Today's article is about checking to see if SELinux is running.

KGIII

Not all distros come with SELinux, but a bunch of 'em do. Those distros tend to be more enterprise-kinda-distros, but not exclusively.


Feedback is pretty awesome.
 


Interesting.

Does it have a logical place in Linux Mint?...recommended ?....necessary ?

Why is it not installed as default?
 
You use AppArmor instead, I'm pretty sure. The two do similar things so I don't ever see them mixed together. You find SELinux in the RHEL family and AppArmor in the Ubuntu family - and, I'm pretty sure, derivatives of both.

Hmm... You can check your AppArmor status with 'aa-status', though you may want to use sudo for more information/access. That should at least spit out if it's active or not.
 
Apparently AppArmor is installed and "loaded"...22 profiles loaded, 20 of which are in enforce mode.

I did not know it was on the pc.

I note that SELinux is available via the Software Manager (Linux Mint 20.3)

AppArmor looks like:
brian@brian-desktop:~$ aa-status
apparmor module is loaded.
22 profiles are loaded.
20 profiles are in enforce mode.
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/lightdm/lightdm-guest-session
/usr/lib/lightdm/lightdm-guest-session//chromium
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/usr/sbin/tcpdump
/{,usr/}sbin/dhclient
libreoffice-senddoc
libreoffice-soffice//gpg
libreoffice-xpdfimport
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
2 profiles are in complain mode.
libreoffice-oopslash
libreoffice-soffice
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
brian@brian-desktop:~$

I also note that in this topic, special mention is made of SeLinux & AppArmor

Despite AppArmor being on this pc, it does not show up in Menu as an app
 
This is what I get.

Code:
[pclinuxos@localhost ~]$ getenforce
bash: getenforce: command not found

[pclinuxos@localhost ~]$ sestatus
bash: sestatus: command not found

[pclinuxos@localhost ~]$ aa-status
bash: aa-status: command not found
 
Despite AppArmor being on this pc, it does not show up in Menu as an app

I don't think it's supposed to. It's terminal only. Though, I guess you can edit profiles with a plain text editor. But, it's not supposed to appear in the menu.

I also note that in this topic, special mention is made of SeLinux & AppArmor

I'm not sure that that's a beneficial step for OP to take in that thread, but it won't harm anything so long as they turn 'em back on. Even then, you can run without either. As is evidenced by:

This is what I get. (snipped)

LOL You're quite likely using a distro without either. They do exist. You don't find them in like Puppy (as I recall) or other similar distros. You can probably install one or the other.
 
Neither on Raspberry Pi OS, although AppArmor is in the kernel and can be easily enabled.
By doing:
Add lsm=apparmor to /boot/cmdline.txt
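
Added example, not part of any post in this thread: a POSIX shell check that reads the kernel's own files, so it still answers on systems where `getenforce`, `sestatus` and `aa-status` are not installed. The optional root-prefix argument is a hypothetical hook for testing against a fake tree; the three `/sys` paths are the standard kernel interfaces.

```shell
#!/bin/sh
# Added example: check SELinux/AppArmor from kernel files, no userland tools.
# The optional root-prefix argument is a hypothetical testing hook; leave it
# empty to inspect the live system.

# True if LSM $1 is in the kernel's active list (needs securityfs mounted).
lsm_active() {
    f="${2:-}/sys/kernel/security/lsm"
    [ -r "$f" ] || return 1
    case ",$(cat "$f")," in
        *",$1,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# selinuxfs exposes 'enforce' only when SELinux is enabled: 1 or 0.
selinux_state() {
    f="${1:-}/sys/fs/selinux/enforce"
    if [ -r "$f" ]; then
        case "$(cat "$f")" in
            1) echo enforcing ;;
            0) echo permissive ;;
            *) echo unknown ;;
        esac
    else
        echo disabled
    fi
}

# The apparmor module parameter reads Y when AppArmor is active, N when it is
# built in but not selected (e.g. no lsm=apparmor on the kernel command line).
apparmor_state() {
    f="${1:-}/sys/module/apparmor/parameters/enabled"
    if [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]; then
        echo enabled
    else
        echo disabled
    fi
}

mac_report() {
    echo "selinux=$(selinux_state "${1:-}") apparmor=$(apparmor_state "${1:-}")"
}

mac_report ""
```

A result of `selinux=disabled apparmor=disabled` matches the "command not found" case above: neither framework is active, not just the tools missing.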
 
This is what I get.

Code:
[pclinuxos@localhost ~]$ getenforce
bash: getenforce: command not found

[pclinuxos@localhost ~]$ sestatus
bash: sestatus: command not found

[pclinuxos@localhost ~]$ aa-status
bash: aa-status: command not found
LOL You're quite likely using a distro without either. They do exist. You don't find them in like Puppy (as I recall) or other similar distros. You can probably install one or the other.
The distro I ran the commands in is PC Linux OS.

I'll run the commands on some other Linux computers and see what they show.

Some commands don't work in PC Linux OS.
 
SELinux is usually only installed by default on RHEL-based systems and Fedora.
 
Why only on those ?
Because Red Hat likes SELinux and has been working on making SELinux work better with their systems. You can install SELinux on other distributions, but it's going to give less of a good experience and you will run into things if you don't know what you are looking for or doing.
 
The only time I ever remember installing SELinux was when I used UNetbootin, which required SELinux and extlinux.

That was many years ago when I first started using Linux.
 
SELinux is usually only installed by default on RHEL-based systems and Fedora.

Ha! That's what I said - but your explanation was stuff I didn't really know.

The only time I ever remember installing SELinux was when I used UNetbootin, which required SELinux and extlinux.

Hmm... Now that's strange. I'm not sure why that'd be a dependency. Maybe because it has a small Linux image on it for booting purposes?
 
Ha! That's what I said - but your explanation was stuff I didn't really know.
I ain't the best when it comes to explaining stuff where I have to write it out on paper or a forum post.

I'm a sit down and talk to you type when it comes down to explaining stuff.

So my fault on my explanation.
Hmm... Now that's strange. I'm not sure why that'd be a dependency. Maybe because it has a small Linux image on it for booting purposes?
Whatever I was using at the time, Lubuntu or Linux Mint, and we're talking back in 2015, those items weren't installed by default.
 
I ain't the best when it comes to explaining stuff where I have to write it out on paper or a forum post.

LOL I was referring to f33dm3bits, but it's all good.

Whatever I was using at the time, Lubuntu or Linux Mint, and we're talking back in 2015, those items weren't installed by default.

Yeah, SELinux wouldn't have been installed. I'm just not sure why unetbootin needs it. The extlinux kinda makes sense - from the little I know of it. It's something to do with syslinux and probably required for the small Linux version that's a part of unetbootin.
 
LOL I was referring to f33dm3bits, but it's all good.
Can't explain stuff and apparently can't see anymore either.

Damn old age sure does put a hurt on a body.
Yeah, SELinux wouldn't have been installed. I'm just not sure why unetbootin needs it. The extlinux kinda makes sense - from the little I know of it. It's something to do with syslinux and probably required for the small Linux version that's a part of unetbootin.
I have no idea, and UNetbootin was good in its day and probably still is, but doesn't always work or hasn't for me.

I use Gnome Multi Writer or Balena Etcher or dd Copy depending on the distro I'm using at the time of need.
 
I use Gnome Multi Writer or Balena Etcher or dd Copy depending on the distro I'm using at the time of need.

I mostly use Balena Etcher. During testing phases, I use it at least once a day - to do a test on bare metal. (I do my other test, two a day, in a VM.)

Eh... I guess I mostly do three tests a day, but one isn't recorded. I have a VM that gets the daily ISO installed on it and I keep it upgraded via the update process. I make sure that works too, but it doesn't get recorded anywhere. It's mostly so that I can test against it when I spot a bug or for bug confirmation when I see someone else's bug.
 