1selinux_config(5) SELinux configuration file selinux_config(5)
2
3
4
6 config - The SELinux sub-system configuration file.
7
8
10 The SELinux config file controls the state of SELinux regarding:
11
12 1. The policy enforcement status - enforcing, permissive or
13 disabled.
14
15 2. The policy name or type that forms a path to the policy to
16 be loaded and its supporting configuration files.
17
18 3. How SELinux-aware login applications should behave if no
19 valid SELinux users are configured.
20
21 4. Whether the system is to be relabeled or not.
22
23 The entries controlling these functions are described in the FILE FOR‐
24 MAT section.
25
26 The fully qualified path name of the SELinux configuration file is
27 /etc/selinux/config.
28
29 If the config file is missing or corrupt, then no SELinux policy is
30 loaded (i.e. SELinux is disabled).
31
32 The sestatus [22m(8) command and the libselinux function selinux_path (3)
33 will return the location of the config file.
34
35
37 The config file supports the following parameters:
38
39 SELINUX = enforcing | permissive | disabled
40 SELINUXTYPE = policy_name
41 REQUIRESEUSERS = 0 | 1
42 AUTORELABEL = 0 | 1
43
44 Where:
45 SELINUX
46 This entry can contain one of three values:
47
48 enforcing
49 SELinux security policy is enforced.
50
51 permissive
52 SELinux security policy is not enforced but logs the
53 warnings (i.e. the action is allowed to proceed).
54
55 disabled
56 No SELinux policy is loaded. This option was used to
57 disable SELinux completely, which is now deprecated.
58 Use the selinux=0 kernel boot option instead (see
59 selinux(8)).
60
61 The entry can be determined using the sestatus(8) command or
62 selinux_getenforcemode(3).
63
64 SELINUXTYPE
65 The policy_name entry is used to identify the policy type, and
66 becomes the directory name of where the policy and its configu‐
67 ration files are located.
68
69 The entry can be determined using the sestatus(8) command or
70 selinux_getpolicytype(3).
71
72 The policy_name is relative to a path that is defined within the
73 SELinux subsystem that can be retrieved by using
74 selinux_path(3). An example entry retrieved by selinux_path(3)
75 is:
76 /etc/selinux/
77
78 The policy_name is then appended to this and becomes the 'policy
79 root' location that can be retrieved by selinux_pol‐
80 icy_root_path(3). An example entry retrieved is:
81 /etc/selinux/targeted
82
83 The actual binary policy is located relative to this directory
84 and also has a policy name pre-allocated. This information can
85 be retrieved using selinux_binary_policy_path(3). An example en‐
86 try retrieved by selinux_binary_policy_path(3) is:
87 /etc/selinux/targeted/policy/policy
88
89 The binary policy name has by convention the SELinux policy ver‐
90 sion that it supports appended to it. The maximum policy version
91 supported by the kernel can be determined using the sestatus(8)
92 command or security_policyvers(3). An example binary policy file
93 with the version is:
94 /etc/selinux/targeted/policy/policy.24
95
96 REQUIRESEUSERS
97 This optional entry can be used to fail a login if there is no
98 matching or default entry in the seusers(5) file or if the
99 seusers file is missing.
100
101 It is checked by getseuserbyname(3) that is called by SELinux-
102 aware login applications such as PAM(8).
103
104 If set to 0 or the entry missing:
105 getseuserbyname(3) will return the GNU / Linux user name
106 as the SELinux user.
107
108 If set to 1:
109 getseuserbyname(3) will fail.
110
111 The getseuserbyname(3) man page should be consulted for its use.
112 The format of the seusers file is shown in seusers(5).
113
114
115 AUTORELABEL
116 This is an optional entry that allows the file system to be re‐
117 labeled.
118
119 If set to 0 and there is a file called .autorelabel in the root
120 directory, then on a reboot, the loader will drop to a shell
121 where a root login is required. An administrator can then manu‐
122 ally relabel the file system.
123
124 If set to 1 or no entry present (the default) and there is a
125 .autorelabel file in the root directory, then the file system
126 will be automatically relabeled using fixfiles -F restore
127
128 In both cases the /.autorelabel file will be removed so that re‐
129 labeling is not done again.
130
131
132
134 This example config file shows the minimum contents for a system to run
135 SELinux in enforcing mode, with a policy_name of 'targeted':
136
137 SELINUX = enforcing
138 SELINUXTYPE = targeted
139
140
142 selinux(8), sestatus(8), selinux_path(3), selinux_policy_root_path(3),
143 selinux_binary_policy_path(3), getseuserbyname(3), PAM(8), fixfiles(8),
144 selinux_mkload_policy(3), selinux_getpolicytype(3), security_poli‐
145 cyvers(3), selinux_getenforcemode(3), seusers(5)
146
147
148
149Security Enhanced Linux 18 Nov 2011 selinux_config(5)