selinux_config(5)         SELinux configuration file         selinux_config(5)

NAME

       config - The SELinux sub-system configuration file.

DESCRIPTION

       The SELinux config file controls the state of SELinux regarding:

              1.  The policy enforcement status - enforcing, permissive or
                  disabled.

              2.  The policy name or type that forms a path to the policy to
                  be loaded and its supporting configuration files.

              3.  How SELinux-aware login applications should behave if no
                  valid SELinux users are configured.

              4.  Whether the system is to be relabeled or not.

       The entries controlling these functions are described in the FILE
       FORMAT section.

       The fully qualified path name of the SELinux configuration file is
       /etc/selinux/config.

       If the config file is missing or corrupt, then no SELinux policy is
       loaded (i.e. SELinux is disabled).

       The sestatus(8) command and the libselinux function selinux_path(3)
       will return the location of the config file.

FILE FORMAT

       The config file supports the following parameters:

              SELINUX = enforcing | permissive | disabled
              SELINUXTYPE = policy_name
              REQUIRESEUSERS = 0 | 1
              AUTORELABEL = 0 | 1

       Where:
       SELINUX
              This entry can contain one of three values:

                     enforcing
                         SELinux security policy is enforced.

                     permissive
                         SELinux security policy is not enforced but logs the
                         warnings (i.e. the action is allowed to proceed).

                     disabled
                         SELinux is disabled and no policy is loaded.

              The entry can be determined using the sestatus(8) command or
              selinux_getenforcemode(3).

       SELINUXTYPE
              The policy_name entry is used to identify the policy type, and
              becomes the directory name of where the policy and its
              configuration files are located.

              The entry can be determined using the sestatus(8) command or
              selinux_getpolicytype(3).

              The policy_name is relative to a path that is defined within the
              SELinux subsystem that can be retrieved by using
              selinux_path(3). An example entry retrieved by selinux_path(3)
              is:
                     /etc/selinux/

              The policy_name is then appended to this and becomes the 'policy
              root' location that can be retrieved by
              selinux_policy_root_path(3). An example entry retrieved is:
                     /etc/selinux/targeted

              The actual binary policy is located relative to this directory
              and also has a policy name pre-allocated. This information can
              be retrieved using selinux_binary_policy_path(3). An example
              entry retrieved by selinux_binary_policy_path(3) is:
                     /etc/selinux/targeted/policy/policy

              The binary policy name has by convention the SELinux policy
              version that it supports appended to it. The maximum policy
              version supported by the kernel can be determined using the
              sestatus(8) command or security_policyvers(3). An example binary
              policy file with the version is:
                     /etc/selinux/targeted/policy/policy.24

       REQUIRESEUSERS
              This optional entry can be used to fail a login if there is no
              matching or default entry in the seusers(5) file or if the
              seusers file is missing.

              It is checked by getseuserbyname(3) that is called by
              SELinux-aware login applications such as PAM(8).

              If set to 0 or the entry missing:
                     getseuserbyname(3) will return the GNU/Linux user name
                     as the SELinux user.

              If set to 1:
                     getseuserbyname(3) will fail.

              The getseuserbyname(3) man page should be consulted for its use.
              The format of the seusers file is shown in seusers(5).

       AUTORELABEL
              This is an optional entry that allows the file system to be
              relabeled.

              If set to 0 and there is a file called .autorelabel in the root
              directory, then on a reboot, the loader will drop to a shell
              where a root login is required. An administrator can then
              manually relabel the file system.

              If set to 1 or no entry present (the default) and there is a
              .autorelabel file in the root directory, then the file system
              will be automatically relabeled using fixfiles -F restore.

              In both cases the /.autorelabel file will be removed so that
              relabeling is not done again.

EXAMPLE

       This example config file shows the minimum contents for a system to run
       SELinux in enforcing mode, with a policy_name of 'targeted':

              SELINUX = enforcing
              SELINUXTYPE = targeted
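An added example, not part of the original man page or of the SELinux project's code: a small audit of config file text against the parameters and values described in FILE FORMAT, using the REQUIRESEUSERS spelling from the parameter description. The function names, the "#" comment handling, the tolerance for spaces around "=" and the sample text are assumptions made for this illustration.

```python
import re

# Parameters and permitted values from FILE FORMAT (None = free-form name).
ALLOWED = {
    "SELINUX": {"enforcing", "permissive", "disabled"},
    "SELINUXTYPE": None,
    "REQUIRESEUSERS": {"0", "1"},
    "AUTORELABEL": {"0", "1"},
}
# Assumption: optional spaces around "=", as this page writes its entries.
ENTRY = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(\S*)\s*$")

def parse_config(text):
    """Return (entries, problems) for the text of a config file."""
    entries, problems = {}, []
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # assumption: "#" starts a comment
        if not line.strip():
            continue
        m = ENTRY.match(line)
        key, value = m.groups() if m else (None, None)
        if m is None:
            problems.append(f"line {num}: not a KEY = value entry")
        elif key not in ALLOWED:
            problems.append(f"line {num}: unknown parameter {key}")
        elif ALLOWED[key] is not None and value not in ALLOWED[key]:
            problems.append(f"line {num}: invalid {key} value {value!r}")
        else:
            entries[key] = value
    return entries, problems

def audit(text, selinux_path="/etc/selinux/"):
    """Return (policy_root, findings); selinux_path is the page's example path."""
    entries, findings = parse_config(text)
    mode = entries.get("SELINUX")
    if mode != "enforcing":
        findings.append(f"SELINUX is {mode or 'unset'}, not enforcing")
    ptype = entries.get("SELINUXTYPE")
    policy_root = selinux_path + ptype if ptype else None
    if policy_root is None:
        findings.append("SELINUXTYPE is unset: policy root cannot be derived")
    if entries.get("REQUIRESEUSERS", "0") == "0":
        findings.append("REQUIRESEUSERS is 0 or missing: no login failure on seusers miss")
    if entries.get("AUTORELABEL", "1") == "0":
        findings.append("AUTORELABEL is 0: /.autorelabel needs a manual relabel")
    return policy_root, findings

# Constructed sample (not from a real host); line 4 misspells REQUIRESEUSERS.
SAMPLE = ("# constructed\nSELINUX = permissive\nSELINUXTYPE = targeted\n"
          "REQUIREUSERS = 1\nAUTORELABEL = 0\n")
```

Calling audit(SAMPLE) returns the policy root /etc/selinux/targeted together with four findings, the first of which is the misspelt parameter on line 4.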

SEE ALSO

       selinux(8), sestatus(8), selinux_path(3), selinux_policy_root_path(3),
       selinux_binary_policy_path(3), getseuserbyname(3), PAM(8), fixfiles(8),
       selinux_mkload_policy(3), selinux_getpolicytype(3),
       security_policyvers(3), selinux_getenforcemode(3), seusers(5)

Security Enhanced Linux           18 Nov 2011                selinux_config(5)