Re: How to test if SELinux is 'running'
- From: "Tom London" <selinux gmail com>
- To: "Stephen Smalley" <sds tycho nsa gov>
- Cc: fedora-selinux <fedora-selinux-list redhat com>
- Subject: Re: How to test if SELinux is 'running'
- Date: Thu, 11 Oct 2007 10:51:29 -0700
On 10/11/07, Stephen Smalley <sds tycho nsa gov> wrote:
> On Thu, 2007-10-11 at 10:00 -0700, Tom London wrote:
> > What is the 'approved' method for determining if SELinux is 'running',
> > that is, active, and in either enforcing or permissive mode?
> >
> > If my feeble memory serves me, there used to be a 'isSELinux' or some
> > such, but I can't seem to find this anymore.
> >
> > I'd like to modify some scripts to work both with and without SELinux
> > active, e.g., vmware. It is currently testing against the contents of
> > /selinux/enforce, but that does not seem right....
>
> What kind of scripts? Python scripts can use the python bindings to
> libselinux to directly invoke is_selinux_enabled(),
> security_getenforce(), and/or selinux_getenforcemode().
>
> Shell scripts can execute selinuxenabled (as a boolean condition,
> exiting with 0 for true and 1 for false, just like /bin/true
> and /bin/false, for use in conditional statements - no output),
> getenforce (displaying the Enforcing/Permissive/Disabled status as
> output), or sestatus (displaying more information).
>
vmware, in particular, runs a shell script.

Here was the 'before' test:

    if [ "`cat /selinux/enforce 2> /dev/null`" = "1" ]; then

This had the (erroneous?) behavior of only executing the 'then' clause
if SELinux is active and in enforcing mode. So permissive mode borks
this.

Here is how I changed it:

    if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled ; then

Seems to work (I booted w/ enforcing=0).....

Any chance that selinuxenabled would get installed someplace else?

tom
--
Tom London
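
The check discussed in this thread, as an added example that is not part of the original message or of vmware's script: it looks up selinuxenabled in a search path instead of one hard-coded location, and shows why reading the enforce file alone cannot tell permissive from disabled. The function names, the SE_PATH and SE_FS variables, the /sys/fs/selinux mount point and the fallback rule are assumptions of this example.

```shell
#!/bin/sh
# Added example; all function and variable names here are hypothetical.
# SE_PATH: directories searched for selinuxenabled (override to test).
# SE_FS:   candidate selinuxfs mount points; /selinux is the path from the
#          thread, /sys/fs/selinux is where newer kernels mount it.
: "${SE_PATH:=$PATH:/usr/sbin:/sbin}"
: "${SE_FS:=/sys/fs/selinux /selinux}"

# The thread's 'before' test: true only when the enforce file reads "1",
# so a permissive system looks the same as a disabled one.
enforce_is_one() {
    [ "$(cat "$1/enforce" 2>/dev/null)" = "1" ]
}

# Print the full path of selinuxenabled if it exists anywhere in SE_PATH.
# The body is a subshell so the IFS change does not leak to the caller.
find_selinuxenabled() (
    IFS=:
    for dir in $SE_PATH; do
        if [ -n "$dir" ] && [ -x "$dir/selinuxenabled" ]; then
            echo "$dir/selinuxenabled"
            return 0
        fi
    done
    return 1
)

# True when SELinux is active, in either enforcing or permissive mode.
selinux_running() {
    if tool=$(find_selinuxenabled); then
        if "$tool"; then return 0; else return 1; fi
    fi
    # Assumed fallback when the tool is not installed: a readable enforce
    # file under a selinuxfs mount point means SELinux is active.
    for fs in $SE_FS; do
        if [ -r "$fs/enforce" ]; then return 0; fi
    done
    return 1
}

# Print enforcing, permissive or disabled.
selinux_mode() {
    if ! selinux_running; then echo disabled; return 0; fi
    for fs in $SE_FS; do
        if enforce_is_one "$fs"; then echo enforcing; return 0; fi
    done
    echo permissive
}
```

In a script the condition becomes `if selinux_running; then`, which takes the 'then' branch in both enforcing and permissive mode.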