Checking SELinux status confirms whether mandatory access control is actively protecting a system or silently turned off. A quick check avoids confusion when access is denied or allowed unexpectedly and helps align kernel enforcement with security policy expectations.
On Linux systems with SELinux enabled, the kernel consults a loaded policy to decide whether each operation is allowed. Commands such as getenforce and sestatus query this live state, while the /etc/selinux/config file defines the mode that applies when the system boots.
Runtime mode, boot-time configuration, and actual security labels can drift apart after changes or troubleshooting. Verifying all three in a controlled way avoids surprises after reboot and reduces the risk of accidentally operating with SELinux disabled on production systems.
Steps to check SELinux status:
- Check the current SELinux enforcement mode from the running kernel.
    $ getenforce
    Disabled
The getenforce command returns one of three values: Enforcing (policy rules are applied and violations are blocked), Permissive (policy rules are evaluated but violations are only logged), or Disabled (SELinux is not active).
- Display detailed SELinux status information for the running system.
    $ sestatus
    SELinux status:                 disabled
Output from sestatus shows whether SELinux support is compiled into the kernel, which policy is loaded, and whether the current mode matches the mode requested in the configuration file.
- Inspect the configured SELinux mode that will apply after the next reboot.
    $ grep ^SELINUX= /etc/selinux/config
    SELINUX=permissive
Values in /etc/selinux/config determine the boot-time mode and typically use enforcing, permissive, or disabled; changing this file without proper planning can leave critical services unprotected or complicate recovery after reboot.
- Verify that SELinux labels are present on running processes to confirm active policy enforcement when status reports enabled.
    $ ps -eZ | head
    LABEL     PID TTY          TIME CMD
    -           1 ?        00:00:05 systemd
    -          23 ?        00:00:00 systemd-journal
    -         171 ?        00:00:02 dbus-daemon
    -        1426 ?        00:00:03 systemd-timesyn
    -        3365 ?        00:00:00 rsyslogd
    -        3846 ?        00:00:00 sshd
    -        7319 ?        00:00:00 cron
    -       15262 ?        00:00:00 systemd-logind
    -       21562 ?        00:00:00 tinyproxy
Presence of security labels such as system_u:system_r:init_t:s0 indicates that the SELinux policy engine is labeling processes, which aligns with getenforce and sestatus reporting that enforcement is enabled. A bare - in the LABEL column, as in the sample output above, means the processes carry no SELinux context, which matches getenforce reporting Disabled.
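The checks above can be combined into a single comparison that flags drift between runtime mode, boot-time configuration, and process labels. The script below is an added example, not part of the original guide; the function names (configured_mode, labeled_count, assess) and the result strings (consistent, drift, label-mismatch) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: cross-check runtime mode, boot-time config and process labels.
# Function names and result strings are illustrative, not a standard tool.

# Print the SELINUX= value from a config file in lower case ("unknown" if absent).
configured_mode() {
    val=$(sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${val:-unknown}" | tr '[:upper:]' '[:lower:]'
}

# Read `ps -eZ` output on stdin; count processes whose LABEL is a real context, not "-".
labeled_count() {
    awk 'NR > 1 && $1 ~ /:/ { n++ } END { print n + 0 }'
}

# $1 = getenforce output, $2 = configured mode, $3 = labeled process count.
assess() {
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    if [ "$runtime" = "disabled" ] && [ "$3" -gt 0 ]; then
        echo "label-mismatch"      # labels present although SELinux reports disabled
    elif [ "$runtime" != "disabled" ] && [ "$3" -eq 0 ]; then
        echo "label-mismatch"      # SELinux reports enabled but nothing is labeled
    elif [ "$runtime" != "$2" ]; then
        echo "drift"               # the next reboot will change the mode
    else
        echo "consistent"
    fi
}

# Live check; only runs where the SELinux userland tools are installed.
if command -v getenforce >/dev/null 2>&1; then
    run=$(getenforce)
    cfg=$(configured_mode /etc/selinux/config)
    cnt=$(ps -eZ | labeled_count)
    echo "runtime=$run configured=$cfg labeled=$cnt result=$(assess "$run" "$cfg" "$cnt")"
fi
```

Fed the sample values from this guide (Disabled at runtime, permissive in the config file, no labeled processes), assess reports drift: the mode will change at the next reboot.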
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
