Checking SELinux status confirms whether mandatory access control is actively protecting a system or silently turned off. A quick check avoids confusion when access is denied or allowed unexpectedly and helps align kernel enforcement with security policy expectations.
On Linux systems with SELinux enabled, the kernel consults a loaded policy to decide whether each operation is allowed. Commands such as getenforce and sestatus query this live state, while the /etc/selinux/config file defines the mode that applies when the system boots.
Runtime mode, boot-time configuration, and actual security labels can drift apart after changes or troubleshooting. Verifying all three in a controlled way avoids surprises after reboot and reduces the risk of accidentally operating with SELinux disabled on production systems.
Steps to check SELinux status:
- Check the current SELinux enforcement mode from the running kernel.
```
$ getenforce
Enforcing
```
The getenforce command returns one of three values: Enforcing (policy rules are applied and violations are blocked), Permissive (policy rules are evaluated and violations are logged but not blocked), or Disabled (SELinux is not active).
- Display detailed SELinux status information for the running system.
```
$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      33
```
Output from sestatus shows whether SELinux support is compiled into the kernel, which policy is loaded, and whether the current mode matches the mode requested in the configuration file.
- Inspect the configured SELinux mode that will apply after the next reboot.
```
$ grep ^SELINUX= /etc/selinux/config
SELINUX=enforcing
```
Values in /etc/selinux/config determine the boot-time mode and typically use enforcing, permissive, or disabled; changing this file without proper planning can leave critical services unprotected or complicate recovery after reboot.
- Verify that SELinux labels are present on running processes, which confirms the policy is actively applied when status reports it as enabled.
```
$ ps -eZ | head
LABEL                           PID TTY          TIME CMD
system_u:system_r:init_t:s0       1 ?        00:00:03 systemd
system_u:system_r:kernel_t:s0     2 ?        00:00:00 kthreadd
##### snipped #####
```
Presence of security labels such as system_u:system_r:init_t:s0 indicates that the SELinux policy engine is labeling processes, which aligns with getenforce and sestatus reporting that enforcement is enabled.
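The four checks above can be combined into one script that reads the runtime mode, the boot-time mode from /etc/selinux/config, and the process labels, and then flags any mismatch between them. The following is an added example written for this page, not a script from the original article or from the SELinux project; the function names and the ok / drift / unprotected classification are this example's own, and the config path argument is optional so the parser can be exercised on a copied config file.

```shell
#!/bin/sh
# Added example: compare the live SELinux mode with the boot-time mode and
# count labelled processes, so runtime/config drift is caught before a reboot.
# Function names and the ok/drift/unprotected classification are this
# example's own convention, not part of any SELinux tool.

# Lower-case a mode string so "Enforcing" and "enforcing" compare equal.
normalize_mode() {
    echo "$1" | tr '[:upper:]' '[:lower:]'
}

# Extract the SELINUX= value from the config file given as $1
# (default /etc/selinux/config). Commented lines are ignored, surrounding
# whitespace is tolerated, and the last assignment wins, as a shell would
# treat it. Prints "unknown" if no value is set or the file is unreadable.
config_mode() {
    file="${1:-/etc/selinux/config}"
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$file" 2>/dev/null | tail -n 1)
    if [ -n "$mode" ]; then
        normalize_mode "$mode"
    else
        echo unknown
    fi
}

# Current kernel mode: getenforce when available, otherwise the selinuxfs
# enforce flag; no selinuxfs at all means SELinux is disabled.
runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        normalize_mode "$(getenforce)"
    elif [ -r /sys/fs/selinux/enforce ]; then
        case "$(cat /sys/fs/selinux/enforce)" in
            1) echo enforcing ;;
            0) echo permissive ;;
            *) echo unknown ;;
        esac
    else
        echo disabled
    fi
}

# Compare runtime ($1) and configured ($2) modes. Prints one of:
#   ok           both agree
#   drift        they differ, so the mode will change at the next reboot
#   unprotected  the host is configured to enforce but is not enforcing now
classify() {
    runtime=$(normalize_mode "$1")
    configured=$(normalize_mode "$2")
    if [ "$runtime" = "$configured" ]; then
        echo ok
    elif [ "$configured" = enforcing ]; then
        echo unprotected
    else
        echo drift
    fi
}

# Succeeds if $1 has the user:role:type[:level] shape of an SELinux context as
# printed by ps -eZ; a bare "-" (no label) fails.
is_selinux_label() {
    echo "$1" | grep -Eq '^[A-Za-z0-9_.]+:[A-Za-z0-9_.]+:[A-Za-z0-9_.]+(:[^ ]+)?$'
}

# Report for the host this script runs on.
live_report() {
    rt=$(runtime_mode)
    cf=$(config_mode)
    echo "runtime mode:      $rt"
    echo "configured mode:   $cf"
    echo "assessment:        $(classify "$rt" "$cf")"
    if command -v ps >/dev/null 2>&1; then
        # Count ps -eZ rows whose LABEL column contains a colon, i.e. a real context.
        n=$(ps -eZ 2>/dev/null | awk 'NR > 1 && $1 ~ /:/ { c++ } END { print c + 0 }')
        echo "labeled processes: $n"
    fi
}

live_report
```

An "unprotected" result is the case the article warns about: the config file still says enforcing, but someone ran setenforce 0 during troubleshooting and never switched back. A "drift" result with runtime enforcing and config permissive or disabled is the quieter failure, since the host looks fine until the next reboot.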
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
