1selinux(8) SELinux Command Line documentation selinux(8)
2
3
4
6 SELinux - NSA Security-Enhanced Linux (SELinux)
7
9 NSA Security-Enhanced Linux (SELinux) is an implementation of a flexi‐
10 ble mandatory access control architecture in the Linux operating sys‐
11 tem. The SELinux architecture provides general support for the
12 enforcement of many kinds of mandatory access control policies, includ‐
13 ing those based on the concepts of Type Enforcement®, Role- Based
14 Access Control, and Multi-Level Security. Background information and
15 technical documentation about SELinux can be found at
16 http://www.nsa.gov/research/selinux.
17
18 The /etc/selinux/config configuration file controls whether SELinux is
19 enabled or disabled, and if enabled, whether SELinux operates in per‐
20 missive mode or enforcing mode. The SELINUX variable may be set to any
21 one of disabled, permissive, or enforcing to select one of these
22 options. The disabled option completely disables the SELinux kernel
23 and application code, leaving the system running without any SELinux
24 protection. The permissive option enables the SELinux code, but causes
25 it to operate in a mode where accesses that would be denied by policy
26 are permitted but audited. The enforcing option enables the SELinux
27 code and causes it to enforce access denials as well as auditing them.
28 Permissive mode may yield a different set of denials than enforcing
29 mode, both because enforcing mode will prevent an operation from pro‐
30 ceeding past the first denial and because some application code will
31 fall back to a less privileged mode of operation if denied access.
32
33 The /etc/selinux/config configuration file also controls what policy is
34 active on the system. SELinux allows for multiple policies to be
35 installed on the system, but only one policy may be active at any given
36 time. At present, multiple kinds of SELinux policy exist: targeted,
37 mls for example. The targeted policy is designed as a policy where
38 most user processes operate without restrictions, and only specific
39 services are placed into distinct security domains that are confined by
40 the policy. For example, the user would run in a completely unconfined
41 domain while the named daemon or apache daemon would run in a specific
42 domain tailored to its operation. The MLS (Multi-Level Security) pol‐
43 icy is designed as a policy where all processes are partitioned into
44 fine-grained security domains and confined by policy. MLS also sup‐
45 ports the Bell And LaPadula model, where processes are not only con‐
46 fined by the type but also the level of the data.
47
48 You can define which policy you will run by setting the SELINUXTYPE
49 environment variable within /etc/selinux/config. You must reboot and
50 possibly relabel if you change the policy type to have it take effect
51 on the system. The corresponding policy configuration for each such
52 policy must be installed in the /etc/selinux/{SELINUXTYPE}/ directo‐
53 ries.
54
55 A given SELinux policy can be customized further based on a set of com‐
56 pile-time tunable options and a set of runtime policy booleans.
57 system-config-selinux allows customization of these booleans and tun‐
58 ables.
59
60 Many domains that are protected by SELinux also include SELinux man
61 pages explaining how to customize their policy.
62
64 All files, directories, devices ... have a security context/label asso‐
65 ciated with them. These context are stored in the extended attributes
66 of the file system. Problems with SELinux often arise from the file
67 system being mislabeled. This can be caused by booting the machine with
68 a non SELinux kernel. If you see an error message containing file_t,
69 that is usually a good indicator that you have a serious problem with
70 file system labeling.
71
72 The best way to relabel the file system is to create the flag file
73 /.autorelabel and reboot. system-config-selinux, also has this capa‐
74 bility. The restorecon/fixfiles commands are also available for rela‐
75 beling files.
76
78 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
79
81 /etc/selinux/config
82
84 booleans(8), setsebool(8), togglesebool(8), restorecon(8), fixfiles(8),
85 setfiles(8), semanage(8)
86
87 Every confined service on the system has a man page in the following
88 format:
89
90 <servicename>_selinux(8)
91
92 For example, httpd has the httpd_selinux(8) man page.
93
94 man -k selinux
95
96 Will list all SELinux man pages.
97
98
99
100dwalsh@redhat.com 29 Apr 2005 selinux(8)