# SELinux: how can I check if it's correctly working?

## malnati

I installed SELinux (strict policy) in a Gentoo stage3 (Linux kernel version 2.6.24) following the handbook's instructions: http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml

How can I check if it's working correctly? I can still access that machine using ssh, even if not explicitly allowed!

```
Minimal / # sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        strict

Process contexts:
Current context:                root:staff_r:staff_t
Init context:                   unknown (Permission denied)

File contexts:
Controlling term:               root:object_r:staff_devpts_t
/bin/login                      system_u:object_r:login_exec_t
/sbin/unix_chkpwd               system_u:object_r:chkpwd_exec_t
/etc/passwd                     system_u:object_r:etc_t
/bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash                       system_u:object_r:shell_exec_t
/usr/bin/newrole                system_u:object_r:newrole_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t
```

This is the output of getsebool:

```
Minimal / # getsebool -a
allow_execheap --> off
allow_execmem --> off
allow_execmod --> off
allow_execstack --> off
allow_mount_anyfile --> off
allow_polyinstantiation --> off
allow_ptrace --> off
allow_rsync_anon_write --> off
allow_ssh_keysign --> off
allow_user_mysql_connect --> off
allow_user_postgresql_connect --> off
allow_ypbind --> off
cron_can_relabel --> off
fcron_crond --> off
global_ssp --> off
init_upstart --> off
mail_read_content --> off
nfs_export_all_ro --> off
nfs_export_all_rw --> off
read_default_t --> off
read_untrusted_content --> off
rsync_export_all_ro --> off
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
ssh_sysadm_login --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
user_direct_mouse --> off
user_dmesg --> off
user_ping --> off
user_rw_noexattrfile --> off
user_tcp_server --> off
user_ttyfile_stat --> off
write_untrusted_content --> off
```

What kind of test can I do to check the correct behavior of the MAC implementation?

----------
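
One way to turn the two outputs above into a repeatable check, as an added example that is not part of the original post: the script parses `sestatus -v` and `getsebool -a` text and fails unless SELinux is enabled and enforcing both currently and in the config file. The sample text is constructed from the post's output, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Sample text is constructed from the output quoted in the post.
SESTATUS_SAMPLE='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy from config file:        strict
Current context:                root:staff_r:staff_t'

GETSEBOOL_SAMPLE='allow_ptrace --> off
secure_mode --> off
ssh_sysadm_login --> off'

# sestatus_field TEXT LABEL: print the value that follows "LABEL:".
sestatus_field() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# context_role TEXT: role part (user:role:type) of the current context.
context_role() {
    sestatus_field "$1" 'Current context' | cut -d: -f2
}

# bool_state TEXT NAME: print on/off for one boolean, nothing if absent.
bool_state() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n && $2 == "-->" { print $3; exit }'
}

# check_mac TEXT: return 0 only if SELinux is enabled and the mode is
# enforcing both in the running kernel and in the config file.
check_mac() {
    rc=0
    [ "$(sestatus_field "$1" 'SELinux status')" = enabled ] ||
        { echo "FAIL: SELinux is not enabled"; rc=1; }
    [ "$(sestatus_field "$1" 'Current mode')" = enforcing ] ||
        { echo "FAIL: current mode is not enforcing"; rc=1; }
    [ "$(sestatus_field "$1" 'Mode from config file')" = enforcing ] ||
        { echo "FAIL: config file mode is not enforcing"; rc=1; }
    return "$rc"
}

if check_mac "$SESTATUS_SAMPLE"; then
    echo "OK: enforcing, policy $(sestatus_field "$SESTATUS_SAMPLE" 'Policy from config file')"
fi
echo "role: $(context_role "$SESTATUS_SAMPLE")"
echo "ssh_sysadm_login: $(bool_state "$GETSEBOOL_SAMPLE" ssh_sysadm_login)"
```

On a live system, pass `"$(sestatus -v)"` and `"$(getsebool -a)"` in place of the two sample variables.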

