Topic: selinux
bashconsole
« on: May 09, 2009, 12:30:47 PM »

NAME
       selinux - NSA Security-Enhanced Linux (SELinux)

DESCRIPTION
       NSA Security-Enhanced Linux (SELinux) is an implementation of a flexible mandatory access control
       architecture in the Linux operating system.  The SELinux architecture provides general support for the
       enforcement of many kinds of mandatory access control policies, including those based on the concepts of
       Type Enforcement(R), Role-Based Access Control, and Multi-Level Security.  Background information and
       technical documentation about SELinux can be found at http://www.nsa.gov/selinux.

       The  /etc/selinux/config  configuration  file  controls  whether  SELinux is enabled or disabled, and if
       enabled, whether SELinux operates in permissive mode or enforcing mode.  The SELINUX variable may be set
       to  any  one  of disabled, permissive, or enforcing to select one of these options.  The disabled option
       completely disables the SELinux kernel and application code, leaving  the  system  running  without  any
       SELinux  protection.  The permissive option enables the SELinux code, but causes it to operate in a mode
       where accesses that would be denied by policy are permitted but audited.  The enforcing  option  enables
       the  SELinux code and causes it to enforce access denials as well as auditing them.  Permissive mode may
       yield a different set of denials than enforcing mode, both because enforcing mode will prevent an
       operation from proceeding past the first denial and because some application code will fall back to a less
       privileged mode of operation if denied access.

       The /etc/selinux/config configuration file also controls what policy is active on the  system.   SELinux
       allows  for  multiple  policies  to be installed on the system, but only one policy may be active at any
       given time.  At present, two kinds of SELinux policy exist: targeted and strict.  The targeted policy is
       designed  as  a policy where most processes operate without restrictions, and only specific services are
       placed into distinct security domains that are confined by the policy.  For example, the user would  run
       in a completely unconfined domain while the named daemon or apache daemon would run in a specific domain
       tailored to its operation.  The strict policy is designed as a policy where all processes are
       partitioned into fine-grained security domains and confined by policy.  It is anticipated in the future that
       other policies will be created (Multi-Level Security for example).  You can define which policy you will
       run by setting the SELINUXTYPE environment variable within /etc/selinux/config.  The corresponding
       policy configuration for each such policy must be installed in the /etc/selinux/SELINUXTYPE/ directories.

       A given SELinux policy can be customized further based on a set of compile-time tunable  options  and  a
       set  of runtime policy booleans.  system-config-securitylevel allows customization of these booleans and
       tunables.

       Many domains that are protected by SELinux also include selinux man pages explaining how to customize
       their policy.


FILE LABELING
       All files, directories, devices ... have a security context/label associated with them.  These contexts
       are stored in the extended attributes of the file system.  Problems with SELinux often arise from the
       file system being mislabeled.  This can be caused by booting the machine with a non-SELinux kernel.  If
       you see an error message containing file_t, that is usually a good indicator that you have a serious
       problem with file system labeling.
       The best way to relabel the file system is to create the flag file /.autorelabel and reboot.
       system-config-securitylevel also has this capability.  The restorecon/fixfiles commands are also available for
       relabeling files.

AUTHOR
       This manual page was written by Dan Walsh <dwalsh@redhat.com>.

SEE ALSO
       booleans(8),    setsebool(8),    selinuxenabled(8),    togglesebool(8),    restorecon(8),   setfiles(8),
       ftpd_selinux(8), named_selinux(8), rsync_selinux(8), httpd_selinux(8), nfs_selinux(8), samba_selinux(8),
       kerberos_selinux(8), nis_selinux(8), ypbind_selinux(8)

FILES
       /etc/selinux/config

dwalsh@redhat.com                 29 Apr 2005                       selinux(8)

http://bashconsole.org/man.8.selinux
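
The FILE LABELING section names file_t in an error message as a sign of a mislabeled file system. The following is an added example, not part of the man page or the original post: it scans audit records for AVC denials whose target context has type file_t and counts them per command. The log lines are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: flag AVC denials whose target context has type file_t.

# Constructed sample audit records (not taken from a real system).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1241871047.101:41): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=sda1 ino=4411 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1241871047.202:42): avc:  denied  { getattr } for  pid=2101 comm="httpd" name="logo.png" dev=sda1 ino=4412 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1241871050.303:43): avc:  denied  { write } for  pid=2250 comm="named" name="named.log" dev=sda1 ino=5120 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=USER_AUTH msg=audit(1241871055.404:44): user pid=2300 uid=0 msg='PAM: authentication acct="root"'
type=AVC msg=audit(1241871060.505:45): avc:  denied  { search } for  pid=2400 comm="smbd" name="share" dev=sda2 ino=77 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:file_t tclass=dir
EOF
}

# Read audit records on stdin; print "count comm" for each command that was
# denied access to an object labeled file_t. The type is the third
# colon-separated field of tcontext, with or without a trailing MLS level.
file_t_denials() {
    awk '
    /avc:/ && /denied/ {
        comm = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        }
        if (ttype == "file_t") hits[comm]++
    }
    END { for (k in hits) print hits[k], k }' | sort -k2
}

# Exit status 0 means the log on stdin shows file_t denials, so the
# relabel steps described in the man page are worth following up.
needs_relabel() {
    [ -n "$(file_t_denials)" ]
}
```

Run `sample_audit_log | file_t_denials` to see the per-command counts for the constructed records.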
bashconsole
« Reply #1 on: May 09, 2009, 12:32:36 PM »

Disable SELinux
Code:
vi /etc/sysconfig/selinux

Change
SELINUX=enforcing

to
SELINUX=permissive

or
SELINUX=disabled

Once you've saved the change, reboot the machine
reboot
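
The SELINUX and SELINUXTYPE settings described in the man page, and edited in the reply above, can be checked with a short script. This is an added example, not part of either post: it reads both variables from a config file, reports the mode, and checks that a directory exists for the selected policy. The function names, the two path parameters and the fixture in `demo` are this example's own, and taking the last assignment of a variable is an assumption of the example.

```shell
#!/bin/sh
# Added example: audit an SELinux config file for mode and policy settings.

# cfg_value FILE KEY: print the value assigned to KEY, skipping comment
# lines and trailing comments. Last assignment wins (example's assumption).
cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# audit_selinux_config CONFIG POLICY_ROOT
# Prints one finding per line; returns 0 only for enforcing mode with the
# selected policy directory present under POLICY_ROOT.
audit_selinux_config() {
    cfg=$1; root=$2; rc=0
    mode=$(cfg_value "$cfg" SELINUX)
    ptype=$(cfg_value "$cfg" SELINUXTYPE)
    case $mode in
        enforcing)  echo "OK: SELINUX=enforcing" ;;
        permissive) echo "WARN: SELINUX=permissive (denials audited, not enforced)"; rc=1 ;;
        disabled)   echo "FAIL: SELINUX=disabled (no SELinux protection)"; rc=1 ;;
        *)          echo "FAIL: SELINUX missing or invalid: '$mode'"; rc=1 ;;
    esac
    if [ -z "$ptype" ]; then
        echo "FAIL: SELINUXTYPE not set"; rc=1
    elif [ -d "$root/$ptype" ]; then
        echo "OK: policy '$ptype' installed under $root/$ptype"
    else
        echo "FAIL: policy '$ptype' has no directory $root/$ptype"; rc=1
    fi
    return $rc
}

# Constructed fixture: a config set to permissive, as in the reply, with a
# targeted policy directory, built in a temporary directory.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/policy/targeted"
    printf '# constructed sample\nSELINUX=permissive\nSELINUXTYPE=targeted\n' > "$d/config"
    audit_selinux_config "$d/config" "$d/policy"; status=$?
    rm -rf "$d"
    return $status
}
```

Call `demo` to see the findings for the constructed fixture; on a host, the arguments would be the config file path and /etc/selinux.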