selinux(8) SELinux Command Line documentation selinux(8) NAME selinux - NSA Security-Enhanced Linux (SELinux) DESCRIPTION NSA Security-Enhanced Linux (SELinux) is an implementation of a flexi- ble mandatory access(2,5) control architecture in(1,8) the Linux operating sys- tem. The SELinux architecture provides general support for the enforcement of many kinds of mandatory access(2,5) control policies, includ- ing those based on the concepts of Type EnforcementÂŽ, Role- Based Access Control, and Multi-Level Security. Background information and technical documentation about SELinux can be found at http://www.nsa.gov/selinux. The /etc/selinux/config(1,5) configuration file(1,n) controls whether SELinux is enabled or disabled, and if(3,n) enabled, whether SELinux operates in(1,8) per- missive mode or enforcing mode. The SELINUX variable may be set(7,n,1 builtins) to any one of disabled, permissive, or enforcing to select(2,7,2 select_tut) one of these options. The disabled option completely disables the SELinux kernel and application code, leaving the system running without any SELinux protection. The permissive option enables the SELinux code, but causes it to operate in(1,8) a mode where accesses that would be denied by policy are permitted but audited. The enforcing option enables the SELinux code and causes it to enforce access(2,5) denials as well as auditing them. Permissive mode may yield a different set(7,n,1 builtins) of denials than enforcing mode, both because enforcing mode will prevent an operation from pro- ceeding past the first denial and because some application code will fall back to a less(1,3) privileged mode of operation if(3,n) denied access. The /etc/selinux/config(1,5) configuration file(1,n) also controls what policy is active on the system. SELinux allows for multiple policies to be installed on the system, but only one policy may be active at any given time. At present, two kinds of SELinux policy exist: targeted and strict. The targeted policy is designed as a policy where most pro- cesses operate without restrictions, and only specific services are placed into distinct security domains that are confined by the policy. For example, the user would run in(1,8) a completely unconfined domain while the named(5,8) daemon or apache daemon would run in(1,8) a specific domain tai- lored to its operation. The strict policy is designed as a policy where all processes are partitioned into fine-grained security domains and confined by policy. It is anticipated in(1,8) the future that other policies will be created (Multi-Level Security for example). You can define which policy you will run by setting the SELINUXTYPE environment variable within /etc/selinux/config. The corresponding policy configu- ration for each such policy must be installed in(1,8) the /etc/selinux/SELINUXTYPE/ directories. A given SELinux policy can be customized further based on a set(7,n,1 builtins) of com- pile-time tunable options and a set(7,n,1 builtins) of runtime policy booleans. sys- tem-config-securitylevel allows customization of these booleans and tunables. AUTHOR This manual page was written by Dan Walsh <dwalsh@redhat.com>. SEE ALSO booleans(8), setsebool(8), selinuxenabled(8), togglesebool(8) FILES /etc/selinux/config(1,5) dwalsh@redhat.com 11 Aug 2004 selinux(8)