Provided by: selinux-utils_2.1.0-4.1ubuntu1_amd64 bug


       SELinux - NSA Security-Enhanced Linux (SELinux)


       NSA  Security-Enhanced Linux (SELinux) is an implementation of a flexible mandatory access
       control architecture in the Linux operating system.   The  SELinux  architecture  provides
       general  support  for  the enforcement of many kinds of mandatory access control policies,
       including those based on the concepts of Type EnforcementĀ®, Role-  Based  Access  Control,
       and  Multi-Level  Security.   Background  information  and  technical  documentation about
       SELinux can be found at

       The  /etc/selinux/config  configuration  file  controls  whether  SELinux  is  enabled  or
       disabled,  and  if enabled, whether SELinux operates in permissive mode or enforcing mode.
       The SELINUX variable may be set to any one of disabled, permissive, or enforcing to select
       one  of  these  options.   The  disabled option completely disables the SELinux kernel and
       application code,  leaving  the  system  running  without  any  SELinux  protection.   The
       permissive  option  enables  the  SELinux  code,  but causes it to operate in a mode where
       accesses that would be denied by policy are permitted but audited.  The  enforcing  option
       enables the SELinux code and causes it to enforce access denials as well as auditing them.
       Permissive mode may yield a different set of denials than  enforcing  mode,  both  because
       enforcing mode will prevent an operation from proceeding past the first denial and because
       some application code will fall back to a less privileged  mode  of  operation  if  denied

       The  /etc/selinux/config  configuration  file  also  controls what policy is active on the
       system.  SELinux allows for multiple policies to be installed on the system, but only  one
       policy  may  be  active at any given time.  At present, two kinds of SELinux policy exist:
       targeted and strict.  The targeted policy is designed as a  policy  where  most  processes
       operate without restrictions, and only specific services are placed into distinct security
       domains that are confined by the policy.  For example, the user would run in a  completely
       unconfined  domain  while the named daemon or apache daemon would run in a specific domain
       tailored to its operation.  The strict policy is designed as a policy where all  processes
       are  partitioned  into  fine-grained  security  domains  and  confined  by  policy.  It is
       anticipated in the future that other policies will be created  (Multi-Level  Security  for
       example).  You can define which policy you will run by setting the SELINUXTYPE environment
       variable within /etc/selinux/config.  The corresponding policy configuration for each such
       policy must be installed in the /etc/selinux/SELINUXTYPE/ directories.

       A  given  SELinux  policy can be customized further based on a set of compile-time tunable
       options  and  a  set  of  runtime  policy  booleans.   system-config-securitylevel  allows
       customization of these booleans and tunables.

       Many  domains  that are protected by SELinux also include SELinux man pages explaining how
       to customize their policy.


       All files, directories, devices ... have a security context/label  associated  with  them.
       These  context  are  stored  in the extended attributes of the file system.  Problems with
       SELinux often arise from the file system being mislabeled. This can be caused  by  booting
       the  machine  with  a  non SELinux kernel.  If you see an error message containing file_t,
       that is usually a good indicator  that  you  have  a  serious  problem  with  file  system

       The  best  way  to  relabel  the  file system is to create the flag file /.autorelabel and
       reboot.  system-config-securitylevel, also has this  capability.   The  restorcon/fixfiles
       commands are also available for relabeling files.


       This manual page was written by Dan Walsh <>.


       booleans(8), setsebool(8), selinuxenabled(1), togglesebool(8), restorecon(8), setfiles(8),
       ftpd_selinux(8),  named_selinux(8),  rsync_selinux(8),  httpd_selinux(8),  nfs_selinux(8),
       samba_selinux(8), kerberos_selinux(8), nis_selinux(8), ypbind_selinux(8)