selinux_config(5)        SELinux configuration file        selinux_config(5)

NAME
       config - The SELinux sub-system configuration file.

DESCRIPTION
       The SELinux config file controls the state of SELinux regarding:

              1.  The policy enforcement status - enforcing, permissive or
                  disabled.

              2.  The policy name or type that forms a path to the policy to
                  be loaded and its supporting configuration files.

              3.  How local users and booleans will be managed when the policy
                  is loaded (note that this function was used by older
                  releases of SELinux and is now deprecated).

              4.  How SELinux-aware login applications should behave if no
                  valid SELinux users are configured.

              5.  Whether the system is to be relabeled or not.

       The entries controlling these functions are described in the FILE
       FORMAT section.

       The fully qualified path name of the SELinux configuration file is
       /etc/selinux/config.

       If the config file is missing or corrupt, then no SELinux policy is
       loaded (i.e. SELinux is disabled).

       The sestatus(8) command and the libselinux function selinux_path(3)
       will return the location of the config file.

FILE FORMAT
       The config file supports the following parameters:

              SELINUX = enforcing | permissive | disabled
              SELINUXTYPE = policy_name
              SETLOCALDEFS = 0 | 1
              REQUIRESEUSERS = 0 | 1
              AUTORELABEL = 0 | 1

       Where:
       SELINUX
              This entry can contain one of three values:

                   enforcing
                          SELinux security policy is enforced.

                   permissive
                          SELinux security policy is not enforced, but
                          warnings are logged (i.e. the action is allowed to
                          proceed).

                   disabled
                          SELinux is disabled and no policy is loaded.

              The entry can be determined using the sestatus(8) command or
              selinux_getenforcemode(3).

       SELINUXTYPE
              The policy_name entry is used to identify the policy type, and
              becomes the name of the directory where the policy and its
              configuration files are located.

              The entry can be determined using the sestatus(8) command or
              selinux_getpolicytype(3).

              The policy_name is relative to a path that is defined within the
              SELinux subsystem that can be retrieved by using
              selinux_path(3). An example entry retrieved by selinux_path(3)
              is:
                   /etc/selinux/

              The policy_name is then appended to this and becomes the 'policy
              root' location that can be retrieved by
              selinux_policy_root_path(3). An example entry retrieved is:
                   /etc/selinux/targeted

              The actual binary policy is located relative to this directory
              and also has a policy name pre-allocated. This information can
              be retrieved using selinux_binary_policy_path(3). An example
              entry retrieved by selinux_binary_policy_path(3) is:
                   /etc/selinux/targeted/policy/policy

              By convention, the binary policy name has the SELinux policy
              version that it supports appended to it. The maximum policy
              version supported by the kernel can be determined using the
              sestatus(8) command or security_policyvers(3). An example binary
              policy file with the version is:
                   /etc/selinux/targeted/policy/policy.24

       SETLOCALDEFS
              This entry is deprecated and should be removed or set to 0.

              If set to 1, then selinux_mkload_policy(3) will read the local
              customization for booleans (see booleans(5)) and users (see
              local.users(5)).

       REQUIRESEUSERS
              This optional entry can be used to fail a login if there is no
              matching or default entry in the seusers(5) file or if the
              seusers file is missing.

              It is checked by getseuserbyname(3) that is called by
              SELinux-aware login applications such as PAM(8).

              If set to 0 or the entry missing:
                   getseuserbyname(3) will return the GNU/Linux user name
                   as the SELinux user.

              If set to 1:
                   getseuserbyname(3) will fail.

              The getseuserbyname(3) man page should be consulted for its use.
              The format of the seusers file is shown in seusers(5).

       AUTORELABEL
              This is an optional entry that allows the file system to be
              relabeled.

              If set to 0 and there is a file called .autorelabel in the root
              directory, then on a reboot, the loader will drop to a shell
              where a root login is required. An administrator can then
              manually relabel the file system.

              If set to 1 or no entry present (the default) and there is a
              .autorelabel file in the root directory, then the file system
              will be automatically relabeled using fixfiles -F restore.

              In both cases the /.autorelabel file will be removed so that
              relabeling is not done again.

EXAMPLE
       This example config file shows the minimum contents for a system to run
       SELinux in enforcing mode, with a policy_name of 'targeted':

              SELINUX = enforcing
              SELINUXTYPE = targeted

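       The following audit sketch is an added example, not part of the
       original manual page or of libselinux. It applies the parameter rules
       described above to the text of a config file and derives the policy
       root. It assumes '#' comments, optional spaces around '=', and the
       example base path /etc/selinux/; all function names and the sample
       input are constructed for illustration.

```python
import re

KNOWN = {"SELINUX", "SELINUXTYPE", "SETLOCALDEFS", "REQUIRESEUSERS", "AUTORELABEL"}
MODES = {"enforcing", "permissive", "disabled"}
SELINUX_ROOT = "/etc/selinux/"  # example value from the page; selinux_path(3) reports the real one

def parse_config(text):
    """Map KEY -> value; blank lines and '#' comments (assumed syntax) are skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z_]+)\s*=\s*(\S+)", line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries

def audit(text):
    """Return (policy_root or None, findings) for the text of a config file."""
    cfg = parse_config(text)
    findings = []
    mode = cfg.get("SELINUX")
    if mode not in MODES:
        findings.append("SELINUX missing or invalid")
    elif mode != "enforcing":
        findings.append(f"SELINUX={mode}: policy is not enforced")
    ptype = cfg.get("SELINUXTYPE", "")
    root = None
    if ptype and "/" not in ptype and ptype not in (".", ".."):
        root = SELINUX_ROOT + ptype  # the 'policy root' described under SELINUXTYPE
    else:
        findings.append("SELINUXTYPE missing or not a plain directory name")
    if cfg.get("SETLOCALDEFS") == "1":
        findings.append("SETLOCALDEFS=1: deprecated, remove or set to 0")
    if cfg.get("REQUIRESEUSERS") != "1":
        findings.append("REQUIRESEUSERS not 1: getseuserbyname(3) falls back to the Linux user name")
    for key in sorted(set(cfg) - KNOWN):
        findings.append(f"unknown key {key}")  # e.g. a misspelled parameter name
    return root, findings

# Constructed sample input, not taken from a real host.
SAMPLE = """\
# constructed example
SELINUX = permissive
SELINUXTYPE = targeted
SETLOCALDEFS = 1
REQUIREUSERS = 1
"""

if __name__ == "__main__":
    root, findings = audit(SAMPLE)
    print(root, *findings, sep="\n- ")
```
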
SEE ALSO
       selinux(8), sestatus(8), selinux_path(3), selinux_policy_root_path(3),
       selinux_binary_policy_path(3), getseuserbyname(3), PAM(8), fixfiles(8),
       selinux_mkload_policy(3), selinux_getpolicytype(3),
       security_policyvers(3), selinux_getenforcemode(3), seusers(5),
       booleans(5), local.users(5)

Security Enhanced Linux          18 Nov 2011          selinux_config(5)