
How to Check SELinux or AppArmor Context in Ubuntu

This article explains the specific commands used to view security contexts on Linux systems, focusing on the Ubuntu distribution. It clarifies the differences between SELinux and AppArmor implementations and provides the exact terminal instructions needed to inspect file security labels or profile statuses.

Understanding Ubuntu Security Modules

Ubuntu uses AppArmor by default instead of SELinux. This distinction is critical because the two security modules handle file contexts differently. SELinux assigns security labels to files, while AppArmor restricts programs based on file paths. Consequently, the command to view context depends on which security module is active on your system.

Command for SELinux Context

If you have installed and enabled SELinux on your Ubuntu system, you can view the security context of a file using the ls command with the -Z flag. Execute the following command in your terminal:

ls -Z /path/to/file

The output displays the user, role, type, and level associated with the specified file. This method only works if SELinux is actively enforcing policies on the system.

Command for AppArmor Status

Since AppArmor is the default security module for Ubuntu, you will likely use this tool. AppArmor does not label individual files with contexts like SELinux. Instead, it loads profiles that define access rules for applications. To view the status of loaded AppArmor profiles and see which processes are confined, use the following command:

sudo aa-status

While there is no direct command to show an AppArmor context on a specific file, you can verify whether a running process is confined by a specific profile by checking the process attributes. Use this command, replacing <pid> with the process ID:

cat /proc/<pid>/attr/current

Summary of Commands

For most Ubuntu users, AppArmor is the active security system. Use sudo aa-status to manage and view profiles. If you are managing a specialized Ubuntu setup with SELinux enabled, use ls -Z to inspect file labels. Always verify which security module is active before attempting to query security contexts.
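
The check described above, written as an added example that is not part of the original article: it determines which module is active and then interprets the label read from /proc/<pid>/attr/current accordingly. It assumes the kernel exposes the active module list at /sys/kernel/security/lsm; the function names active_mac and describe_label are hypothetical helpers introduced here.

```shell
#!/bin/sh
# Added example: pick the active MAC module, then interpret a process label.

# active_mac LSM_LIST -> prints "selinux", "apparmor" or "none".
# LSM_LIST is the comma-separated content of /sys/kernel/security/lsm.
active_mac() {
    case ",$1," in
        *,selinux,*)  echo selinux ;;
        *,apparmor,*) echo apparmor ;;
        *)            echo none ;;
    esac
}

# describe_label MAC LABEL -> one-line interpretation of attr/current.
# AppArmor labels look like "profile (mode)" or "unconfined";
# SELinux labels look like "user:role:type[:level]".
describe_label() {
    mac=$1 label=$2
    case "$mac" in
    apparmor)
        case "$label" in
            unconfined) echo "apparmor: unconfined" ;;
            *" ("*")")  mode=${label##* \(}; mode=${mode%\)}
                        echo "apparmor: confined profile=${label% \(*} mode=$mode" ;;
            *)          echo "apparmor: unrecognized label: $label" ;;
        esac ;;
    selinux)
        user=${label%%:*}; rest=${label#*:}
        role=${rest%%:*};  rest=${rest#*:}
        typ=${rest%%:*}
        # The level is optional and may itself contain colons (categories).
        case "$rest" in *:*) level=${rest#*:} ;; *) level="" ;; esac
        echo "selinux: user=$user role=$role type=$typ level=$level" ;;
    *)  echo "no AppArmor or SELinux label to interpret" ;;
    esac
}

# Live use: pass a PID as the first argument. Nothing runs without one.
if [ -n "${1:-}" ]; then
    lsms=$(cat /sys/kernel/security/lsm 2>/dev/null) || lsms=""
    label=$(cat "/proc/$1/attr/current" 2>/dev/null) || label=""
    describe_label "$(active_mac "$lsms")" "$label"
fi
```

Run it with a process ID as the only argument; reading another user's process attributes may require sudo.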