Today's article is about checking to see if SELinux is running.

KGIII

Not all distros come with SELinux, but a bunch of 'em do. Those distros tend to be more enterprise-kinda-distros, but not exclusively.


Feedback is pretty awesome.
 


Condobloke

Interesting.

Does it have a logical place in Linux Mint?...recommended ?....necessary ?

Why is it not installed as default?
 
KGIII

You use AppArmor instead, I'm pretty sure. The two do similar things so I don't ever see them mixed together. You find SELinux in the RHEL family and AppArmor in the Ubuntu family - and, I'm pretty sure, derivatives of both.

Hmm... You can check your AppArmor status with 'aa-status', though you may want to use sudo for more information/access. That should at least spit out if it's active or not.
 

Condobloke

Apparently AppArmor is installed and "loaded"...22 profiles loaded, 20 of which are in enforce mode.

I did not know it was on the pc.

I note that SELinux is available via the Software Manager (Linux Mint 20.3)

AppArmor looks like:
[email protected]:~$ aa-status
apparmor module is loaded.
22 profiles are loaded.
20 profiles are in enforce mode.
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/lightdm/lightdm-guest-session
/usr/lib/lightdm/lightdm-guest-session//chromium
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/usr/sbin/tcpdump
/{,usr/}sbin/dhclient
libreoffice-senddoc
libreoffice-soffice//gpg
libreoffice-xpdfimport
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
2 profiles are in complain mode.
libreoffice-oopslash
libreoffice-soffice
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
[email protected]:~$

I also note that in this topic, special mention is made of SELinux & AppArmor

Despite AppArmor being on this pc, it does not show up in Menu as an app
 
KGIII

> Despite AppArmor being on this pc, it does not show up in Menu as an app

I don't think it's supposed to. It's terminal only. Though, I guess you can edit profiles with a plain text editor. But, it's not supposed to appear in the menu.

> I also note that in this topic, special mention is made of SELinux & AppArmor

I'm not sure that that's a beneficial step for OP to take in that thread, but it won't harm anything so long as they turn 'em back on. Even then, you can run without either. As is evidenced by:

> This is what I get. (snipped)

LOL You're quite likely using a distro without either. They do exist. You don't find them in like Puppy (as I recall) or other similar distros. You can probably install one or the other.
 

craigevil

Neither on Raspberry Pi OS, although AppArmor is in the kernel and can be easily enabled by doing:
Add lsm=apparmor to /boot/cmdline.txt
 

Bartman

This is what I get.

Code:
[[email protected] ~]$ getenforce
bash: getenforce: command not found

[[email protected] ~]$ sestatus
bash: sestatus: command not found

[[email protected] ~]$ aa-status
bash: aa-status: command not found

> LOL You're quite likely using a distro without either. They do exist. You don't find them in like Puppy (as I recall) or other similar distros. You can probably install one or the other.

The distro I ran the commands in is PC Linux OS.

I'll run the commands on some other Linux computers and see what they show.

Some commands don't work in PC Linux OS.
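
Added example, not part of any post in this thread: when `getenforce`, `sestatus` and `aa-status` are not installed, as in the output above, the kernel's own interfaces still say whether either module is active. The function name `lsm_status` and its optional ROOT prefix argument are made up for this sketch; it assumes sysfs, securityfs and (for SELinux) selinuxfs are mounted in their usual places.

```shell
#!/bin/sh
# lsm_status [ROOT] - report SELinux/AppArmor state without userland tools.
# ROOT is an illustrative prefix (default: the live system) so the function
# can also be pointed at a copied or constructed /sys tree.
lsm_status() {
    root="${1:-}"
    se_enforce="$root/sys/fs/selinux/enforce"
    aa_enabled="$root/sys/module/apparmor/parameters/enabled"
    lsm_file="$root/sys/kernel/security/lsm"

    # selinuxfs only exists when SELinux is enabled; "enforce" holds 1 or 0.
    selinux="absent"
    if [ -r "$se_enforce" ]; then
        case "$(cat "$se_enforce")" in
            1) selinux="enforcing" ;;
            0) selinux="permissive" ;;
            *) selinux="unknown" ;;
        esac
    fi

    # The AppArmor module exposes Y or N depending on whether it is enabled.
    apparmor="absent"
    if [ -r "$aa_enabled" ]; then
        case "$(cat "$aa_enabled")" in
            Y) apparmor="enabled" ;;
            *) apparmor="disabled" ;;
        esac
    fi

    # Comma-separated list of the security modules the kernel activated at boot.
    active="unknown"
    if [ -r "$lsm_file" ]; then
        active="$(cat "$lsm_file")"
    fi

    printf 'selinux=%s apparmor=%s lsm=%s\n' "$selinux" "$apparmor" "$active"
}

# Report on the running system (or on the tree given as the first argument).
lsm_status "${1:-}"
```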
 

f33dm3bits

SELinux is usually only installed by default on RHEL-based systems and Fedora.
 

Condobloke


f33dm3bits

> Why only on those ?

Because Red Hat likes SELinux and has been working on making SELinux work better with their systems. You can install SELinux on other distributions, but it's going to give less of a good experience and you will run into things if you don't know what you are looking for or doing.
 

Bartman

The only time I ever remember installing SELinux was when I used UNetbootin which required selinux and extlinux.

That was many years ago when I first started using Linux.
 
KGIII

> SELinux is usually only installed by default on RHEL-based systems and Fedora.

Ha! That's what I said - but your explanation was stuff I didn't really know.

> The only time I ever remember installing SELinux was when I used UNetbootin which required selinux and extlinux.

Hmm... Now that's strange. I'm not sure why that'd be a dependency. Maybe because it has a small Linux image on it for booting purposes?
 

Bartman

> Ha! That's what I said - but your explanation was stuff I didn't really know.

I ain't the best when it comes to explaining stuff where I have to write it out on paper or a forum post.

I'm a sit down and talk to you type when it comes down to explaining stuff.

So my fault on my explanation.

> Hmm... Now that's strange. I'm not sure why that'd be a dependency. Maybe because it has a small Linux image on it for booting purposes?

Whatever I was using at the time, Lubuntu or Linux Mint, and we're talking back in 2015, those items weren't installed by default.
 
KGIII

> I ain't the best when it comes to explaining stuff where I have to write it out on paper or a forum post.

LOL I was referring to f33dm3bits, but it's all good.

> Whatever I was using at the time, Lubuntu or Linux Mint, and we're talking back in 2015, those items weren't installed by default.

Yeah, SELinux wouldn't have been installed. I'm just not sure why unetbootin needs it. The extlinux kinda makes sense - from the little I know of it. It's something to do with syslinux and probably required for the small Linux version that's a part of unetbootin.
 

Bartman

> LOL I was referring to f33dm3bits, but it's all good.

Can't explain stuff and apparently can't see anymore either.

Damn old age sure does put a hurt on a body.

> Yeah, SELinux wouldn't have been installed. I'm just not sure why unetbootin needs it. The extlinux kinda makes sense - from the little I know of it. It's something to do with syslinux and probably required for the small Linux version that's a part of unetbootin.

I have no idea and UNetbootin was good in its day and probably still is but doesn't always work or hasn't for me.

I use Gnome Multi Writer or Balena Etcher or dd Copy depending on the distro I'm using at the time of need.
 
KGIII

> I use Gnome Multi Writer or Balena Etcher or dd Copy depending on the distro I'm using at the time of need.

I mostly use Balena Etcher. During testing phases, I use it at least once a day - to do a test on bare metal. (I do my other test, two a day, in a VM.)

Eh... I guess I mostly do three tests a day, but one isn't recorded. I have a VM that gets the daily ISO installed on it and I keep it upgraded via the update process. I make sure that works too, but it doesn't get recorded anywhere. It's mostly so that I can test against it when I spot a bug or for bug confirmation when I see someone else's bug.
 