|
NAME | DESCRIPTION | FILE LABELING | AUTHOR | FILES | SEE ALSO | COLOPHON |
|
selinux(8) SELinux Command Line documentation selinux(8)
SELinux - NSA Security-Enhanced Linux (SELinux)
NSA Security-Enhanced Linux (SELinux) is an implementation of a
flexible mandatory access control architecture in the Linux operating
system. The SELinux architecture provides general support for the
enforcement of many kinds of mandatory access control policies,
including those based on the concepts of Type Enforcement®, Role-
Based Access Control, and Multi-Level Security. Background
information and technical documentation about SELinux can be found at
http://www.nsa.gov/research/selinux.
The /etc/selinux/config configuration file controls whether SELinux
is enabled or disabled, and if enabled, whether SELinux operates in
permissive mode or enforcing mode. The SELINUX variable may be set
to any one of disabled, permissive, or enforcing to select one of
these options. The disabled option completely disables the SELinux
kernel and application code, leaving the system running without any
SELinux protection. The permissive option enables the SELinux code,
but causes it to operate in a mode where accesses that would be
denied by policy are permitted but audited. The enforcing option
enables the SELinux code and causes it to enforce access denials as
well as auditing them. Permissive mode may yield a different set of
denials than enforcing mode, both because enforcing mode will prevent
an operation from proceeding past the first denial and because some
application code will fall back to a less privileged mode of
operation if denied access.
The /etc/selinux/config configuration file also controls what policy
is active on the system. SELinux allows for multiple policies to be
installed on the system, but only one policy may be active at any
given time. At present, multiple kinds of SELinux policy exist:
targeted, mls for example. The targeted policy is designed as a
policy where most user processes operate without restrictions, and
only specific services are placed into distinct security domains that
are confined by the policy. For example, the user would run in a
completely unconfined domain while the named daemon or apache daemon
would run in a specific domain tailored to its operation. The MLS
(Multi-Level Security) policy is designed as a policy where all
processes are partitioned into fine-grained security domains and
confined by policy. MLS also supports the Bell And LaPadula model,
where processes are not only confined by the type but also the level
of the data.
You can define which policy you will run by setting the SELINUXTYPE
environment variable within /etc/selinux/config. You must reboot and
possibly relabel if you change the policy type to have it take effect
on the system. The corresponding policy configuration for each such
policy must be installed in the /etc/selinux/{SELINUXTYPE}/
directories.
A given SELinux policy can be customized further based on a set of
compile-time tunable options and a set of runtime policy booleans.
system-config-selinux allows customization of these booleans and
tunables.
Many domains that are protected by SELinux also include SELinux man
pages explaining how to customize their policy.
All files, directories, devices ... have a security context/label
associated with them. These context are stored in the extended
attributes of the file system. Problems with SELinux often arise
from the file system being mislabeled. This can be caused by booting
the machine with a non SELinux kernel. If you see an error message
containing file_t, that is usually a good indicator that you have a
serious problem with file system labeling.
The best way to relabel the file system is to create the flag file
/.autorelabel and reboot. system-config-selinux, also has this
capability. The restorecon/fixfiles commands are also available for
relabeling files.
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
/etc/selinux/config
booleans(8), setsebool(8), sepolicy(8), system-config-selinux(8),
togglesebool(8), restorecon(8), fixfiles(8), setfiles(8),
semanage(8), sepolicy(8)
Every confined service on the system has a man page in the following
format:
<servicename>_selinux(8)
For example, httpd has the httpd_selinux(8) man page.
man -k selinux
Will list all SELinux man pages.
This page is part of the selinux (Security-Enhanced Linux user-space
libraries and tools) project. Information about the project can be
found at ⟨https://github.com/SELinuxProject/selinux/wiki⟩. If you
have a bug report for this manual page, see
⟨https://github.com/SELinuxProject/selinux/wiki/Contributing⟩. This
page was obtained from the project's upstream Git repository
⟨https://github.com/SELinuxProject/selinux⟩ on 2018-02-02. (At that
time, the date of the most recent commit that was found in the repos‐
itory was 2018-01-25.) If you discover any rendering problems in
this HTML version of the page, or you believe there is a better or
more up-to-date source for the page, or you have corrections or
improvements to the information in this COLOPHON (which is not part
of the original manual page), send a mail to man-pages@man7.org
dwalsh@redhat.com 29 Apr 2005 selinux(8)
Pages that refer to this page: crontab(1), avc_add_callback(3), avc_cache_stats(3), avc_compute_create(3), avc_context_to_sid(3), avc_has_perm(3), avc_init(3), avc_netlink_loop(3), avc_open(3), context_new(3), getcon(3), getexeccon(3), getfilecon(3), getfscreatecon(3), getkeycreatecon(3), get_ordered_context_list(3), getseuserbyname(3), getsockcreatecon(3), init_selinuxmnt(3), is_context_customizable(3), is_selinux_enabled(3), matchmediacon(3), matchpathcon(3), matchpathcon_checkmatches(3), security_check_context(3), security_class_to_string(3), security_compute_av(3), security_disable(3), security_getenforce(3), security_load_booleans(3), security_load_policy(3), security_policyvers(3), selabel_digest(3), selabel_lookup(3), selabel_lookup_best_match(3), selabel_open(3), selabel_partial_match(3), selabel_stats(3), selinux_binary_policy_path(3), selinux_check_securetty_context(3), selinux_colors_path(3), selinux_file_context_cmp(3), selinux_file_context_verify(3), selinux_getenforcemode(3), selinux_getpolicytype(3), selinux_lsetfilecon_default(3), selinux_policy_root(3), selinux_raw_context_to_color(3), selinux_set_callback(3), selinux_set_mapping(3), set_matchpathcon_flags(3), booleans(5), crontab(5), customizable_types(5), default_contexts(5), default_type(5), failsafe_context(5), local.users(5), removable_context(5), secolor.conf(5), securetty_types(5), selabel_db(5), selabel_file(5), selabel_media(5), selabel_x(5), selinux_config(5), sepermit.conf(5), service_seusers(5), sestatus.conf(5), seusers(5), user_contexts(5), virtual_domain_context(5), virtual_image_context(5), keyrings(7), avcstat(8), booleans(8), getenforce(8), getsebool(8), matchpathcon(8), mount(8), pam_selinux(8), pam_sepermit(8), sefcontext_compile(8), selinuxenabled(8), semanage(8), semanage-boolean(8), semanage-dontaudit(8), semanage-export(8), semanage-fcontext(8), semanage-ibendport(8), semanage-ibpkey(8), semanage-import(8), semanage-interface(8), semanage-login(8), semanage-module(8), semanage-permissive(8), semanage-port(8), semanage-user(8), sestatus(8), setenforce(8), togglesebool(8)
|
HTML rendering created 2018-02-02 by Michael Kerrisk, author of The Linux Programming Interface, maintainer of the Linux man-pages project. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH.
|
|