Provided by: policycoreutils_2.7-1_amd64 bug

NAME

       config - The SELinux sub-system configuration file.

DESCRIPTION

       The SELinux config file controls the state of SELinux regarding:

              1.  The policy enforcement status - enforcing, permissive or disabled.

              2.  The  policy  name  or type that forms a path to the policy to be loaded and its
                  supporting configuration files.

              3.  How local users and booleans will be managed when the policy  is  loaded  (note
                  that  this  function  was  used  by  older  releases  of  SELinux  and  is  now
                  deprecated).

              4.  How SELinux-aware login applications should behave if no  valid  SELinux  users
                  are configured.

              5.  Whether the system is to be relabeled or not.

       The entries controlling these functions are described in the FILE FORMAT section.

       The fully qualified path name of the SELinux configuration file is /etc/selinux/config.

       If  the  config file is missing or corrupt, then no SELinux policy is loaded (i.e. SELinux
       is disabled).

       The sestatus (8) command and the libselinux function  selinux_path  (3)  will  return  the
       location of the config file.

FILE FORMAT

       The config file supports the following parameters:

              SELINUX = enforcing | permissive | disabled
              SELINUXTYPE = policy_name
              SETLOCALDEFS = 0 | 1
              REQUIREUSERS = 0 | 1
              AUTORELABEL = 0 | 1

       Where:
       SELINUX
              This entry can contain one of three values:

                     enforcing
                         SELinux security policy is enforced.

                     permissive
                         SELinux  security policy is not enforced but logs the warnings (i.e. the
                         action is allowed to proceed).

                     disabled
                         SELinux is disabled and no policy is loaded.

              The   entry   can   be   determined    using    the    sestatus(8)    command    or
              selinux_getenforcemode(3).

       SELINUXTYPE
              The  policy_name  entry  is  used  to  identify  the  policy  type, and becomes the
              directory name of where the policy and its configuration files are located.

              The   entry   can   be   determined    using    the    sestatus(8)    command    or
              selinux_getpolicytype(3).

              The  policy_name is relative to a path that is defined within the SELinux subsystem
              that can be retrieved by using  selinux_path(3).  An  example  entry  retrieved  by
              selinux_path(3) is:
                     /etc/selinux/

              The  policy_name  is  then  appended to this and becomes the 'policy root' location
              that can be retrieved by selinux_policy_root_path(3). An  example  entry  retrieved
              is:
                     /etc/selinux/targeted

              The  actual  binary  policy  is  located  relative to this directory and also has a
              policy   name   pre-allocated.   This   information   can   be   retrieved    using
              selinux_binary_policy_path(3).      An      example      entry     retrieved     by
              selinux_binary_policy_path(3) is:
                     /etc/selinux/targeted/policy/policy

              The binary policy name has  by  convention  the  SELinux  policy  version  that  it
              supports  appended to it. The maximum policy version supported by the kernel can be
              determined using the sestatus(8)  command  or  security_policyvers(3).  An  example
              binary policy file with the version is:
                     /etc/selinux/targeted/policy/policy.24

       SETLOCALDEFS
              This entry is deprecated and should be removed or set to 0.

              If  set  to  1, then selinux_mkload_policy(3) will read the local customization for
              booleans (see booleans(5)) and users (see local.users(5)).

       REQUIRESEUSERS
              This optional entry can be used to fail a login if there is no matching or  default
              entry in the seusers(5) file or if the seusers file is missing.

              It  is  checked  by  getseuserbyname(3)  that  is  called  by  SELinux-aware  login
              applications such as PAM(8).

              If set to 0 or the entry missing:
                     getseuserbyname(3) will return the GNU / Linux  user  name  as  the  SELinux
                     user.

              If set to 1:
                     getseuserbyname(3) will fail.

              The  getseuserbyname(3) man page should be consulted for its use. The format of the
              seusers file is shown in seusers(5).

       AUTORELABEL
              This is an optional entry that allows the file system to be relabeled.

              If set to 0 and there is a file called .autorelabel in the root directory, then  on
              a  reboot,  the  loader  will  drop  to  a shell where a root login is required. An
              administrator can then manually relabel the file system.

              If set to 1 or no entry present (the default) and there is a .autorelabel  file  in
              the  root  directory,  then  the  file system will be automatically relabeled using
              fixfiles -F restore

              In both cases the /.autorelabel file will be removed so that relabeling is not done
              again.

EXAMPLE

       This  example  config  file  shows  the  minimum  contents  for a system to run SELinux in
       enforcing mode, with a policy_name of 'targeted':

              SELINUX = enforcing
              SELINUXTYPE = targeted

SEE ALSO

       selinux(8),       sestatus(8),        selinux_path(3),        selinux_policy_root_path(3),
       selinux_binary_policy_path(3),        getseuserbyname(3),       PAM(8),       fixfiles(8),
       selinux_mkload_policy(3),        selinux_getpolicytype(3),         security_policyvers(3),
       selinux_getenforcemode(3), seusers(5), booleans(5), local.users(5)