Provided by: policycoreutils_3.3-1build1_amd64 bug

NAME
       config - The SELinux sub-system configuration file.


DESCRIPTION
       The SELinux config file controls the state of SELinux regarding:

              1.  The policy enforcement status - enforcing, permissive or disabled.

              2.  The  policy  name  or  type  that  forms  a path to the policy to be loaded and its supporting
                  configuration files.

              3.  How SELinux-aware login applications should behave if no valid SELinux users are configured.

              4.  Whether the system is to be relabeled or not.

       The entries controlling these functions are described in the FILE FORMAT section.

       The fully qualified path name of the SELinux configuration file is /etc/selinux/config.

       If the config file is missing or corrupt, then no SELinux policy is loaded (i.e. SELinux is disabled).

       The sestatus (8) command and the libselinux function selinux_path (3) will return  the  location  of  the
       config file.


FILE FORMAT
       The config file supports the following parameters:

              SELINUX = enforcing | permissive | disabled
              SELINUXTYPE = policy_name
              REQUIREUSERS = 0 | 1
              AUTORELABEL = 0 | 1

       Where:
       SELINUX
              This entry can contain one of three values:

                     enforcing
                         SELinux security policy is enforced.

                     permissive
                         SELinux  security  policy  is  not  enforced  but logs the warnings (i.e. the action is
                         allowed to proceed).

                     disabled
                         No SELinux policy is loaded.  This option was used to disable SELinux completely, which
                         is now deprecated.  Use the selinux=0 kernel boot option instead (see selinux(8)).

              The entry can be determined using the sestatus(8) command or selinux_getenforcemode(3).

       SELINUXTYPE
              The policy_name entry is used to identify the policy type, and becomes the directory name of where
              the policy and its configuration files are located.

              The entry can be determined using the sestatus(8) command or selinux_getpolicytype(3).

              The policy_name is relative to a path that is defined within the SELinux  subsystem  that  can  be
              retrieved by using selinux_path(3). An example entry retrieved by selinux_path(3) is:
                     /etc/selinux/

              The  policy_name  is  then  appended  to  this  and becomes the 'policy root' location that can be
              retrieved by selinux_policy_root_path(3). An example entry retrieved is:
                     /etc/selinux/targeted

              The actual binary policy is located relative to this directory and also has  a  policy  name  pre-
              allocated. This information can be retrieved using selinux_binary_policy_path(3). An example entry
              retrieved by selinux_binary_policy_path(3) is:
                     /etc/selinux/targeted/policy/policy

              The binary policy name has by convention the SELinux policy version that it supports  appended  to
              it.  The  maximum  policy  version supported by the kernel can be determined using the sestatus(8)
              command or security_policyvers(3). An example binary policy file with the version is:
                     /etc/selinux/targeted/policy/policy.24

       REQUIRESEUSERS
              This optional entry can be used to fail a login if there is no matching or default  entry  in  the
              seusers(5) file or if the seusers file is missing.

              It  is  checked  by  getseuserbyname(3) that is called by SELinux-aware login applications such as
              PAM(8).

              If set to 0 or the entry missing:
                     getseuserbyname(3) will return the GNU / Linux user name as the SELinux user.

              If set to 1:
                     getseuserbyname(3) will fail.

              The getseuserbyname(3) man page should be consulted for its use. The format of the seusers file is
              shown in seusers(5).

       AUTORELABEL
              This is an optional entry that allows the file system to be relabeled.

              If  set  to 0 and there is a file called .autorelabel in the root directory, then on a reboot, the
              loader will drop to a shell where a root login is required. An  administrator  can  then  manually
              relabel the file system.

              If  set  to  1  or  no  entry  present  (the default) and there is a .autorelabel file in the root
              directory, then the file system will be automatically relabeled using fixfiles -F restore

              In both cases the /.autorelabel file will be removed so that relabeling is not done again.


EXAMPLE
       This example config file shows the minimum contents for a system to run SELinux in enforcing mode, with a
       policy_name of 'targeted':

              SELINUX = enforcing
              SELINUXTYPE = targeted


SEE ALSO
       selinux(8),  sestatus(8),  selinux_path(3),  selinux_policy_root_path(3),  selinux_binary_policy_path(3),
       getseuserbyname(3),    PAM(8),    fixfiles(8),    selinux_mkload_policy(3),     selinux_getpolicytype(3),
       security_policyvers(3), selinux_getenforcemode(3), seusers(5)