| .TH "selinux" "8" "29 Apr 2005" "[email protected]" "SELinux Command Line documentation" |
| .SH "NAME" |
| SELinux \- NSA Security-Enhanced Linux (SELinux) |
| . |
| .SH "DESCRIPTION" |
| NSA Security-Enhanced Linux (SELinux) is an implementation of a |
| flexible mandatory access control architecture in the Linux operating |
| system. The SELinux architecture provides general support for the |
| enforcement of many kinds of mandatory access control policies, |
| including those based on the concepts of Type Enforcement®, Role- |
| Based Access Control, and Multi-Level Security. Background |
| information and technical documentation about SELinux can be found at |
| https://github.com/SELinuxProject. |
| |
| The |
| .I /etc/selinux/config |
| configuration file controls whether SELinux is |
| enabled or disabled, and if enabled, whether SELinux operates in |
| permissive mode or enforcing mode. The |
| .B SELINUX |
| variable may be set to |
| any one of \fIdisabled\fR, \fIpermissive\fR, or \fIenforcing\fR to |
| select one of these options. The \fIdisabled\fR disables most of the |
| SELinux kernel and application code, leaving the system |
| running without any SELinux protection. The \fIpermissive\fR option |
| enables the SELinux code, but causes it to operate in a mode where |
| accesses that would be denied by policy are permitted but audited. The |
| \fIenforcing\fR option enables the SELinux code and causes it to enforce |
| access denials as well as auditing them. \fIpermissive\fR mode may |
| yield a different set of denials than enforcing mode, both because |
| enforcing mode will prevent an operation from proceeding past the first |
| denial and because some application code will fall back to a less |
| privileged mode of operation if denied access. |
| |
| .B NOTE: |
| Disabling SELinux by setting |
| .B SELINUX=disabled |
| in |
| .I /etc/selinux/config |
| is deprecated and depending on kernel version and configuration it might |
| not lead to SELinux being completely disabled. Specifically, the |
| SELinux hooks will still be executed internally, but the SELinux policy |
| will not be loaded and no operation will be denied. In such state, the |
| system will act as if SELinux was disabled, although some operations |
| might behave slightly differently. To properly disable SELinux, it is |
| recommended to use the |
| .B selinux=0 |
| kernel boot option instead. In that case SELinux will be disabled |
| regardless of what is set in the |
| .I /etc/selinux/config |
| file. |
| |
| The |
| .I /etc/selinux/config |
| configuration file also controls what policy |
| is active on the system. SELinux allows for multiple policies to be |
| installed on the system, but only one policy may be active at any |
| given time. At present, multiple kinds of SELinux policy exist: targeted, |
| mls for example. The targeted policy is designed as a policy where most |
| user processes operate without restrictions, and only specific services are |
| placed into distinct security domains that are confined by the policy. |
| For example, the user would run in a completely unconfined domain |
| while the named daemon or apache daemon would run in a specific domain |
| tailored to its operation. The MLS (Multi-Level Security) policy is designed |
| as a policy where all processes are partitioned into fine-grained security |
| domains and confined by policy. MLS also supports the Bell And LaPadula model, where processes are not only confined by the type but also the level of the data. |
| |
| You can |
| define which policy you will run by setting the |
| .B SELINUXTYPE |
| environment variable within |
| .IR /etc/selinux/config . |
| You must reboot and possibly relabel if you change the policy type to have it take effect on the system. |
| The corresponding |
| policy configuration for each such policy must be installed in the |
| .I /etc/selinux/{SELINUXTYPE}/ |
| directories. |
| |
| A given SELinux policy can be customized further based on a set of |
| compile-time tunable options and a set of runtime policy booleans. |
| .B \%system\-config\-selinux |
| allows customization of these booleans and tunables. |
| |
| Many domains that are protected by SELinux also include SELinux man pages explaining how to customize their policy. |
| . |
| .SH "FILE LABELING" |
| All files, directories, devices ... have a security context/label associated with them. These context are stored in the extended attributes of the file system. |
| Problems with SELinux often arise from the file system being mislabeled. This can be caused by booting the machine with a non SELinux kernel. If you see an error message containing file_t, that is usually a good indicator that you have a serious problem with file system labeling. |
| |
| The best way to relabel the file system is to create the flag file |
| .I /.autorelabel |
| and reboot. |
| .BR system\-config\-selinux , |
| also has this capability. The |
| .BR restorecon / fixfiles |
| commands are also available for relabeling files. |
| |
| Please note that using mount flag |
| .I nosuid |
| also disables SELinux domain transitions, unless permission |
| .I nosuid_transition |
| is used in the policy to allow this, which in turn needs also policy capability |
| .IR nnp_nosuid_transition . |
| . |
| .SH AUTHOR |
| This manual page was written by Dan Walsh <dwalsh@redhat.com>. |
| . |
| .SH FILES |
| .I /etc/selinux/config |
| . |
| .SH "SEE ALSO" |
| .ad l |
| .nh |
| .BR booleans (8), |
| .BR setsebool (8), |
| .BR sepolicy (8), |
| .BR system-config-selinux (8), |
| .BR togglesebool (8), |
| .BR restorecon (8), |
| .BR fixfiles (8), |
| .BR setfiles (8), |
| .BR semanage (8), |
| .BR sepolicy (8) |
| |
| Every confined service on the system has a man page in the following format: |
| .br |
| |
| .BR <servicename>_selinux (8) |
| |
| For example, httpd has the |
| .BR httpd_selinux (8) |
| man page. |
| |
| .B man -k selinux |
| |
| Will list all SELinux man pages. |
