On 10/11/07, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Thu, 2007-10-11 at 10:00 -0700, Tom London wrote:
> > What is the 'approved' method for determining if SELinux is 'running',
> > that is, active, and in either enforcing or permissive mode?
> >
> > If my feeble memory serves me, there used to be a 'isSELinux' or some
> > such, but I can't seem to find this anymore.
> >
> > I'd like to modify some scripts to work both with and without SELinux
> > active, e.g., vmware. It is currently testing against the contents of
> > /selinux/enforce, but that does not seem right....
>
> What kind of scripts? Python scripts can use the python bindings to
> libselinux to directly invoke is_selinux_enabled(),
> security_getenforce(), and/or selinux_getenforcemode().
>
> Shell scripts can execute selinuxenabled (as a boolean condition,
> exiting with 0 for true and 1 for false, just like /bin/true
> and /bin/false, for use in conditional statements - no output),
> getenforce (displaying the Enforcing/Permissive/Disabled status as
> output), or sestatus (displaying more information).
>

vmware, in particular, runs a shell script. Here was the 'before' test:

    if [ "`cat /selinux/enforce 2> /dev/null`" = "1" ]; then

This had the (erroneous?) behavior of only executing the 'then' clause
if SELinux is active and in enforcing mode. So permissive mode borks
this.

Here is how I changed it:

    if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled ; then

Seems to work (I booted w/ enforcing=0).....

Any chance that selinuxenabled would get installed someplace else?

tom
--
Tom London

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
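
The two tests discussed in this message, side by side with a state check built on selinuxenabled and getenforce, as an added example that is not part of the original post or of the vmware script. The function names, the SELINUX_TOOL_PATH override and the default directory list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. SELINUX_TOOL_PATH (hypothetical) overrides the directories
# searched, so the functions can be exercised against stub binaries.

# find_tool NAME: print the first executable NAME in the search path.
find_tool() {
    _path=${SELINUX_TOOL_PATH:-/usr/sbin:/sbin:/usr/bin:/bin}  # assumed list
    _old_ifs=$IFS
    IFS=:
    for _dir in $_path; do
        if [ -x "$_dir/$1" ]; then
            IFS=$_old_ifs
            printf '%s\n' "$_dir/$1"
            return 0
        fi
    done
    IFS=$_old_ifs
    return 1
}

# selinux_state: print enforcing, permissive, active, disabled or unavailable.
selinux_state() {
    # No selinuxenabled binary at all: report that separately from "disabled".
    _enabled=$(find_tool selinuxenabled) || { echo unavailable; return 0; }
    # selinuxenabled exits 0 when SELinux is enabled, 1 otherwise, no output.
    "$_enabled" || { echo disabled; return 0; }
    # Enabled, but getenforce is missing: the mode cannot be told apart.
    _getenforce=$(find_tool getenforce) || { echo active; return 0; }
    case $("$_getenforce") in
        Enforcing)  echo enforcing ;;
        Permissive) echo permissive ;;
        *)          echo active ;;
    esac
}

# selinux_active: true in enforcing AND permissive mode.
selinux_active() {
    case $(selinux_state) in
        enforcing|permissive|active) return 0 ;;
        *) return 1 ;;
    esac
}

# The 'before' test from the message: true only when the enforce file holds
# "1", so a permissive system (file holds "0") is treated as SELinux-off.
old_enforce_test() {
    [ "$(cat "${1:-/selinux/enforce}" 2>/dev/null)" = "1" ]
}
```

A script would use `if selinux_active; then ...` where it needs to relabel or load policy regardless of mode, and compare `selinux_state` against `enforcing` only where denials actually matter.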