selinux/libselinux/man/man8/selinux.8 - nest-cam/4320010/selinux - Git at Google

 .TH  "selinux"  "8"  "29 Apr 2005" "dwalsh@redhat.com" "SELinux Command Line documentation"
 .SH "NAME"
 SELinux \- NSA Security-Enhanced Linux (SELinux)
 .
 .SH "DESCRIPTION"
 NSA Security-Enhanced Linux (SELinux) is an implementation of a
 flexible mandatory access control architecture in the Linux operating
 system.  The SELinux architecture provides general support for the
 enforcement of many kinds of mandatory access control policies,
 including those based on the concepts of Type Enforcement®, Role-
 Based Access Control, and Multi-Level Security.  Background
 information and technical documentation about SELinux can be found at
 http://www.nsa.gov/research/selinux.

 The
 .I /etc/selinux/config
 configuration file controls whether SELinux is
 enabled or disabled, and if enabled, whether SELinux operates in
 permissive mode or enforcing mode.  The
 .B SELINUX
 variable may be set to
 any one of disabled, permissive, or enforcing to select one of these
 options.  The disabled option completely disables the SELinux kernel
 and application code, leaving the system running without any SELinux
 protection.  The permissive option enables the SELinux code, but
 causes it to operate in a mode where accesses that would be denied by
 policy are permitted but audited.  The enforcing option enables the
 SELinux code and causes it to enforce access denials as well as
 auditing them.  Permissive mode may yield a different set of denials
 than enforcing mode, both because enforcing mode will prevent an
 operation from proceeding past the first denial and because some
 application code will fall back to a less privileged mode of operation
 if denied access.

 The
 .I /etc/selinux/config
 configuration file also controls what policy
 is active on the system.  SELinux allows for multiple policies to be
 installed on the system, but only one policy may be active at any
 given time.  At present, multiple kinds of SELinux policy exist: targeted,
 mls for example.  The targeted policy is designed as a policy where most
 user processes operate without restrictions, and only specific services are
 placed into distinct security domains that are confined by the policy.
 For example, the user would run in a completely unconfined domain
 while the named daemon or apache daemon would run in a specific domain
 tailored to its operation.  The MLS (Multi-Level Security) policy is designed
 as a policy where all processes are partitioned into fine-grained security
 domains and confined by policy.  MLS also supports the Bell And LaPadula model, where processes are not only confined by the type but also the level of the data.

 You can
 define which policy you will run by setting the
 .B SELINUXTYPE
 environment variable within
 .IR /etc/selinux/config .
 You must reboot and possibly relabel if you change the policy type to have it take effect on the system.
 The corresponding
 policy configuration for each such policy must be installed in the
 .I /etc/selinux/{SELINUXTYPE}/
 directories.

 A given SELinux policy can be customized further based on a set of
 compile-time tunable options and a set of runtime policy booleans.
 .B \%system\-config\-selinux
 allows customization of these booleans and tunables.

 Many domains that are protected by SELinux also include SELinux man pages explaining how to customize their policy.
 .
 .SH "FILE LABELING"
 All files, directories, devices ... have a security context/label associated with them.  These context are stored in the extended attributes of the file system.
 Problems with SELinux often arise from the file system being mislabeled. This can be caused by booting the machine with a non SELinux kernel.  If you see an error message containing file_t, that is usually a good indicator that you have a serious problem with file system labeling.

 The best way to relabel the file system is to create the flag file
 .I /.autorelabel
 and reboot.
 .BR system\-config\-selinux ,
 also has this capability.  The
 .BR restorecon / fixfiles
 commands are also available for relabeling files.
 .
 .SH AUTHOR
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
 .
 .SH FILES
 .I /etc/selinux/config
 .
 .SH "SEE ALSO"
 .ad l
 .nh
 .BR booleans (8),
 .BR setsebool (8),
 .BR sepolicy (8),
 .BR system-config-selinux (8),
 .BR togglesebool (8),
 .BR restorecon (8),
 .BR fixfiles (8),
 .BR setfiles (8),
 .BR semanage (8),
 .BR sepolicy(8)

 Every confined service on the system has a man page in the following format:
 .br

 .B <servicename>_selinux(8)

 For example, httpd has the
 .B httpd_selinux(8)
 man page.

 .B man -k selinux

 Will list all SELinux man pages.
	.TH "selinux" "8" "29 Apr 2005" "dwalsh@redhat.com" "SELinux Command Line documentation"
	.SH "NAME"
	SELinux \- NSA Security-Enhanced Linux (SELinux)
	.
	.SH "DESCRIPTION"
	NSA Security-Enhanced Linux (SELinux) is an implementation of a
	flexible mandatory access control architecture in the Linux operating
	system. The SELinux architecture provides general support for the
	enforcement of many kinds of mandatory access control policies,
	including those based on the concepts of Type Enforcement®, Role-
	Based Access Control, and Multi-Level Security. Background
	information and technical documentation about SELinux can be found at
	http://www.nsa.gov/research/selinux.

	The
	.I /etc/selinux/config
	configuration file controls whether SELinux is
	enabled or disabled, and if enabled, whether SELinux operates in
	permissive mode or enforcing mode. The
	.B SELINUX
	variable may be set to
	any one of disabled, permissive, or enforcing to select one of these
	options. The disabled option completely disables the SELinux kernel
	and application code, leaving the system running without any SELinux
	protection. The permissive option enables the SELinux code, but
	causes it to operate in a mode where accesses that would be denied by
	policy are permitted but audited. The enforcing option enables the
	SELinux code and causes it to enforce access denials as well as
	auditing them. Permissive mode may yield a different set of denials
	than enforcing mode, both because enforcing mode will prevent an
	operation from proceeding past the first denial and because some
	application code will fall back to a less privileged mode of operation
	if denied access.

	The
	.I /etc/selinux/config
	configuration file also controls what policy
	is active on the system. SELinux allows for multiple policies to be
	installed on the system, but only one policy may be active at any
	given time. At present, multiple kinds of SELinux policy exist: targeted,
	mls for example. The targeted policy is designed as a policy where most
	user processes operate without restrictions, and only specific services are
	placed into distinct security domains that are confined by the policy.
	For example, the user would run in a completely unconfined domain
	while the named daemon or apache daemon would run in a specific domain
	tailored to its operation. The MLS (Multi-Level Security) policy is designed
	as a policy where all processes are partitioned into fine-grained security
	domains and confined by policy. MLS also supports the Bell And LaPadula model, where processes are not only confined by the type but also the level of the data.

	You can
	define which policy you will run by setting the
	.B SELINUXTYPE
	environment variable within
	.IR /etc/selinux/config .
	You must reboot and possibly relabel if you change the policy type to have it take effect on the system.
	The corresponding
	policy configuration for each such policy must be installed in the
	.I /etc/selinux/{SELINUXTYPE}/
	directories.

	A given SELinux policy can be customized further based on a set of
	compile-time tunable options and a set of runtime policy booleans.
	.B \%system\-config\-selinux
	allows customization of these booleans and tunables.

	Many domains that are protected by SELinux also include SELinux man pages explaining how to customize their policy.
	.
	.SH "FILE LABELING"
	All files, directories, devices ... have a security context/label associated with them. These context are stored in the extended attributes of the file system.
	Problems with SELinux often arise from the file system being mislabeled. This can be caused by booting the machine with a non SELinux kernel. If you see an error message containing file_t, that is usually a good indicator that you have a serious problem with file system labeling.

	The best way to relabel the file system is to create the flag file
	.I /.autorelabel
	and reboot.
	.BR system\-config\-selinux ,
	also has this capability. The
	.BR restorecon / fixfiles
	commands are also available for relabeling files.
	.
	.SH AUTHOR
	This manual page was written by Dan Walsh <dwalsh@redhat.com>.
	.
	.SH FILES
	.I /etc/selinux/config
	.
	.SH "SEE ALSO"
	.ad l
	.nh
	.BR booleans (8),
	.BR setsebool (8),
	.BR sepolicy (8),
	.BR system-config-selinux (8),
	.BR togglesebool (8),
	.BR restorecon (8),
	.BR fixfiles (8),
	.BR setfiles (8),
	.BR semanage (8),
	.BR sepolicy(8)

	Every confined service on the system has a man page in the following format:
	.br

	.B <servicename>_selinux(8)

	For example, httpd has the
	.B httpd_selinux(8)
	man page.

	.B man -k selinux

	Will list all SELinux man pages.