1selinux(8) SELinux Command Line documentation selinux(8)
2
3
4
6 selinux - NSA Security-Enhanced Linux (SELinux)
7
8
10 NSA Security-Enhanced Linux (SELinux) is an implementation of a flexi‐
11 ble mandatory access control architecture in the Linux operating sys‐
12 tem. The SELinux architecture provides general support for the
13 enforcement of many kinds of mandatory access control policies, includ‐
14 ing those based on the concepts of Type Enforcement®, Role- Based
15 Access Control, and Multi-Level Security. Background information and
16 technical documentation about SELinux can be found at
17 http://www.nsa.gov/selinux.
18
19 The /etc/selinux/config configuration file controls whether SELinux is
20 enabled or disabled, and if enabled, whether SELinux operates in per‐
21 missive mode or enforcing mode. The SELINUX variable may be set to any
22 one of disabled, permissive, or enforcing to select one of these
23 options. The disabled option completely disables the SELinux kernel
24 and application code, leaving the system running without any SELinux
25 protection. The permissive option enables the SELinux code, but causes
26 it to operate in a mode where accesses that would be denied by policy
27 are permitted but audited. The enforcing option enables the SELinux
28 code and causes it to enforce access denials as well as auditing them.
29 Permissive mode may yield a different set of denials than enforcing
30 mode, both because enforcing mode will prevent an operation from pro‐
31 ceeding past the first denial and because some application code will
32 fall back to a less privileged mode of operation if denied access.
33
34 The /etc/selinux/config configuration file also controls what policy is
35 active on the system. SELinux allows for multiple policies to be
36 installed on the system, but only one policy may be active at any given
37 time. At present, two kinds of SELinux policy exist: targeted and
38 strict. The targeted policy is designed as a policy where most pro‐
39 cesses operate without restrictions, and only specific services are
40 placed into distinct security domains that are confined by the policy.
41 For example, the user would run in a completely unconfined domain while
42 the named daemon or apache daemon would run in a specific domain tai‐
43 lored to its operation. The strict policy is designed as a policy
44 where all processes are partitioned into fine-grained security domains
45 and confined by policy. It is anticipated in the future that other
46 policies will be created (Multi-Level Security for example). You can
47 define which policy you will run by setting the SELINUXTYPE environment
48 variable within /etc/selinux/config. The corresponding policy configu‐
49 ration for each such policy must be installed in the
50 /etc/selinux/SELINUXTYPE/ directories.
51
52 A given SELinux policy can be customized further based on a set of com‐
53 pile-time tunable options and a set of runtime policy booleans. sys‐
54 tem-config-securitylevel allows customization of these booleans and
55 tunables.
56
57 Many domains that are protected by SELinux also include selinux man
58 pages explainging how to customize their policy.
59
60
62 All files, directories, devices ... have a security context/label asso‐
63 ciated with them. These context are stored in the extended attributes
64 of the file system. Problems with SELinux often arise from the file
65 system being mislabeled. This can be caused by booting the machine with
66 a non selinux kernel. If you see an error message containing file_t,
67 that is usually a good indicator that you have a serious problem with
68 file system labeling.
69
70 The best way to relabel the file system is to create the flag file
71 /.autorelabel and reboot. system-config-securitylevel, also has this
72 capability. The restorcon/fixfiles commands are also available for
73 relabeling files.
74
75
77 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
78
79
81 booleans(8), setsebool(8), selinuxenabled(8), togglesebool(8), restore‐
82 con(8), setfiles(8), ftpd_selinux(8), named_selinux(8),
83 rsync_selinux(8), httpd_selinux(8), nfs_selinux(8), samba_selinux(8),
84 kerberos_selinux(8), nis_selinux(8), ypbind_selinux(8)
85
86
87
89 /etc/selinux/config
90
91
92
93dwalsh@redhat.com 29 Apr 2005 selinux(8)