| .TH "selinux" "8" "29 Apr 2005" "dwalsh@redhat.com" "SELinux Command Line documentation" |
| .SH "NAME" |
| SELinux \- NSA Security-Enhanced Linux (SELinux) |
| . |
| .SH "DESCRIPTION" |
| NSA Security-Enhanced Linux (SELinux) is an implementation of a |
| flexible mandatory access control architecture in the Linux operating |
| system. The SELinux architecture provides general support for the |
| enforcement of many kinds of mandatory access control policies, |
| including those based on the concepts of Type Enforcement®, Role- |
| Based Access Control, and Multi-Level Security. Background |
| information and technical documentation about SELinux can be found at |
| http://www.nsa.gov/research/selinux. |
| |
| The |
| .I /etc/selinux/config |
| configuration file controls whether SELinux is |
| enabled or disabled, and if enabled, whether SELinux operates in |
| permissive mode or enforcing mode. The |
| .B SELINUX |
| variable may be set to |
| any one of disabled, permissive, or enforcing to select one of these |
| options. The disabled option completely disables the SELinux kernel |
| and application code, leaving the system running without any SELinux |
| protection. The permissive option enables the SELinux code, but |
| causes it to operate in a mode where accesses that would be denied by |
| policy are permitted but audited. The enforcing option enables the |
| SELinux code and causes it to enforce access denials as well as |
| auditing them. Permissive mode may yield a different set of denials |
| than enforcing mode, both because enforcing mode will prevent an |
| operation from proceeding past the first denial and because some |
| application code will fall back to a less privileged mode of operation |
| if denied access. |
| |
| The |
| .I /etc/selinux/config |
| configuration file also controls what policy |
| is active on the system. SELinux allows for multiple policies to be |
| installed on the system, but only one policy may be active at any |
| given time. At present, multiple kinds of SELinux policy exist: targeted, |
| mls for example. The targeted policy is designed as a policy where most |
| user processes operate without restrictions, and only specific services are |
| placed into distinct security domains that are confined by the policy. |
| For example, the user would run in a completely unconfined domain |
| while the named daemon or apache daemon would run in a specific domain |
| tailored to its operation. The MLS (Multi-Level Security) policy is designed |
| as a policy where all processes are partitioned into fine-grained security |
| domains and confined by policy. MLS also supports the Bell And LaPadula model, where processes are not only confined by the type but also the level of the data. |
| |
| You can |
| define which policy you will run by setting the |
| .B SELINUXTYPE |
| environment variable within |
| .IR /etc/selinux/config . |
| You must reboot and possibly relabel if you change the policy type to have it take effect on the system. |
| The corresponding |
| policy configuration for each such policy must be installed in the |
| .I /etc/selinux/{SELINUXTYPE}/ |
| directories. |
| |
| A given SELinux policy can be customized further based on a set of |
| compile-time tunable options and a set of runtime policy booleans. |
| .B \%system\-config\-selinux |
| allows customization of these booleans and tunables. |
| |
| Many domains that are protected by SELinux also include SELinux man pages explaining how to customize their policy. |
| . |
| .SH "FILE LABELING" |
| All files, directories, devices ... have a security context/label associated with them. These context are stored in the extended attributes of the file system. |
| Problems with SELinux often arise from the file system being mislabeled. This can be caused by booting the machine with a non SELinux kernel. If you see an error message containing file_t, that is usually a good indicator that you have a serious problem with file system labeling. |
| |
| The best way to relabel the file system is to create the flag file |
| .I /.autorelabel |
| and reboot. |
| .BR system\-config\-selinux , |
| also has this capability. The |
| .BR restorecon / fixfiles |
| commands are also available for relabeling files. |
| . |
| .SH AUTHOR |
| This manual page was written by Dan Walsh <dwalsh@redhat.com>. |
| . |
| .SH FILES |
| .I /etc/selinux/config |
| . |
| .SH "SEE ALSO" |
| .ad l |
| .nh |
| .BR booleans (8), |
| .BR setsebool (8), |
| .BR sepolicy (8), |
| .BR system-config-selinux (8), |
| .BR togglesebool (8), |
| .BR restorecon (8), |
| .BR fixfiles (8), |
| .BR setfiles (8), |
| .BR semanage (8), |
| .BR sepolicy(8) |
| |
| Every confined service on the system has a man page in the following format: |
| .br |
| |
| .B <servicename>_selinux(8) |
| |
| For example, httpd has the |
| .B httpd_selinux(8) |
| man page. |
| |
| .B man -k selinux |
| |
| Will list all SELinux man pages. |