

The newrole command is used to switch roles. Typically the command would be issued as newrole -r sysadm_r to transition to the sysadm_r role for system administration tasks.

3.2.6. restorecon

restorecon is used to relabel selected files back to their default context, as defined in the security policy.

3.2.7. run_init

Rather than starting daemons by running the appropriate script in /etc/init.d, you must use run_init and pass the script path and arguments on its command line. This is required to perform the proper security transitions so that the daemon runs under its proper security context.

3.2.8. sestatus

sestatus displays the current status of SELinux, including the current mode (permissive or enforcing), the policy version, and the settings of all policy booleans.

3.2.9. setenforce

setenforce is used to switch the SELinux mode between enforcing and permissive. Issue setenforce 0 to enter permissive mode, or setenforce 1 to enter enforcing mode.
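The permissive-for-development, enforcing-for-production workflow that the getenforce and setenforce descriptions imply, written out as an added example (not part of the original guide): a POSIX sh helper that runs one test command in permissive mode and always puts the previous mode back, even when the command fails or is interrupted. It assumes getenforce and setenforce are on PATH and that the caller is root.

```shell
# Run one command with SELinux in permissive mode, then restore the mode
# that was in effect before, even if the command fails or is interrupted.
# Assumes getenforce/setenforce are on PATH and the caller is root.

# enforce_flag: print 1 for Enforcing or 0 for Permissive (the argument
# form setenforce accepts); fail for Disabled or unexpected output.
enforce_flag() {
  case "$(getenforce)" in
    Enforcing)  echo 1 ;;
    Permissive) echo 0 ;;
    *)          return 1 ;;
  esac
}

# with_permissive CMD [ARGS...]
# Exit status: CMD's own status; 2 if SELinux is disabled or its state is
# unknown (nothing is changed); 3 if switching to permissive failed.
with_permissive() {
  wp_prev=$(enforce_flag) || return 2
  setenforce 0 || return 3
  # Put the old mode back if we are killed while CMD runs.
  trap 'setenforce "$wp_prev"; exit 130' INT TERM
  "$@"
  wp_rc=$?
  trap - INT TERM
  setenforce "$wp_prev"
  return $wp_rc
}

# Usage (as root): with_permissive sh ./exercise_new_policy.sh
# Denials logged while CMD runs can then be reviewed before going back to
# enforcing, which is the state a production system should stay in.
```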

3.2.10. setsebool

setsebool is used to toggle policy booleans on or off. See Section 4.5 for an explanation of policy booleans.

3.2.11. seuser

seuser is used to create, delete, and modify SELinux users and roles. These are not to be confused with normal Linux user accounts.