secon Command in Linux



SELinux (Security-Enhanced Linux) is a security module that controls access to system resources using strict rules. It is usually enabled by default on Red Hat-based distributions like RHEL, CentOS, Fedora, and Rocky Linux. SELinux enforces Mandatory Access Control (MAC) policies, which limit what users and processes can do, adding an extra layer of security.

The secon command prints the SELinux security context (user, role, type and MLS level) of files, processes and the shell itself, which makes it easy to inspect how objects on the system are labelled. In this tutorial, we will explain how to enable SELinux, install the secon command, and use it effectively with practical examples.

The sections below cover enabling SELinux, installing secon, the options it accepts, and worked examples −

How to Enable SELinux in Linux?

SELinux (Security-Enhanced Linux) is enabled by default on many Linux distributions, especially Red Hat-based ones like RHEL, CentOS, Fedora, and Rocky Linux. It enforces Mandatory Access Control (MAC) policies to restrict system access and enhance security. You can check if SELinux is enabled on your system using −

getenforce

getenforce prints one of three states: "Enforcing" means SELinux is active and blocking policy violations, "Permissive" means it is active but only logging them, and "Disabled" means it is completely turned off on your system −

To enable SELinux, or to change the mode it starts in, edit the configuration file −

sudo nano /etc/selinux/config

The SELINUX= line in this file selects the mode applied at boot. With "SELINUX=permissive", SELinux loads the policy and logs every violation (as AVC denials in the audit log) but does not block anything. This is useful while debugging a policy because all actions are allowed yet still reported.

If getenforce returns Disabled even though this file says permissive or enforcing, SELinux was switched off on the kernel command line (the selinux=0 boot parameter), which overrides the file; on recent Fedora and RHEL 9 releases, setting SELINUX=disabled here is deprecated and the boot parameter is the supported way to disable SELinux. To make the policy binding, change "SELINUX=permissive" to "SELINUX=enforcing".

Save the changes and reboot for them to take effect. If SELinux was previously disabled, files written in the meantime carry no labels: run "sudo touch /.autorelabel" before rebooting so the whole filesystem is relabelled on the next boot, and go through permissive first so that denials which would stop a service (or the boot itself) under enforcing show up in the audit log first. After the reboot, run "getenforce" again to verify the status. "sudo setenforce 1" switches a permissive system to enforcing immediately without a reboot, but cannot turn on a disabled one.
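The procedure above, scripted as an added example (this is not code from the tutorial or from the SELinux project): one function rewrites the SELINUX= line of an /etc/selinux/config-style file and refuses any value other than the three modes, another schedules the relabel. The file path and root directory are parameters, an assumption made so the demo can run against a scratch copy with constructed contents rather than the live file.

```shell
#!/bin/sh
# Added example, not from the original tutorial: set the persistent SELinux
# mode in an /etc/selinux/config-style file and schedule a relabel.
# The file path and the root directory are parameters (assumptions for the
# demo) so that this can be exercised on a scratch copy without root.

# selinux_config_mode FILE: print the value of the first SELINUX= line.
selinux_config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | head -n 1
}

# set_selinux_config_mode FILE MODE
# Rewrite the SELINUX= line.  Only the three values libselinux understands
# are accepted, so a typo is rejected instead of being written to disk.
# The file is rewritten through its existing inode, which keeps its owner,
# permissions and SELinux label (a file moved in from /tmp would not).
set_selinux_config_mode() {
    file=$1
    mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "set_selinux_config_mode: invalid mode '$mode'" >&2; return 2 ;;
    esac
    [ -w "$file" ] || { echo "set_selinux_config_mode: cannot write $file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# schedule_relabel [ROOT]
# Create ROOT/.autorelabel (ROOT defaults to /).  Needed after SELinux was
# disabled: files written meanwhile have no labels, and without a relabel an
# enforcing boot may fail or leave services unable to read their own files.
schedule_relabel() {
    root=${1:-}
    touch "$root/.autorelabel"
}

# Demonstration on a scratch copy with constructed contents, not the live file.
# For the real thing, as root:
#   set_selinux_config_mode /etc/selinux/config enforcing && schedule_relabel && reboot
demo=$(mktemp)
printf '# This file controls the state of SELinux on the system.\nSELINUX=permissive\nSELINUXTYPE=targeted\n' > "$demo"
echo "before: $(selinux_config_mode "$demo")"
set_selinux_config_mode "$demo" enforcing
echo "after:  $(selinux_config_mode "$demo")"
rm -f "$demo"
```

Going straight from disabled to enforcing without the relabel is the classic way to get an unbootable box, which is why the relabel is a separate, explicit step here rather than something hidden inside the mode change.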

Installing secon Command

The secon command is shipped in the policycoreutils package, which is already present on most SELinux-enabled systems. Run the following command to install it on Debian / Ubuntu −

sudo apt install policycoreutils

On RHEL/CentOS/Fedora the package has the same name. On Arch Linux it is not in the official repositories but is provided through the AUR (or the unofficial SELinux repository), so pacman only finds it once one of those is set up −

# installing secon on RHEL/CentOS/Fedora
sudo dnf install policycoreutils 
sudo yum install policycoreutils
# installing secon on Arch Linux (AUR / unofficial SELinux repository)
sudo pacman -S policycoreutils

After installation, you can confirm the command’s availability on your system using the command below −

secon --version

How to Use secon Command in Linux?

The secon command retrieves and displays security context information in SELinux. You can use different options to extract specific details, such as user, role, type, sensitivity, and clearance levels −

secon [OPTIONS] [CONTEXT]
secon --file FILE
secon --link FILE
secon --pid PID

Here,

  • The --file option retrieves the security context of a specified file, following symbolic links to their target.
  • The --link option reports the context of the named path itself, so for a symbolic link it shows the link's own label rather than the target's.
  • The --pid option fetches the security context of a specific process by its Process ID (PID).
Option                        Description
-V, --version                 Print the installed version of secon.
-h, --help                    List the available options and their usage.
-P, --prompt                  Print the selected fields in a compact, colon-separated single-line form suitable for a shell prompt.
-u, --user                    Show the SELinux user of the context.
-r, --role                    Show the role of the context.
-t, --type                    Show the type of the context (for a process, its domain).
-s, --sensitivity             Show the sensitivity level, the low end of the MLS/MCS range.
-c, --clearance               Show the clearance level, the high end of the range, i.e. the highest level the process may reach.
-m, --mls-range               Show sensitivity and clearance together as a low-high range.
-R, --raw                     Print the levels in their raw, untranslated form instead of the human-readable translation provided by mcstrans.
-f, --file FILE               Context of FILE, following symbolic links.
-L, --link FILE               Context of FILE itself, without following symbolic links.
-p, --pid PID                 Context of the process with the given PID.
--pid-exec PID                Exec context of that process: the context it has requested for the next program it executes (empty unless something such as runcon set it).
--pid-fs PID                  Filesystem-creation context of that process: the label it will give to new files (empty means the normal defaults apply).
--current, --self             Context of the current process, i.e. the one secon inherited from the shell that ran it.
--current-exec, --self-exec   Exec context of the current process.
--current-fs, --self-fs       Filesystem-creation context of the current process.
--parent                      Context of the parent process (the one that started the current process).
--parent-exec                 Exec context of the parent process.
--parent-fs                   Filesystem-creation context of the parent process.

If no target option is given, secon reads a context string from standard input (for example one copied from the output of ls -Z, ps -Z or id -Z); if standard input is a terminal, it falls back to the context of the current process.

Additionally, if none of the field-selecting options (--user, --role, --type, --sensitivity, --clearance, --mls-range) is specified, secon prints all of them.
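What those fields are, and why a context string cannot simply be split on colons, as an added example that is not from the tutorial and not secon's own code: the first three fields are user, role and type, but everything after the third colon is the MLS/MCS level, which may itself contain colons and a "low-high" range. The low/high split below mirrors how secon derives sensitivity and clearance. The contexts are constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial and not secon's own code:
# split a context string into the fields secon reports.  The input contexts
# are constructed; the low/high split mirrors how secon derives sensitivity
# (low end of the range) and clearance (high end).

# ctx_field CONTEXT user|role|type|range|sensitivity|clearance
# user, role and type are the first three colon-separated fields.  Everything
# after the third colon is the MLS/MCS level, which may itself contain colons
# ("s0:c0.c1023") and a "low-high" range, so it is taken as a whole rather
# than as "field 4".  A context without a level (non-MLS policy) yields an
# empty range.
ctx_field() {
    ctx=$1
    case $2 in
        user)  printf '%s\n' "$ctx" | cut -d: -f1 ;;
        role)  printf '%s\n' "$ctx" | cut -d: -f2 ;;
        type)  printf '%s\n' "$ctx" | cut -d: -f3 ;;
        range) printf '%s\n' "$ctx" | cut -d: -f4- ;;
        sensitivity) ctx_field "$ctx" range | sed 's/-.*//' ;;   # low end, or the whole level
        clearance)   ctx_field "$ctx" range | sed 's/.*-//' ;;   # high end, or the whole level
        *) echo "ctx_field: unknown field '$2'" >&2; return 2 ;;
    esac
}

# ctx_summary CONTEXT: the same listing secon prints when no field is selected.
ctx_summary() {
    for field in user role type sensitivity clearance range; do
        printf '%s: %s\n' "$field" "$(ctx_field "$1" "$field")"
    done
}

# Constructed contexts: an unconfined login shell under the targeted policy
# with MCS categories, and /etc/passwd as the targeted policy labels it.
shell_ctx='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
file_ctx='system_u:object_r:passwd_file_t:s0'

ctx_summary "$shell_ctx"
echo "--"
ctx_summary "$file_ctx"

# secon reads a context from stdin when stdin is not a terminal, so the same
# string can be handed to it for comparison wherever secon is installed.
if command -v secon >/dev/null 2>&1; then
    printf '%s\n' "$shell_ctx" | secon --type
fi
```

The type is always the third field, so a quick `cut -d: -f3` is safe for it; the mistake to avoid is treating the fourth field as "the level" when the level can be several fields long.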

For more details, refer to the command's official manual page −

man secon

Alternatively, you can access a command’s help page to get precise information about its options and usage −

secon --help

Examples of secon Command in Linux

Let’s go through the following examples to learn how the secon command works in Linux −

  • Check the Security Context of the Current Process
  • Get the Security Context of a File
  • Fetch the Security Context of a Process by PID
  • Display User, Role, and Type Separately
  • Check the Execution Security Context of the Current Process

Check the Security Context of the Current Process

Use the secon command with the --current option to get the security context of the current running process −

secon --current

It prints the user, role, type, sensitivity, clearance and MLS range of the context, which secon inherits from the shell that ran it; in an interactive session under the targeted policy this is normally an unconfined_u:unconfined_r:unconfined_t context, and id -Z prints the same context on one line.

Get the Security Context of a File

You can use the --file option to check the security context of a specific file, such as “/etc/passwd” −

secon --file /etc/passwd

--file follows symbolic links and reports the target's context. To see the context of a link itself, use the --link option; on a regular file such as /etc/passwd both commands give the same answer, so the difference only shows on a path that is a symbolic link (for instance /etc/localtime on most systemd-based systems) −

secon --link /etc/passwd

Fetch the Security Context of a Process by PID

You can check the security context of a running process by specifying its PID −

secon --pid 1212

Replace 1212 with an actual process ID (ps -eZ lists every process together with its context). For a daemon, the type field is its domain, so this is a quick way to confirm that a service is running confined in its own domain rather than in unconfined_t or initrc_t, where a process without a matching policy module ends up.

Display User, Role, and Type Separately

If you want only specific SELinux context details, use the corresponding option: --user for the SELinux user, --role for the role, --type for the type, and so on. With no target option these refer to the current process; they combine with --file, --link or --pid to pick one field of another object, and several of them may be given at once −

secon --user
secon --role
secon --type

Check the Execution Security Context of the Current Process

If you need to check the exec context of the current process, use the --current-exec option with the secon command −

secon --current-exec

The exec context is the label a process has requested for the next program it executes. It is normally unset, so for an ordinary shell there is no context to report; it only becomes interesting for a process that has called setexeccon(3), such as runcon just before it executes its target. Similarly, you can use the other options in the table above to retrieve whichever context detail you need.
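Applying --type and --pid at scale, as an added example that is not from the tutorial or from the policycoreutils project: a check that each service in a list is running in the domain you expect. It calls secon --type --pid for a real process; the demo substitutes a fake lookup over constructed PIDs so it runs on a machine without SELinux. The expected domains sshd_t, httpd_t, crond_t and init_t are the ones the targeted policy assigns to those daemons; the PIDs are made up.

```shell
#!/bin/sh
# Added example, not from the original tutorial: verify that services run in
# their expected SELinux domains.  A daemon that lands in unconfined_t or
# initrc_t is effectively outside the policy, which is what this check is
# meant to catch.

# pid_type PID: the type (domain) of a live process, via secon.  Non-zero if
# the process is gone or SELinux is not active.
pid_type() {
    secon --type --pid "$1" 2>/dev/null
}

# check_domains GETTER
# Reads "pid expected_type" lines from stdin, looks up the actual type with
# GETTER (pid_type in real use), prints one line per problem and returns the
# number of problems (capped at 255 to fit in an exit status).
check_domains() {
    getter=$1
    bad=0
    while read -r pid want; do
        [ -z "$pid" ] && continue
        if ! got=$("$getter" "$pid"); then
            echo "pid $pid: cannot read context"
            bad=$((bad + 1))
            continue
        fi
        if [ "$got" != "$want" ]; then
            echo "pid $pid: expected $want, running as $got"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -gt 255 ] && bad=255
    return "$bad"
}

# fake_type PID: stand-in for pid_type over constructed PIDs, so the demo
# works without an SELinux kernel.  PID 303 models a web server that someone
# started by hand from an unconfined root shell instead of via the unit file.
fake_type() {
    case $1 in
        101) echo sshd_t ;;
        202) echo httpd_t ;;
        303) echo unconfined_t ;;
        *)   return 1 ;;
    esac
}

# Constructed inventory of pid/expected-domain pairs.  On a real host build it
# from the service PIDs (e.g. systemctl show -p MainPID sshd) and the domains
# seen in ps -eZ on a known-good machine.
printf '101 sshd_t\n202 httpd_t\n303 httpd_t\n404 crond_t\n' | check_domains fake_type
echo "problems: $?"

# Live check of PID 1, which the targeted policy runs as init_t, when secon
# and an active SELinux are present on this machine.
if command -v secon >/dev/null 2>&1 && [ "$(getenforce 2>/dev/null)" != Disabled ]; then
    echo "1 init_t" | check_domains pid_type
fi
```

Run the real version from cron or a monitoring agent and alert on a non-zero exit status; a mismatch is either a policy gap or someone bypassing the unit file, and both are worth a look.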

Conclusion

SELinux provides an essential security layer by enforcing strict access control policies, helping to protect Linux systems from unauthorized actions. The secon command simplifies inspecting SELinux contexts by retrieving the user, role, type and level of files, processes and the shell itself, which is the first step in confirming that a service is confined the way the policy intends.
