84 lines
4.1 KiB
Groff
84 lines
4.1 KiB
Groff
.TH "selinux" "8" "29 Apr 2005" "dwalsh@redhat.com" "SELinux Command Line documentation"
|
|
|
|
.SH "NAME"
|
|
selinux \- NSA Security-Enhanced Linux (SELinux)
|
|
|
|
.SH "DESCRIPTION"
|
|
|
|
NSA Security-Enhanced Linux (SELinux) is an implementation of a
|
|
flexible mandatory access control architecture in the Linux operating
|
|
system. The SELinux architecture provides general support for the
|
|
enforcement of many kinds of mandatory access control policies,
|
|
including those based on the concepts of Type Enforcement®, Role-
|
|
Based Access Control, and Multi-Level Security. Background
|
|
information and technical documentation about SELinux can be found at
|
|
http://www.nsa.gov/selinux.
|
|
|
|
The
|
|
.I /etc/selinux/config
|
|
configuration file controls whether SELinux is
|
|
enabled or disabled, and if enabled, whether SELinux operates in
|
|
permissive mode or enforcing mode. The
|
|
.B SELINUX
|
|
variable may be set to
|
|
any one of disabled, permissive, or enforcing to select one of these
|
|
options. The disabled option completely disables the SELinux kernel
|
|
and application code, leaving the system running without any SELinux
|
|
protection. The permissive option enables the SELinux code, but
|
|
causes it to operate in a mode where accesses that would be denied by
|
|
policy are permitted but audited. The enforcing option enables the
|
|
SELinux code and causes it to enforce access denials as well as
|
|
auditing them. Permissive mode may yield a different set of denials
|
|
than enforcing mode, both because enforcing mode will prevent an
|
|
operation from proceeding past the first denial and because some
|
|
application code will fall back to a less privileged mode of operation
|
|
if denied access.
|
|
|
|
The
|
|
.I /etc/selinux/config
|
|
configuration file also controls what policy
|
|
is active on the system. SELinux allows for multiple policies to be
|
|
installed on the system, but only one policy may be active at any
|
|
given time. At present, two kinds of SELinux policy exist: targeted
|
|
and strict. The targeted policy is designed as a policy where most
|
|
processes operate without restrictions, and only specific services are
|
|
placed into distinct security domains that are confined by the policy.
|
|
For example, the user would run in a completely unconfined domain
|
|
while the named daemon or apache daemon would run in a specific domain
|
|
tailored to its operation. The strict policy is designed as a policy
|
|
where all processes are partitioned into fine-grained security domains
|
|
and confined by policy. It is anticipated in the future that other
|
|
policies will be created (Multi-Level Security for example). You can
|
|
define which policy you will run by setting the
|
|
.B SELINUXTYPE
|
|
environment variable within
|
|
.I /etc/selinux/config.
|
|
The corresponding
|
|
policy configuration for each such policy must be installed in the
|
|
/etc/selinux/SELINUXTYPE/ directories.
|
|
|
|
A given SELinux policy can be customized further based on a set of
|
|
compile-time tunable options and a set of runtime policy booleans.
|
|
.B system-config-securitylevel
|
|
allows customization of these booleans and tunables.
|
|
|
|
.br
|
|
Many domains that are protected by SELinux also include selinux man pages explainging how to customize their policy.
|
|
|
|
.SH FILE LABELING
|
|
|
|
All files, directories, devices ... have a security context/label associated with them. These context are stored in the extended attributes of the file system.
|
|
Problems with SELinux often arise from the file system being mislabeled. This can be caused by booting the machine with a non selinux kernel. If you see an error message containing file_t, that is usually a good indicator that you have a serious problem with file system labeling.
|
|
.br
|
|
The best way to relabel the file system is to create the flag file /.autorelabel and reboot. system-config-securitylevel, also has this capability. The restorcon/fixfiles commands are also available for relabeling files.
|
|
|
|
.SH AUTHOR
|
|
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
|
|
|
.SH "SEE ALSO"
|
|
booleans(8), setsebool(8), selinuxenabled(8), togglesebool(8), restorecon(8), setfiles(8), ftpd_selinux(8), named_selinux(8), rsync_selinux(8), httpd_selinux(8), nfs_selinux(8), samba_selinux(8), kerberos_selinux(8), nis_selinux(8), ypbind_selinux(8)
|
|
|
|
|
|
.SH FILES
|
|
/etc/selinux/config
|