
selinux(8)                                SELinux Command Line documentation                               selinux(8)



NAME
       SELinux - NSA Security-Enhanced Linux (SELinux)

DESCRIPTION
       NSA Security-Enhanced Linux (SELinux) is an implementation of a flexible mandatory access control architecture
       in the Linux operating system.  The SELinux architecture provides general support for the enforcement of  many
       kinds  of mandatory access control policies, including those based on the concepts of Type Enforcement®, Role-
       Based Access Control, and Multi-Level Security.  Background  information  and  technical  documentation  about
       SELinux can be found at http://www.nsa.gov/research/selinux.

       The /etc/selinux/config configuration file controls whether SELinux is enabled or disabled, and if enabled,
       whether SELinux operates in permissive mode or enforcing mode.  The SELINUX variable may be set to any one of
       disabled, permissive, or enforcing to select one of these options.  The disabled option completely disables
       the SELinux kernel and application code, leaving the system running without any SELinux protection.  The
       permissive option enables the SELinux code, but causes it to operate in a mode where accesses that would be
       denied by policy are permitted but audited.  The enforcing option enables the SELinux code and causes it to
       enforce access denials as well as auditing them.  Permissive mode may yield a different set of denials than
       enforcing mode, both because enforcing mode will prevent an operation from proceeding past the first denial
       and because some application code will fall back to a less privileged mode of operation if denied access.

       The /etc/selinux/config configuration file also controls what policy is active on the system.  SELinux allows
       for multiple policies to be installed on the system, but only one policy may be active at any given time.  At
       present, multiple kinds of SELinux policy exist, for example targeted and mls.  The targeted policy is designed
       as a policy where most user processes operate without restrictions, and only specific services are placed into
       distinct security domains that are confined by the policy.  For example, the user would run in a completely
       unconfined domain while the named daemon or apache daemon would run in a specific domain tailored to its
       operation.  The MLS (Multi-Level Security) policy is designed as a policy where all processes are partitioned
       into fine-grained security domains and confined by policy.  MLS also supports the Bell-LaPadula model, where
       processes are confined not only by their type but also by the level of the data they access.

       You can define which policy you will run by setting the SELINUXTYPE variable in /etc/selinux/config.  You
       must reboot, and possibly relabel, after changing the policy type for the change to take effect on the
       system.  The corresponding policy configuration for each such policy must be installed in the
       /etc/selinux/{SELINUXTYPE}/ directories.
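       The following script is an added illustration, not part of this manual page or of the SELinux tools.  It
       reads a file in the /etc/selinux/config format, checks that SELINUX and SELINUXTYPE hold valid values, checks
       that the /etc/selinux/{SELINUXTYPE}/ directory is installed, and warns when the live kernel mode read from
       /sys/fs/selinux/enforce differs from the configured one (the change only takes effect at reboot).  The
       optional root argument and the sample tree the demonstration writes are constructed for the example.

```shell
#!/bin/sh
# Added example: sanity-check a file in /etc/selinux/config format.
# Usage: check_selinux_config <config-file> [root]
# "root" (default empty, i.e. the real filesystem) is prefixed to
# /etc/selinux/<SELINUXTYPE>/ and /sys/fs/selinux/enforce so the check
# can also run against a constructed directory tree.
check_selinux_config() {
    cfg=$1
    root=${2:-}
    rc=0
    # Take the last uncommented assignment of each variable, as a shell would.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$cfg" | tail -n 1)
    ptype=$(sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' "$cfg" | tail -n 1)
    case "$mode" in
        enforcing)  ;;
        permissive) echo "WARN: SELINUX=permissive: denials are audited, not enforced" ;;
        disabled)   echo "WARN: SELINUX=disabled: no SELinux protection; relabel when re-enabling" ;;
        "")         echo "ERROR: SELINUX is not set in $cfg"; rc=1 ;;
        *)          echo "ERROR: SELINUX=$mode is not disabled, permissive or enforcing"; rc=1 ;;
    esac
    if [ -z "$ptype" ]; then
        echo "ERROR: SELINUXTYPE is not set in $cfg"; rc=1
    elif [ ! -d "$root/etc/selinux/$ptype" ]; then
        echo "ERROR: SELINUXTYPE=$ptype but $root/etc/selinux/$ptype/ is not installed"; rc=1
    fi
    # Compare with the live kernel mode when selinuxfs is mounted (1 = enforcing).
    enf="$root/sys/fs/selinux/enforce"
    if [ -r "$enf" ]; then
        case "$(cat "$enf")" in 1) running=enforcing ;; *) running=permissive ;; esac
        [ "$running" = "$mode" ] ||
            echo "WARN: kernel is $running but $cfg says $mode; takes effect after a reboot"
    fi
    return $rc
}

# Demonstration on a constructed tree (not a real system): a valid config,
# an installed targeted policy, and a kernel that is currently permissive.
demo=$(mktemp -d)
mkdir -p "$demo/etc/selinux/targeted" "$demo/sys/fs/selinux"
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo/etc/selinux/config"
echo 0 > "$demo/sys/fs/selinux/enforce"
check_selinux_config "$demo/etc/selinux/config" "$demo"
rm -rf "$demo"
```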

       A given SELinux policy can be customized further based on a set of compile-time tunable options and a  set  of
       runtime policy booleans.  system-config-selinux allows customization of these booleans and tunables.

       Many  domains  that  are protected by SELinux also include SELinux man pages explaining how to customize their
       policy.

FILE LABELING
       All files, directories, devices ... have a security context/label associated with them.  These contexts are
       stored in the extended attributes of the file system.  Problems with SELinux often arise from the file system
       being mislabeled.  This can be caused by booting the machine with a non-SELinux kernel.  If you see an error
       message containing file_t, that is usually a good indicator that you have a serious problem with file system
       labeling.

       The best way to relabel the file system is to create the flag file /.autorelabel and reboot.
       system-config-selinux also has this capability.  The restorecon/fixfiles commands are also available for
       relabeling files.

AUTHOR
       This manual page was written by Dan Walsh <[email protected]>.

FILES

       man -k selinux

       Will list all SELinux man pages.



[email protected]                                    29 Apr 2005                                           selinux(8)