selinux(8)            SELinux Command Line documentation            selinux(8)


NAME

       SELinux - NSA Security-Enhanced Linux (SELinux)


DESCRIPTION

       NSA Security-Enhanced Linux (SELinux) is an implementation of a flexible
       mandatory access control architecture in the Linux operating system.
       The SELinux architecture provides general support for the enforcement
       of many kinds of mandatory access control policies, including those
       based on the concepts of Type Enforcement®, Role-Based Access Control,
       and Multi-Level Security.  Background information and technical
       documentation about SELinux can be found at
       https://github.com/SELinuxProject.

       The /etc/selinux/config configuration file controls whether SELinux is
       enabled or disabled, and if enabled, whether SELinux operates in
       permissive mode or enforcing mode.  The SELINUX variable may be set to
       any one of disabled, permissive, or enforcing to select one of these
       options.  The disabled option disables most of the SELinux kernel and
       application code, leaving the system running without any SELinux
       protection.  The permissive option enables the SELinux code, but causes
       it to operate in a mode where accesses that would be denied by policy
       are permitted but audited.  The enforcing option enables the SELinux
       code and causes it to enforce access denials as well as auditing them.
       Permissive mode may yield a different set of denials than enforcing
       mode, both because enforcing mode will prevent an operation from
       proceeding past the first denial and because some application code
       will fall back to a less privileged mode of operation if denied access.

       NOTE: Disabling SELinux by setting SELINUX=disabled in
       /etc/selinux/config is deprecated and, depending on kernel version and
       configuration, it might not lead to SELinux being completely disabled.
       Specifically, the SELinux hooks will still be executed internally, but
       the SELinux policy will not be loaded and no operation will be denied.
       In that state, the system will act as if SELinux were disabled,
       although some operations might behave slightly differently.  To
       properly disable SELinux, it is recommended to use the selinux=0 kernel
       boot option instead.  In that case SELinux will be disabled regardless
       of what is set in the /etc/selinux/config file.

       The /etc/selinux/config configuration file also controls what policy is
       active on the system.  SELinux allows for multiple policies to be
       installed on the system, but only one policy may be active at any given
       time.  At present, multiple kinds of SELinux policy exist, for example
       targeted and mls.  The targeted policy is designed as a policy where
       most user processes operate without restrictions, and only specific
       services are placed into distinct security domains that are confined by
       the policy.  For example, the user would run in a completely unconfined
       domain while the named daemon or apache daemon would run in a specific
       domain tailored to its operation.  The MLS (Multi-Level Security)
       policy is designed as a policy where all processes are partitioned into
       fine-grained security domains and confined by policy.  MLS also
       supports the Bell and LaPadula model, where processes are confined not
       only by the type but also by the level of the data.

       You can define which policy you will run by setting the SELINUXTYPE
       variable within /etc/selinux/config.  If you change the policy type,
       you must reboot, and possibly relabel the file system, for the change
       to take effect.  The corresponding policy configuration for each such
       policy must be installed in the /etc/selinux/{SELINUXTYPE}/ directory.

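       The following shell snippet is an added example, not part of selinux(8)
       or the SELinux project: it parses an /etc/selinux/config-style file,
       checks that SELINUX holds one of the three documented values and that
       SELINUXTYPE names a policy, and flags the deprecated SELINUX=disabled
       setting.  The function names and the sample config files are
       constructed for this example.

```shell
#!/bin/sh
# Added example, not from selinux(8): validate an /etc/selinux/config-style
# file.  The path is a parameter so it can run on a constructed sample
# rather than the live /etc/selinux/config.  Function names are constructed.

# Print the last value assigned to KEY in FILE, ignoring comment lines and
# surrounding whitespace.  Usage: selinux_config_get FILE KEY
selinux_config_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Report on the SELINUX mode and SELINUXTYPE policy in FILE.  Returns 0 when
# SELINUX is one of disabled, permissive or enforcing and SELINUXTYPE is set,
# 1 otherwise.  Usage: selinux_config_check FILE
selinux_config_check() {
    mode=$(selinux_config_get "$1" SELINUX)
    ptype=$(selinux_config_get "$1" SELINUXTYPE)
    rc=0
    case "$mode" in
        enforcing)  echo "SELINUX=enforcing: denials enforced and audited" ;;
        permissive) echo "SELINUX=permissive: denials audited but permitted" ;;
        disabled)   echo "SELINUX=disabled: deprecated; hooks still run," \
                         "use the selinux=0 kernel boot option instead" ;;
        *)          echo "SELINUX='$mode': not disabled, permissive or enforcing"
                    rc=1 ;;
    esac
    if [ -n "$ptype" ]; then
        echo "SELINUXTYPE=$ptype: policy expected under /etc/selinux/$ptype/"
    else
        echo "SELINUXTYPE unset: no policy selected"
        rc=1
    fi
    return $rc
}

# Constructed sample config files, so the check runs without touching the
# real /etc/selinux/config.
tmp=$(mktemp -d)
printf '# constructed sample\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$tmp/ok"
printf 'SELINUX=disabled\nSELINUXTYPE=mls\n' > "$tmp/deprecated"
printf 'SELINUX=enforce\n' > "$tmp/bad"        # typo: not a valid mode
selinux_config_check "$tmp/ok"
selinux_config_check "$tmp/deprecated"
selinux_config_check "$tmp/bad" || echo "rejected: $tmp/bad"
rm -rf "$tmp"
```
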
       A given SELinux policy can be customized further based on a set of
       compile-time tunable options and a set of runtime policy booleans.
       system-config-selinux allows customization of these booleans and
       tunables.

       Many domains that are protected by SELinux also include SELinux man
       pages explaining how to customize their policy.

FILE LABELING

       All files, directories, devices, etc. have a security context/label
       associated with them.  These contexts are stored in the extended
       attributes of the file system.  Problems with SELinux often arise from
       the file system being mislabeled.  This can be caused by booting the
       machine with a non-SELinux kernel.  If you see an error message
       containing file_t, that is usually a good indicator that you have a
       serious problem with file system labeling.

       The best way to relabel the file system is to create the flag file
       /.autorelabel and reboot.  system-config-selinux also has this
       capability.  The restorecon/fixfiles commands are also available for
       relabeling files.

       Please note that using the mount flag nosuid also disables SELinux
       domain transitions, unless the permission nosuid_transition is used in
       the policy to allow this, which in turn also requires the policy
       capability nnp_nosuid_transition.

AUTHOR

       This manual page was written by Dan Walsh <dwalsh@redhat.com>.

FILES

       /etc/selinux/config

SEE ALSO

       booleans(8), setsebool(8), sepolicy(8), system-config-selinux(8),
       togglesebool(8), restorecon(8), fixfiles(8), setfiles(8), semanage(8)

       Every confined service on the system has a man page in the following
       format:

       <servicename>_selinux(8)

       For example, httpd has the httpd_selinux(8) man page.

       man -k selinux

       will list all SELinux man pages.

dwalsh@redhat.com                 29 Apr 2005                       selinux(8)