111 lines
4.5 KiB
Groff
111 lines
4.5 KiB
Groff
.TH "selinux" "8" "29 Apr 2005" "dwalsh@redhat.com" "SELinux Command Line documentation"
|
|
.SH "NAME"
|
|
SELinux \- NSA Security-Enhanced Linux (SELinux)
|
|
.
|
|
.SH "DESCRIPTION"
|
|
NSA Security-Enhanced Linux (SELinux) is an implementation of a
|
|
flexible mandatory access control architecture in the Linux operating
|
|
system. The SELinux architecture provides general support for the
|
|
enforcement of many kinds of mandatory access control policies,
|
|
including those based on the concepts of Type Enforcement®, Role-
|
|
Based Access Control, and Multi-Level Security. Background
|
|
information and technical documentation about SELinux can be found at
|
|
http://www.nsa.gov/research/selinux.
|
|
|
|
The
|
|
.I /etc/selinux/config
|
|
configuration file controls whether SELinux is
|
|
enabled or disabled, and if enabled, whether SELinux operates in
|
|
permissive mode or enforcing mode. The
|
|
.B SELINUX
|
|
variable may be set to
|
|
any one of disabled, permissive, or enforcing to select one of these
|
|
options. The disabled option completely disables the SELinux kernel
|
|
and application code, leaving the system running without any SELinux
|
|
protection. The permissive option enables the SELinux code, but
|
|
causes it to operate in a mode where accesses that would be denied by
|
|
policy are permitted but audited. The enforcing option enables the
|
|
SELinux code and causes it to enforce access denials as well as
|
|
auditing them. Permissive mode may yield a different set of denials
|
|
than enforcing mode, both because enforcing mode will prevent an
|
|
operation from proceeding past the first denial and because some
|
|
application code will fall back to a less privileged mode of operation
|
|
if denied access.
|
|
|
|
The
|
|
.I /etc/selinux/config
|
|
configuration file also controls what policy
|
|
is active on the system. SELinux allows for multiple policies to be
|
|
installed on the system, but only one policy may be active at any
|
|
given time. At present, multiple kinds of SELinux policy exist: targeted,
|
|
mls for example. The targeted policy is designed as a policy where most
|
|
user processes operate without restrictions, and only specific services are
|
|
placed into distinct security domains that are confined by the policy.
|
|
For example, the user would run in a completely unconfined domain
|
|
while the named daemon or apache daemon would run in a specific domain
|
|
tailored to its operation. The MLS (Multi-Level Security) policy is designed
|
|
as a policy where all processes are partitioned into fine-grained security
|
|
domains and confined by policy. MLS also supports the Bell And LaPadula model, where processes are not only confined by the type but also the level of the data.
|
|
|
|
You can
|
|
define which policy you will run by setting the
|
|
.B SELINUXTYPE
|
|
environment variable within
|
|
.IR /etc/selinux/config .
|
|
You must reboot and possibly relabel if you change the policy type to have it take effect on the system.
|
|
The corresponding
|
|
policy configuration for each such policy must be installed in the
|
|
.I /etc/selinux/{SELINUXTYPE}/
|
|
directories.
|
|
|
|
A given SELinux policy can be customized further based on a set of
|
|
compile-time tunable options and a set of runtime policy booleans.
|
|
.B \%system\-config\-selinux
|
|
allows customization of these booleans and tunables.
|
|
|
|
Many domains that are protected by SELinux also include SELinux man pages explaining how to customize their policy.
|
|
.
|
|
.SH "FILE LABELING"
|
|
All files, directories, devices ... have a security context/label associated with them. These context are stored in the extended attributes of the file system.
|
|
Problems with SELinux often arise from the file system being mislabeled. This can be caused by booting the machine with a non SELinux kernel. If you see an error message containing file_t, that is usually a good indicator that you have a serious problem with file system labeling.
|
|
|
|
The best way to relabel the file system is to create the flag file
|
|
.I /.autorelabel
|
|
and reboot.
|
|
.BR system\-config\-selinux ,
|
|
also has this capability. The
|
|
.BR restorcon / fixfiles
|
|
commands are also available for relabeling files.
|
|
.
|
|
.SH AUTHOR
|
|
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
|
.
|
|
.SH FILES
|
|
.I /etc/selinux/config
|
|
.
|
|
.SH "SEE ALSO"
|
|
.ad l
|
|
.nh
|
|
.BR booleans (8),
|
|
.BR setsebool (8),
|
|
.BR sepolicy (8),
|
|
.BR system-config-selinux (8),
|
|
.BR togglesebool (8),
|
|
.BR restorecon (8),
|
|
.BR fixfiles (8),
|
|
.BR setfiles (8),
|
|
.BR semanage (8),
|
|
.BR sepolicy(8)
|
|
|
|
Every confined service on the system has a man page in the following format:
|
|
.br
|
|
|
|
.B <servicename>_selinux(8)
|
|
|
|
For example, httpd has the
|
|
.B httpd_selinux(8)
|
|
man page.
|
|
|
|
.B man -k selinux
|
|
|
|
Will list all SELinux man pages.
|