# uname -r
2.6.23.1-49.fc8
Once we have determined the kernel release of the currently running kernel, we can query the configuration file that was used to compile it.
# grep -i selinux /boot/config-2.6.23.1-49.fc8
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
The CONFIG_SECURITY_SELINUX option is set to 'yes'. This means that SELinux support is compiled into this kernel. The CONFIG_SECURITY_SELINUX_DISABLE option is also set to 'yes'. This means that SELinux is not enabled by default.
Or you could determine it the same way most people do: grep selinuxfs /proc/filesystems
To determine the current status of SELinux on our running system, use sestatus:
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
Thanks to Method for letting me quote you in this article. You can view his blog here: http://securityblog.org/brindle/
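The grep shown earlier also matches "# ... is not set" lines and every longer option name that contains the search term, so its output has to be read line by line. The script below is an added example, not part of the original post: it looks up one exact option and combines the result with the /proc/filesystems check. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample data below is constructed.

# kconfig_value OPTION [FILE]: print the option's value ("y", "m", "1", ...),
# "n" for a "# OPTION is not set" marker, "absent" if it is not mentioned.
# Matching the full name avoids hitting longer options such as
# CONFIG_SECURITY_SELINUX_DISABLE when asking for CONFIG_SECURITY_SELINUX.
kconfig_value() {
    opt=$1
    file=${2:-/boot/config-$(uname -r)}
    [ -r "$file" ] || { echo "unreadable"; return 0; }
    awk -v opt="$opt" '
        index($0, opt "=") == 1        { print substr($0, length(opt) + 2); hit = 1; exit }
        $0 == ("# " opt " is not set") { print "n"; hit = 1; exit }
        END                            { if (!hit) print "absent" }
    ' "$file"
}

# selinuxfs_registered [FILE]: succeed if the running kernel lists selinuxfs
# (last field of a /proc/filesystems line, after the optional "nodev").
selinuxfs_registered() {
    awk '$NF == "selinuxfs" { ok = 1 } END { exit !ok }' "${1:-/proc/filesystems}"
}

# selinux_support [CONFIG] [FILESYSTEMS]: one-line summary of both checks.
selinux_support() {
    built=$(kconfig_value CONFIG_SECURITY_SELINUX "$1")
    if selinuxfs_registered "$2" 2>/dev/null; then fs=yes; else fs=no; fi
    echo "compiled_in=$built selinuxfs=$fs"
}

# Constructed sample inputs so the example runs on any machine.
sample_config() {
    cat <<'EOF'
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
EOF
}
sample_filesystems() { printf 'nodev\tsysfs\nnodev\tselinuxfs\n\text3\n'; }

tmp=$(mktemp -d)
sample_config > "$tmp/config"
sample_filesystems > "$tmp/filesystems"
selinux_support "$tmp/config" "$tmp/filesystems"
rm -rf "$tmp"
```

Called without arguments, selinux_support reads /boot/config-$(uname -r) and /proc/filesystems on the machine it runs on.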
2 comments:
Portuguese version of this post:
http://jczucco.blogspot.com/2007/11/como-verificar-se-o-seu-sistema-suporta.html
Actually, you missed one thing: CONFIG_SECURITY_SELINUX_DISABLE is not about the default SELinux mode. As mentioned in the kernel configuration help: This option enables writing to a selinuxfs node 'disable', which allows SELinux to be disabled at runtime prior to the policy load. That means the kernel will be "capable" of disabling SELinux at runtime.
I know that the config name is a little bit confusing; however, if you look again at the prompt in the kernel, you can see that it is about "NSA SELinux runtime disable".
You can also look at my blogpost about selinux:
http://eckucukoglu.com/linux/selinux-mode-configuration-details/