MAN page from OpenSuSE selinux-tools-2.0.71-4.1.x86_64.rpm
Section: SELinux Command Line documentation (8)
Updated: 29 Apr 2005Index
selinux - NSA Security-Enhanced Linux (SELinux)
NSA Security-Enhanced Linux (SELinux) is an implementation of aflexible mandatory access control architecture in the Linux operatingsystem. The SELinux architecture provides general support for theenforcement of many kinds of mandatory access control policies,including those based on the concepts of Type Enforcement®, Role-Based Access Control, and Multi-Level Security. Backgroundinformation and technical documentation about SELinux can be found athttp://www.nsa.gov/selinux.
The/etc/selinux/configconfiguration file controls whether SELinux isenabled or disabled, and if enabled, whether SELinux operates inpermissive mode or enforcing mode. TheSELINUXvariable may be set toany one of disabled, permissive, or enforcing to select one of theseoptions. The disabled option completely disables the SELinux kerneland application code, leaving the system running without any SELinuxprotection. The permissive option enables the SELinux code, butcauses it to operate in a mode where accesses that would be denied bypolicy are permitted but audited. The enforcing option enables theSELinux code and causes it to enforce access denials as well asauditing them. Permissive mode may yield a different set of denialsthan enforcing mode, both because enforcing mode will prevent anoperation from proceeding past the first denial and because someapplication code will fall back to a less privileged mode of operationif denied access.
The/etc/selinux/configconfiguration file also controls what policyis active on the system. SELinux allows for multiple policies to beinstalled on the system, but only one policy may be active at anygiven time. At present, two kinds of SELinux policy exist: targetedand strict. The targeted policy is designed as a policy where mostprocesses operate without restrictions, and only specific services areplaced into distinct security domains that are confined by the policy.For example, the user would run in a completely unconfined domainwhile the named daemon or apache daemon would run in a specific domaintailored to its operation. The strict policy is designed as a policywhere all processes are partitioned into fine-grained security domainsand confined by policy. It is anticipated in the future that otherpolicies will be created (Multi-Level Security for example). You candefine which policy you will run by setting theSELINUXTYPEenvironment variable within/etc/selinux/config.The correspondingpolicy configuration for each such policy must be installed in the/etc/selinux/SELINUXTYPE/ directories.
A given SELinux policy can be customized further based on a set ofcompile-time tunable options and a set of runtime policy booleans.system-config-securitylevelallows customization of these booleans and tunables.
Many domains that are protected by SELinux also include selinux man pages explainging how to customize their policy.
All files, directories, devices ... have a security context/label associated with them. These context are stored in the extended attributes of the file system.Problems with SELinux often arise from the file system being mislabeled. This can be caused by booting the machine with a non selinux kernel. If you see an error message containing file_t, that is usually a good indicator that you have a serious problem with file system labeling.
The best way to relabel the file system is to create the flag file /.autorelabel and reboot. system-config-securitylevel, also has this capability. The restorcon/fixfiles commands are also available for relabeling files.
This manual page was written by Dan Walsh <dwalshAATTredhat.com>.
- FILE LABELING
- SEE ALSO
This document was created byman2html,using the manual pages.