selinux_config(5)          SELinux configuration file          selinux_config(5)

NAME
       config - The SELinux sub-system configuration file.

DESCRIPTION
       The SELinux config file controls the state of SELinux regarding:

              1.  The policy enforcement status - enforcing, permissive or
                  disabled.

              2.  The policy name or type that forms a path to the policy to
                  be loaded and its supporting configuration files.

              3.  How SELinux-aware login applications should behave if no
                  valid SELinux users are configured.

              4.  Whether the system is to be relabeled or not.

       The entries controlling these functions are described in the FILE
       FORMAT section.

       The fully qualified path name of the SELinux configuration file is
       /etc/selinux/config.

       If the config file is missing or corrupt, then no SELinux policy is
       loaded (i.e. SELinux is disabled).

       The sestatus(8) command and the libselinux function selinux_path(3)
       will return the location of the config file.

FILE FORMAT
       The config file supports the following parameters:

              SELINUX = enforcing | permissive | disabled
              SELINUXTYPE = policy_name
              REQUIRESEUSERS = 0 | 1
              AUTORELABEL = 0 | 1

       Where:
       SELINUX
              This entry can contain one of three values:

                   enforcing
                          SELinux security policy is enforced.

                   permissive
                          SELinux security policy is not enforced but logs the
                          warnings (i.e. the action is allowed to proceed).

                   disabled
                          No SELinux policy is loaded. This option was used to
                          disable SELinux completely, which is now deprecated.
                          Use the selinux=0 kernel boot option instead (see
                          selinux(8)).

              The entry can be determined using the sestatus(8) command or
              selinux_getenforcemode(3).

       SELINUXTYPE
              The policy_name entry is used to identify the policy type, and
              becomes the directory name of where the policy and its
              configuration files are located.

              The entry can be determined using the sestatus(8) command or
              selinux_getpolicytype(3).

              The policy_name is relative to a path that is defined within the
              SELinux subsystem that can be retrieved by using
              selinux_path(3). An example entry retrieved by selinux_path(3)
              is:
                     /etc/selinux/

              The policy_name is then appended to this and becomes the 'policy
              root' location that can be retrieved by
              selinux_policy_root_path(3). An example entry retrieved is:
                     /etc/selinux/targeted

              The actual binary policy is located relative to this directory
              and also has a policy name pre-allocated. This information can
              be retrieved using selinux_binary_policy_path(3). An example
              entry retrieved by selinux_binary_policy_path(3) is:
                     /etc/selinux/targeted/policy/policy

              The binary policy name has by convention the SELinux policy
              version that it supports appended to it. The maximum policy
              version supported by the kernel can be determined using the
              sestatus(8) command or security_policyvers(3). An example binary
              policy file with the version is:
                     /etc/selinux/targeted/policy/policy.24

       REQUIRESEUSERS
              This optional entry can be used to fail a login if there is no
              matching or default entry in the seusers(5) file or if the
              seusers file is missing.

              It is checked by getseuserbyname(3) that is called by
              SELinux-aware login applications such as PAM(8).

              If set to 0 or the entry missing:
                     getseuserbyname(3) will return the GNU / Linux user name
                     as the SELinux user.

              If set to 1:
                     getseuserbyname(3) will fail.

              The getseuserbyname(3) man page should be consulted for its use.
              The format of the seusers file is shown in seusers(5).

       AUTORELABEL
              This is an optional entry that allows the file system to be
              relabeled.

              If set to 0 and there is a file called .autorelabel in the root
              directory, then on a reboot, the loader will drop to a shell
              where a root login is required. An administrator can then
              manually relabel the file system.

              If set to 1 or no entry present (the default) and there is a
              .autorelabel file in the root directory, then the file system
              will be automatically relabeled using fixfiles -F restore.

              In both cases the /.autorelabel file will be removed so that
              relabeling is not done again.

EXAMPLE
       This example config file shows the minimum contents for a system to run
       SELinux in enforcing mode, with a policy_name of 'targeted':

              SELINUX = enforcing
              SELINUXTYPE = targeted
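
An added example, not part of this man page or of libselinux: a Python audit of config file text against the entries, value sets and defaults described in FILE FORMAT, reporting settings that leave policy unenforced or logins unrestricted. The name audit_config, the tolerance for spaces around '=' (deployed files are normally written KEY=value) and the treatment of '#' as a comment marker are assumptions of this example.

```python
import re

# Entries and value sets from the FILE FORMAT section; None means free-form.
ALLOWED = {
    "SELINUX": {"enforcing", "permissive", "disabled"},
    "SELINUXTYPE": None,
    "REQUIRESEUSERS": {"0", "1"},
    "AUTORELABEL": {"0", "1"},
}
DEFAULTS = {"REQUIRESEUSERS": "0", "AUTORELABEL": "1"}  # defaults stated on the page
ENTRY = re.compile(r"^([A-Z]+)\s*=\s*(\S+)$")  # assumption: spaces around '=' tolerated

def audit_config(text, selinux_root="/etc/selinux/"):
    """Return the effective settings and findings for the text of a config file."""
    settings, findings = dict(DEFAULTS), []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        m = ENTRY.match(line)
        if not m or m.group(1) not in ALLOWED:
            findings.append(f"line {n}: unrecognised entry, ignored")
            continue
        key, value = m.groups()
        if ALLOWED[key] is not None and value not in ALLOWED[key]:
            findings.append(f"line {n}: invalid value for {key}")
        elif key == "SELINUXTYPE" and ("/" in value or value in (".", "..")):
            findings.append(f"line {n}: policy_name is not a single directory name")
        else:
            settings[key] = value
    mode = settings.get("SELINUX")
    if mode != "enforcing":
        findings.append(f"policy not enforced (SELINUX is {mode or 'missing or invalid'})")
    if settings["REQUIRESEUSERS"] == "0":
        findings.append("REQUIRESEUSERS=0: Linux user name used when seusers has no match")
    policy = settings.get("SELINUXTYPE")
    root = selinux_root + policy if policy else None
    return {"enforcing": mode == "enforcing", "policy_root": root,
            "settings": settings, "findings": findings}

# Constructed sample: misspelled REQUIRESEUSERS and a policy_name that escapes the root.
SAMPLE = """\
SELINUX = permissive
SELINUXTYPE = ../targeted
REQUIREUSERS = 1
"""

if __name__ == "__main__":
    print("\n".join(audit_config(SAMPLE)["findings"]))
```

A misspelled key is the case worth noticing in the sample: the intended REQUIRESEUSERS = 1 never takes effect, so the default of 0 silently remains.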

SEE ALSO
       selinux(8), sestatus(8), selinux_path(3), selinux_policy_root_path(3),
       selinux_binary_policy_path(3), getseuserbyname(3), PAM(8), fixfiles(8),
       selinux_mkload_policy(3), selinux_getpolicytype(3),
       security_policyvers(3), selinux_getenforcemode(3), seusers(5)

Security Enhanced Linux           18 Nov 2011                selinux_config(5)